SSL iframe is embedded on other web site - security

An iframe from a domain with an SSL certificate will be embedded on another site (foo.com).
1. Must foo.com have an SSL certificate?
2. If foo.com has an SSL certificate, will there be a security error? foo.com has an SSL certificate for foo.com, but the iframe domain has a different SSL certificate.
3. If foo.com hasn't got an SSL certificate, will there be a security error?

1. No.
2. You will only get a security error if the embedding site uses SSL but the iframed one does not. Whether the sites use different certificates or not does not matter.
3. No. (Isn't this the same question as #1?)
Summary
Having different certificates between the main page and iframed pages is not a problem.
Embedding https:// pages with <iframe /> on an http:// page is not a problem.
However, if you are running a https:// secured page that embeds non-secure pages via http://, then you might get something like this (Internet Explorer):
It depends on the browser and its settings. For example, in IE you can turn this off:

The best way to look at an iframe is to see it as almost a separate browser. In the case of foo.com not being SSL but the iframed site being SSL, you will not get any errors.
If you switch this around, where foo.com has SSL and the iframed site doesn't, you can get a security warning about mixed content from the browser.

It does not matter if the two websites use different SSL certificates. However, if the website that is being iframed is not SSL protected you will get a partially encrypted error message even if the website with the iframe embedded on it is SSL protected. I only know this because this is what I am dealing with right now. My web page was only secured after I took out the iframed website that did not have SSL protection.

While the main website (which contains the iframe) doesn't have to be using SSL, it really should, at least if security is a concern (which is the point of using SSL).
Not doing so prevents the user from checking that the iframe is indeed served securely and which site it's from, which makes its usage of SSL useless. (Examples here.)

Related

Strange insecure tracking code loaded on a secure page with https

I have a website running AdSense and it's on HTTPS.
Recently I noticed some mixed content warnings. When I checked the insecure content being loaded, it turned out to be coming from this domain:
http://ad.afy11.net/ad?mode=7&publisher_dsp_id=74&external_user_id=AQECC2tGjY3QXwJlCfSKAQEBAQE&expiration=1526138980&external_user_id=
I read online that this is some tracking code by AdSense, but how come it's not secure? Other people said it could be malware, so what exactly is that?
"Mixed content" means that your page is served over HTTPS, but some sub-components are HTTP. This URL begins http:.
The primary concern in this case is that this domain name can be spoofed on a local network, causing browsers which have contacted your secure site (and displayed a "this connection is secure" icon to their user) to be tricked into also contacting a malicious site.
It is possible that you've misconfigured AdSense. See AdSense ad code support for SSL for instructions. If this is coming from some other provider, then you need to work with them to convert it to HTTPS.

I want one particular page to not take https

I have this one page which has an iframe inside of which a survey page is embedded; unfortunately I'm getting a "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page I'm trying to include inside the iframe. Also, this is a PHP site, not WordPress.
Thanks
You are always going to have this problem when an HTTPS page references non-secured content. Your options are:
1. Move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory, an HTTP page should be able to reference HTTPS-hosted JavaScript, CSS and images without emitting warnings, this will probably vary by browser.
2. Move the survey page into HTTPS. I am guessing that you don't host this yourself; have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
3. Proxy the HTTP survey page via your server. This would require some clever configuration on the web server, or terminating the SSL connection in front of a proxy operating in reverse mode for your service and in rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
4. Re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help: it overrides the behaviour within a vhost, and the HTTP and HTTPS sites will operate in separate vhosts.

embedded https content with self-signed certificate

Suppose I have valid HTTPS page https://mydomain.tld (letsencrypt certificate in this case) and I want to display images from some other domain mystatic.tld.
I’m aware that it is not possible to use HTTP content http://mystatic.tld, because browsers will block it.
What if mystatic.tld is using a self-signed certificate? When opening a web page from that server, most modern browsers will give a warning and require the user to manually accept the security implications, AFAIK. What happens to images embedded inside my original page from mydomain.tld?

IE's security alert removal

I have a site that can be accessed both through http (http://mysite.com) and https (https://mysite.com). The https version holds secured content, while the http content is for public use. Both contents are on the same server.
Some of the https pages contain some elements, such as images, that are hosted on the http pages. So when one goes to the https site, IE's security alert pops up saying that the content required contains nonsecure data. Knowing that there is no risk anyway, I want to stop that popup. Is this something to be done only through IE's settings on the client side, or do I need to do something about the SSL certificate and configuration? Any guide is highly appreciated.
IE isn't the only browser that will give a popup of that nature. From memory, Firefox and Chrome have similar warnings (like they remove the padlock, or make the https go red in the address bar, instead of green).
The only way you can get it to go away is to only reference https resources in https pages. Have you checked to see what you're referring to doesn't have a secure version? All of the tools I have used generally have an equivalent https:// domain.
Please understand that the alert is there for a reason. The SSL certificate in place protects against man-in-the-middle attacks*. If you load in resources from non-https sources, then the man-in-the-middle protection you otherwise would have, is lost. The user's data may still be encrypted, but it doesn't really matter if the user is sending all his data to an attacker's computer that is decrypting it itself!
You need to remember that HTTPS is an all-or-nothing scheme. As soon as you introduce a non-HTTPS element into your page, you have essentially lost all the security that SSL has to provide.
Please mount your resources (or somehow make them available) on both HTTP and HTTPS URLs and load them accordingly. If you don't you are putting your users at unnecessary risk.
*only if you have a fully valid SSL certificate.
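The rule repeated in the answers above (the summary in the first thread, the "mixed content" explanation in the AdSense thread, the survey-iframe options and the IE alert answer) can be checked offline before a page ships. The following scanner is an added example, not code from any answer in these threads. It walks the HTML of a page, resolves every sub-resource reference against the page URL (so relative and protocol-relative references correctly inherit https://), and reports those that would load over http://. The split into "active" and "passive" categories follows the W3C Mixed Content specification (blockable vs optionally-blockable); the tag/attribute table is a deliberately small subset, and the sample page and all host names in it are constructed.

```python
"""Offline mixed-content scanner (added example, not from the thread).

An https:// page referencing http:// sub-resources is "mixed content";
an http:// page embedding https:// content is not.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content runs or can rewrite the page: browsers block it when insecure.
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),       # only when rel="stylesheet", see below
    "object": ("data",),
    "embed": ("src",),
}
# Passive content (images, media): browsers warn, upgrade or block depending on version.
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class _Collector(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, names = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, names = "passive", PASSIVE[tag]
        else:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # rel="icon", rel="canonical" etc. are not blockable fetches
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative ("/x.js") and protocol-relative ("//cdn/x.js") references
            # against the page URL: both inherit https:// and are therefore fine.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append(
                    {"tag": tag, "attr": name, "url": resolved, "kind": kind}
                )


def find_mixed_content(page_url: str, html: str) -> list:
    """Return the insecure sub-resource references an https:// page would trigger.

    An http:// page cannot have mixed content, so it yields an empty list.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _Collector(page_url)
    collector.feed(html)
    return collector.findings


# Constructed sample page mirroring the threads: an http:// survey iframe, an
# http:// stylesheet and an http:// image on an https:// page, plus safe references.
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://static.example/site.css">
  <link rel="icon" href="http://static.example/favicon.ico">
  <script src="//cdn.example/lib.js"></script>
</head><body>
  <img src="/images/logo.png">
  <img src="http://static.example/banner.png">
  <iframe src="http://survey.example/form?id=1"></iframe>
  <script src="https://ads.example/tag.js"></script>
</body></html>
"""


def report(page_url: str, html: str) -> list:
    """Human-readable lines, one per finding, active (blocked) ones first."""
    findings = sorted(find_mixed_content(page_url, html), key=lambda f: f["kind"])
    return [f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']}" for f in findings]


if __name__ == "__main__":
    for line in report("https://foo.example/page", SAMPLE_HTML):
        print(line)
```

Run against the sample, the scanner reports three findings (the stylesheet and the iframe as active, the banner image as passive) and nothing at all when the same markup is served from an http:// page URL, which is exactly the asymmetry the answers describe. Fixing the findings means pointing each reference at an https:// copy of the resource; the `rel="icon"` exclusion and the small tag table are the places to extend if you need stricter coverage.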

Force http for subdomain without SSL

I recently moved servers and redeveloped the website at the same time. Previously all pages were served via https and I wanted to change this so only cart pages were via https. Also, I wanted to clean up the URL a bit. Old URLs were:
https://secure.mydomain.com/onlinestore/index.php
and I removed the secure prefix and the subfolder so it is now:
http://www.mydomain.com/index.php
The problem is that I wanted people who clicked on old links or bookmarks to be redirected to the new page. I got this working with .htaccess. However, the new SSL certificate only covers the root domain and not the secure subdomain. So if someone clicks an old link it brings up "This Connection is Untrusted" before it can redirect. It works fine if I change https to http.
So what I want to know is if there is any way I can force http instead of https before it checks the SSL cert.
Hope that makes sense!
The short answer is no. With conventional SSL, your web server doesn't even get to see the URL before certificate negotiation happens. It just sees a connection on port 443 and starts doing SSL negotiation. The browser then sees the mismatched cert and throws an exception.
However, more modern browsers and web servers (see Wikipedia for the list) support a TLS extension called Server Name Identification (SNI), which allows the client to send the hostname it's requesting before the server has to respond with a certificate. At that point you'll need to have certificates for both secure.mydomain.com and www.mydomain.com on that server, and it'll need to be configured to respond with the proper certificate.
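Two things decide whether the "This Connection is Untrusted" page appears in the scenario above: whether the certificate the server presents covers the host name the browser asked for, and (with the TLS extension the answer refers to, Server Name Indication in RFC 6066) which certificate the server is able to choose. The following model is an added example, not code from the thread. hostname_covered() implements the name-matching rules browsers apply, simplified from RFC 6125 section 6.4.3 (case-insensitive; a wildcard must be the entire left-most label and matches exactly one label). select_certificate() models the server side: with SNI it picks by the name in the ClientHello, without it only the default vhost's certificate can be offered. The certificate records are constructed stand-ins holding only name lists, not real certificates.

```python
"""Certificate host-name coverage and a model of SNI selection (added example)."""


def _split(name: str) -> list:
    return name.strip().lower().rstrip(".").split(".")


def hostname_covered(hostname: str, cert_names) -> bool:
    """True if any subjectAltName DNS entry in cert_names covers hostname.

    Simplified RFC 6125 rules: exact labels compare case-insensitively; "*" is
    accepted only as the whole left-most label and stands for exactly one label.
    """
    host = _split(hostname)
    for name in cert_names:
        pat = _split(name)
        if len(pat) != len(host):
            continue            # a wildcard matches one label, never zero or several
        if "*" in pat[1:]:
            continue            # wildcard only permitted in the left-most label
        if pat[0] == "*" and len(pat) < 3:
            continue            # "*.com" would cover every domain; reject
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


# Constructed stand-ins for the certificates in the question: the new one covers the
# root domain and www only; a second one for the old "secure" subdomain is optional.
ROOT_CERT = {"label": "mydomain.com cert", "names": ["mydomain.com", "www.mydomain.com"]}
SECURE_CERT = {"label": "secure.mydomain.com cert", "names": ["secure.mydomain.com"]}


def select_certificate(sni_name, certs, default=0):
    """Pick the certificate an SNI-aware server would present for sni_name.

    sni_name is None when the client sent no server_name extension; then, exactly as
    with conventional SSL, only the default vhost's certificate can be returned.
    """
    if sni_name:
        for cert in certs:
            if hostname_covered(sni_name, cert["names"]):
                return cert
    return certs[default]


def browser_warns(requested_host: str, installed_certs, sni_name=None) -> bool:
    """True if the browser would show a certificate warning before any redirect runs."""
    presented = select_certificate(sni_name, installed_certs)
    return not hostname_covered(requested_host, presented["names"])


if __name__ == "__main__":
    old = "secure.mydomain.com"
    print("root cert only, SNI sent:  ", browser_warns(old, [ROOT_CERT], sni_name=old))
    print("both certs, SNI sent:      ", browser_warns(old, [ROOT_CERT, SECURE_CERT], sni_name=old))
    print("both certs, no SNI:        ", browser_warns(old, [ROOT_CERT, SECURE_CERT]))
```

The three runs at the bottom reproduce the answer's reasoning: with only the root certificate installed the old secure.mydomain.com link always warns, so no .htaccess rule ever executes; installing a certificate that covers the old name and serving it by SNI removes the warning; and a client that sends no SNI still receives the default certificate and warns, which is why the answer says you need both certificates and a server configured to pick between them.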
