How do I make my website secure in Google Chrome? - linux

I am working on a web development project and I was testing it primarily on Firefox. However, when I tried it on Google Chrome, it would not load completely and Chrome would warn me that the site had "insecure content". After searching for answers, I was advised to make my website use "https" rather than "http". I do not know much about SSL or anything like it, but I followed a set of instructions for setting up Apache to work with SSL. The instructions are here:
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
I followed them. The good news is, my website is accessible by https. The bad news is, unless https is typed, the website is inaccessible. On top of that, both Chrome and Firefox present messages saying "this certificate is not trusted", which is ironic, since I only did any of this to secure the site in the first place.
Can anyone show me where I went wrong or give a more complete explanation of what's going on? I am working on Ubuntu 12.10 with Apache 2 and PHP5.

You can search online for the best SSL vendor and use that. We use Symantec at work: http://www.symantec.com/theme.jsp?themeid=compare-ssl-certificates
Use the JavaScript below to redirect http to https.
// Reload the current page over https if it was loaded over plain http (same host, path and query).
if (location.protocol !== "https:") location.replace("https://" + location.host + location.pathname + location.search + location.hash);
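A server-side redirect for the Apache 2 setup described in the question, as an added example that is not from the question or either answer; the hostname, DocumentRoot and certificate paths are assumptions, so adjust them to your site:

```apache
# Added example, not from the question or the answers: Apache 2.2 (Ubuntu 12.10) virtual
# hosts. Hostname, DocumentRoot and certificate paths are assumptions; adjust to your site.
# Modules needed: a2enmod ssl headers

# Plain-http vhost: answer every request with a permanent redirect to the https origin,
# so http://example.com/any/path keeps working instead of being unreachable.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

# https vhost: the site itself is served only from here.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    # A self-signed certificate keeps the "not trusted" warning. Once a CA-issued
    # certificate replaces it, also install the CA's intermediate chain:
    # SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
    # Browsers that have seen the site over https will then use https for 180 days.
    Header always set Strict-Transport-Security "max-age=15552000"
</VirtualHost>
```

With this in place the JavaScript redirect is unnecessary: the browser never receives the page over plain http at all.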

The "this certificate is not trusted" message is due to the fact that you are using a self-generated certificate. SSL uses a trusted third party (certificate authority) to ensure secure communication. You will need to purchase a certificate from one of these for your production environment. Simply google "SSL certificate" and you will get a whole bunch of options.

Related

How to enable SubtleCrypto in insecure context for testing?

I have a few applications relying on hash functions, which were developed a while ago before browsers changed their policy to restrict Crypto.subtle to HTTPS connections.
Deploying the webapps on secure connection isn't a problem for me, but testing them locally is.
Is there a configuration in about:config that allows me to change the setting, for Firefox, Chrome, and Safari?
Probably too late to help you, but there's a config flag available on Chrome that allows you to specify insecure contexts that should be considered secure.
On Chrome, open chrome://flags and search for the flag "Insecure origins treated as secure". Add the insecure context domains you want to test on and relaunch the browser. Works for me.
I couldn't find a similar flag on Firefox.

How to fix website loading issue in Safari on secure connection (SSL)

Website is not loading on Safari browser with SSL. Site is running on https (SSL) layer. Please refer to the attached screenshot for more detail.
P.S. I am using Windows 10 & SSL purchased from Godaddy
Safari refuses to connect to servers that don't match the minimum security requirements defined by Apple.
For example and example.
It will be necessary to contact the administrator of the server to be compliant with the standards or you can try a different browser (try IE, it never complains).

Strange security errors in Firefox on Windows 7

I've got a client who is reporting very strange security errors I've not seen before on Windows 7 using this link
The page won't load any of the assets with the error: "this site makes use of a SHA-1 certificate, it's recommended you use security certificates with algorithms stronger than SHA-1"
Here is the console:
Can anyone tell me why this might be happening?
The site uses a SHA-256 with RSA certificate, so why does Firefox even need to see the certificate? It's not being requested over https.
You are including https resources from sites which are using a certificate signed with SHA-1. If you look closely at the console log and at the links provided you will see access to
https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js
https://connect.facebook.net/en_US/all.js
https://fonts.googleapis.com/css?family=Lato:400,100,300,700,900
https://fonts.gstatic.com/s/lato/v11/9k-RPmcnxYEPm8CNFsH2gg.woff
....
The site uses a SHA-256 with RSA certificate ...
The certificate of the site does not matter for included resources from external sites.
... and why does Firefox even need to see the certificate, it's not being requested over https?
Because you've included the resources as https. Just look at your code and you will find something like
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
Most likely it is because your site uses an SHA-1 certificate. SHA-1 is an older encryption algorithm that is now considered pretty weak; Firefox, Chrome, and Windows will stop accepting it by 2017. You might want to consider upgrading to an SHA-2 certificate.

Windows Safari cannot access server by NetBIOS/WINS name

Whenever I try to access an NTLM authenticated intranet site, Safari takes forever to process and then comes back with "The server is unavailable" or, if allowed by the site, loads without authenticating. I can access these same sites with no problems in both Firefox and Internet Explorer. The sites are hosted on IIS6 and are being generated with either ASP, ASP.Net 1.1 or ASP.Net 2.0.
Any insight on why Safari is choking on these sites? Are there any work-arounds to get NTLM to correctly authenticate with Safari?
Update:
In further playing with it I have determined that NTLM will work (with the page loading reasonably fast) if I am using the FQDN for the site (i.e. http://mysite doesn't work, but http://mysite.domain.prv will work). Unfortunately, this will not work due to other constraints on the project.
Does anyone know why the FQDN would work but the shorter name will not? Is this something that can be worked around or is it "Sorry out of luck"?
Update 2:
According to the Wireshark packet sniffer, Safari sends a SYN to the correct server's IP address. The intranet server responds with a SYN, ACK, to which Safari sends an ACK. This is the end of communication between Safari and the server. When attempting to access the intranet site by FQDN these three packets were the same but were then followed by an HTTP GET request, which then successfully loaded the page.
Because Safari is connecting to the correct IP address, I find it hard to believe that Safari just doesn't support NetBIOS/WINS names. Additionally, because the NTLM packets are never exchanged as Safari never sends the initial GET request, I'm certain that NTLM has nothing to do with this issue.
Does anyone know the status of Safari's support of NetBIOS/WINS?
In a similar situation with a Java based B2B client, I was successful in using http://ntlmaps.sourceforge.net/ to traverse the proxy.
Any insight on why Safari is choking on these sites?
Because NTLM is not a web standard. You can't expect any given web browser to support it.
Until recently only IE supported it at all. And Firefox's support has to be specifically configured.
Firefox has always been able to traverse NTLM sites. I know because I'm stuck with this god awful custom ASP solution and SharePoint site to use in our intranet... Firefox is a dream.
Apple.. fix Safari kthx?

How To Tell What Files IE Thinks Are "nonsecure"?

We have a CMS system whose web interface gets served over HTTPS. This works beautifully for Firefox, but when we load it in IE6 or IE7, it complains that "This page contains both secure and nonsecure items."
I've loaded the page in Firefox and checked with Firebug, and every connection seems to be going through HTTPS, as should be the case.
Is there any way to tell what is causing IE to throw this apparently spurious error?
Firefox has a number of bugs in mixed content detection. Generally you should try using Fiddler to spot insecure resources.
If you install a tool I wrote (www.bayden.com/dl/scriptfreesetup.exe) you will get a different mixed content prompt which shows the exact URL of the first insecure resource on the page. That tool is basically a prototype and you should uninstall it when you're done with it.
Use Fiddler to watch the traffic between the server and IE.
Be sure to go to Tools > Fiddler Options... > HTTPS > and check 'Decrypt HTTPS traffic'
Any non-HTTPS traffic generated between any server and IE should be easy to spot in the Web Sessions list.
I used Eric's tool (thanks Eric, you saved me hours...) and it turns out that IE6 treats a background image specified with a relative path as nonsecure content, even though it actually requests it over https. So if you're stumped, converting your relative paths to absolute ones might really help...
Are one or more resources (CSS url-image ref overlooked easily) pointing to a subdomain that's not covered by the certificate (https://www.example.com vs https://static.example.com)?
If you can't see anything that isn't using SSL, then this is usually down to a broken SSL certificate somewhere. I don't know of anything off-hand that will tell you what exactly what the problem is, but you can get a list of everything that's loaded easily enough.
The media tab on Firefox's 'page info' dialog (right click on the page) will do it, it might also be worth having a go with Fiddler (which is an excellent, and extremely useful piece of software).
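As an added example (not code from any post on this page), a script that lists every sub-resource an HTML page loads and classifies each the way a browser on an https page would: plain-http URLs are the mixed content IE complains about in this thread, https URLs on other hosts are the third-party origins whose own certificates matter (the SHA-1 thread earlier on this page), and relative paths are flagged because of the IE6 quirk described above. The sample HTML and its host names are constructed.

```python
# Added example, not code from any post on this page: list the sub-resources an HTML page loads
# and flag those a browser on an https page treats as mixed content or as a third-party TLS origin.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "object": "data"}  # <a href> is navigation, not a resource
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False   # urls: (raw_url, where) in document order
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = tag == "style"
        attr = RESOURCE_ATTRS.get(tag)
        if tag == "link":                       # only stylesheet/icon links are fetched
            rel = (a.get("rel") or "").lower()
            attr = "href" if ("stylesheet" in rel or "icon" in rel) else None
        if attr and a.get(attr):
            self.urls.append((a[attr], f"<{tag} {attr}>"))
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):                # CSS url(...) inside <style> blocks
        if self._in_style:
            self.urls += [(u, "<style> url()") for u in CSS_URL.findall(data)]

def classify(page_url, raw, where):
    # Resolve raw against the page URL and say how a browser on an https page treats it.
    full = urljoin(page_url, raw.strip())
    u, page = urlsplit(full), urlsplit(page_url)
    if u.scheme == "http":
        verdict = "MIXED CONTENT: plain http"
    elif u.scheme == "https" and u.netloc != page.netloc:
        verdict = "third-party TLS origin: its own certificate chain must be acceptable"
    else:
        verdict = "same-origin https" if u.scheme == "https" else f"other scheme: {u.scheme}"
    if not urlsplit(raw).scheme and not raw.startswith("//"):
        verdict += "; relative path (the IE6 quirk above: prefer an absolute https URL)"
    return {"url": full, "where": where, "verdict": verdict}

def audit(page_url, html):
    p = ResourceCollector()
    p.feed(html)
    return [classify(page_url, raw, where) for raw, where in p.urls]

# Constructed sample page: one third-party stylesheet, one plain-http script, one relative CSS image, one protocol-relative image.
SAMPLE = """<head><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:400">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<style>body{background:url(images/bg.png)}</style></head><body><img src="//static.example.com/logo.png"></body>"""
```

Run `audit("https://www.example.com/app/index.html", SAMPLE)` to get one dict per resource with the resolved URL, the tag it came from and the verdict; the plain-http jQuery include is the only true mixed-content hit in the sample.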
