want to know ssl is working or not in magento - security

I have purchased an SSL certificate for my site, and in the admin I set the secure base URL to https and the unsecure base URL to http, and enabled it for the frontend. Now I am not sure whether it is working fine or not. When I come to checkout it shifts to https. This is the link to my site: http://majorcomfort.com/index.php/ Please tell me whether it is fine or whether I have to do something else.

Everything seems to be fine, the checkout steps and the customer area are under the secured URLs, which is the standard setting for Magento's "SSL enabled for frontend".
The SSL protection in the front-end is defined in the XML config under the node
<config><frontend><secure_url>path</secure_url></frontend></config>
where path is the desired URL, e.g. /customer/ for the customer area, or /checkout/onepage for the checkout.

Related

HTTPS URL changing from secure to non-secured in the browser interface

We have a website where we have applied SSL on a subdomain. It works well in normal scenarios, but in specific cases the URL shows HTTPS but it does not show the secure sign.
We are using a single page application with sammy.js, so the URL contains # in it.
As soon as we hit this URL https://app.testdomain.com/appname/App/#/Dashboards/Dashboard/Index, the secure mark goes away and it shows like unsecured app.
What could be the possible reason?

Migrating Website from HTTP to HTTPS

I have to migrate a website from HTTP to HTTPS and keep user experience unchanged (no warning popups). What would be the front end main points to be verified?
I realized I have to make sure all inclusions (CSS, images and JS) have to reference https content, but I'm still not sure about the a(link) href attribute and if there's anything I'm missing.
How to migrate to HTTPS is an excellent migration howto. The steps are:
1. Get and install certificates
2. Enable HTTPS on your servers
3. Make intra-site URLs relative
4. Redirect HTTP to HTTPS
5. Turn on strict transport security and secure cookies
Between step 3 and step 4, run through Qualys' best practices and test your site.
Updated Feb 02, 2016
Planning on moving to HTTPS? Here are 13 FAQs! visit https://plus.google.com/+JohnMueller/posts/PY1xCWbeDVC
I have done this for my website and it works perfectly (it depends on the size of your site). My site is a local business, indexed (2,xxx) on Google.
1. No effect on SEO Ranking
2. No effect on link juice
Related links will ref to https automatically. All absolute links have to ref to https, unless you configure your htaccess file to redirect all http traffic to https.
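An added example, not part of the original answers: a small Python check for steps 4 and 5 of the list above (HTTP redirects to HTTPS, strict transport security is on, cookies carry Secure), run over response headers you have captured. The host names, cookie names and sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def header(headers, name):
    """Return the first value of a header (case-insensitive), or None."""
    return next((v for k, v in headers if k.lower() == name), None)

def audit_https_migration(http_resp, https_resp):
    """Each response is (status, [(header, value), ...]); returns findings."""
    findings = []
    status, headers = http_resp
    location = header(headers, "location") or ""
    if status not in REDIRECTS:
        findings.append(f"http: status {status} is not a redirect")
    elif urlsplit(location).scheme != "https":
        findings.append(f"http: Location {location!r} is not an https URL")

    _, headers = https_resp
    hsts = header(headers, "strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    elif not m or int(m.group(1)) == 0:
        findings.append("https: HSTS max-age missing or zero")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        cookie = v.split("=", 1)[0].strip()
        # Attribute names after the first ';' (Path, Secure, HttpOnly, ...)
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"https: cookie {cookie!r} lacks Secure")
    return findings

# Constructed sample responses (hypothetical host and cookie names).
BAD_HTTP = (301, [("Location", "http://www.example.test/index.php")])
BAD_HTTPS = (200, [
    ("Strict-Transport-Security", "max-age=0"),
    ("Set-Cookie", "frontend=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "cart=1; Path=/; Secure; HttpOnly"),
])
GOOD_HTTP = (301, [("Location", "https://www.example.test/index.php")])
GOOD_HTTPS = (200, [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "frontend=abc123; Path=/; Secure; HttpOnly"),
])
```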

FBML apps fail under HTTPS

When setting in the developer console a secure url (https), and trying to load the canvas under facebook:
https://apps.facebook.com/fanta-seriea/
I get the error saying that Facebook received an empty response.
Am I doing something wrong? The certificate is all right:
https://fanta-seriea.com
So why is this happening?
L.
"If you enable SSL for your FBML app, please make sure that your SSL certificate includes all intermediate certificates in the chain of trust as our SSL validation is strict. You can use third-party SSL analysis tools (e.g., https://www.ssllabs.com/index.html) to check your certificate status and fix any errors (and warnings). If your SSL certificate has problems, you may see "Empty response received" error when you load your FBML canvas app."
From https://developers.facebook.com/blog/post/567/
Sorry for offtopic.
New Developer Roadmap says that FBML will die on 1st June 2012. Better go on iframe mode.
Have you definitely added a secure canvas URL in your app configuration? On the developer app, go to edit your app and under basic settings you should have URLs in both 'Canvas URL' and 'Secure Canvas URL'
I'm showing the HTTPS version as resolving correctly (although it doesn't fail gracefully if you access that url directly, it pukes errors all over the place) - https://www.fanta-seriea.com/fbfsapro/ - but when I try to access the HTTPS version of the canvas app, it redirects me back to the HTTP version. Is the SSL url set correctly in the SSL url section of your application settings?
You are referencing non-secure assets on that page. Facebook may be providing you with an invalid error message.
You should relativize all URLs that are simple assets.
If you need assets from other domains that are not yours, you can use protocol-relative URLs: http://paulirish.com/2010/the-protocol-relative-url/
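An added example, not from any of the posts: a Python scanner for the non-secure asset references described in the answer above, which also addresses the earlier migration question about a href. It separates http:// subresources (which trigger mixed-content warnings) from http:// anchors (plain navigation) and accepts relative and protocol-relative URLs; the sample page and host names are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                     ("link", "href"), ("source", "src"), ("embed", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []    # (line, tag, url): assets loaded over http
        self.nav_links = []   # (line, url): http anchors, navigation only

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            # Relative, protocol-relative (//host/x) and https URLs are fine.
            if not (value or "").strip().lower().startswith("http://"):
                continue
            if tag == "link" and not ("stylesheet" in rel or "icon" in rel):
                continue  # e.g. rel=canonical is metadata, nothing is fetched
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.insecure.append((line, tag, value))
            elif (tag, name) == ("a", "href"):
                self.nav_links.append((line, value))

def scan(html):
    """Return (insecure_assets, http_nav_links) found in an HTML string."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure, scanner.nav_links

# Constructed sample page (hypothetical hosts and paths).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.test/skin/styles.css">
<link rel="canonical" href="http://www.example.test/checkout/">
<script src="//cdn.example.test/lib.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<a href="http://www.example.test/about">About</a>
<img src="https://static.example.test/ok.png">
</body></html>"""
```

Calling scan(SAMPLE) reports the stylesheet on line 2 and the image on line 7 as insecure assets, and lists the anchor on line 8 separately.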

Force http for subdomain without SSL

I recently moved servers and redeveloped the website at the same time. Previously all pages were served via https and I wanted to change this so only cart pages were via https. Also I wanted to clean up the url a bit. Old urls were:
https://secure.mydomain.com/onlinestore/index.php
and I removed the secure prefix and the subfolder so it is now:
http://www.mydomain.com/index.php
Problem is I wanted people who clicked on old links or bookmarks to be redirected to the new page. I got this working with htaccess. However the new SSL only covers the root domain and not the secure subdomain. So if someone clicks an old link it brings up "This Connection is Untrusted" before it can redirect. Works fine if I change https to http.
So what I want to know is if there is any way I can force http instead of https before it checks the SSL cert.
Hope that makes sense!
The short answer is no. With conventional SSL, your web server doesn't even get to see the URL before certificate negotiation happens. It just sees a connection on port 443 and starts doing SSL negotiation. The browser then sees the mismatched cert and throws an exception.
However, more modern browsers and web servers (see Wikipedia for the list) support a TLS extension called Server Name Identification (SNI), which allows the client to send the hostname it's requesting before the server has to respond with a certificate. At that point you'll need to have certificates for both secure.mydomain.com and www.mydomain.com on that server, and it'll need to be configured to respond with the proper certificate.

Is there a way for IIS6 to do http and https together in the same site?

The site needs to be accessible both from HTTP and HTTPS (in case the client wants the form submissions to be secure or not)
The site is hosted in IIS6 and ideally I'd like to be able to just have one website in there that can handle both http and https. Is this possible?
Alternatively I was thinking of maybe creating a "secure" subdirectory in the site and duplicating everything in there as well. Is that feasible?
This is further complicated by the fact that it is using ASP.NET 3.5's routing ability to do URL rewrites,
so even if I create a secure subdirectory, I don't know if it will actually pick up that it's supposed to be SSL approved.
It is possible. There is a checkbox on the security settings that allows you to "Require ssl" for connections. It is then up to you to manage transitions between https and http with redirects or links.
More information on this here. Just skip step 6.
You can have IIS 6 & IIS 7 operate the same site with https as well as http. In IIS 6 there is a restriction that you can't use host headers. So you'll need a dedicated IP address for it. Simply bind it to the IP address and then set up the cert. Don't use the "require https" and just enforce it in the sections of your application that you want.
I'm not sure about IIS 6, but in IIS 7 you select the site, go to Bindings, click Add and select https; it will automatically choose port 443, and then you choose your SSL certificate.
This is all very possible but,
"The site needs to be accessible both from HTTP and HTTPS (in case the client wants the form submissions to be secure or not)"
If you have the capability for them to use SSL I wouldn't give them a choice. Just make them use it. Most users don't know the difference between secure and unsecure connections or even why they should care. Just force everyone to use a secure connection for form submissions.
"alternatively i was thinking maybe creating a "secure" subdirectory in the site and duplicating everything in there as well..is that feasible?"
Yes but what is far more common is to have a secure sub domain. Check out most shopping sites and while you're browsing products and such you'll be looking at www.someshoppingsite.com. The moment you begin checking out you'll be forwarded to secure.someshoppingsite.com. If you create an SSL subfolder I guarantee you at some point it will be disabled accidentally and no one will notice for weeks.
