Reading the certificate information of a web page - ssl

Suppose I visit a web page www.example.com and it is successfully loaded into my browser.
When this page is loaded, we can see the certificate information for www.example.com by clicking on the padlock icon (on the left side of the address).
The certificate includes information like owner/organisation, connection status, certificate verified by, cookies set by the page and so on.
Is there any way to get this information programmatically from the browser, like by using javascript/Ajax or any other language?

I found this link very helpful:
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/How_to_check_the_secruity_state_of_an_XMLHTTPRequest_over_SSL

Related

How can I resolve SSL Mixed Content issue caused by Gravatar?

Gravatar is causing a mixed content issue, especially when a user is logged in. For logged out users, there is no issue. My site loses the green Security (SSL) padlock on the browser. For all the pages which logged in Users visit, there is Mixed content. The message displayed by Chrome/Firefox is usually that the page was loaded over HTTPS, but requested an insecure image 'http://gravatar.com/avatar/b87daeb6292d165f7bd8db0dbb2e0a8b?s=400&d=identicon'. This content should also be served over HTTPS.
Is there any way to resolve this please?
This does not happen with my blog. Check out the attached image for more information.
Yes, I faced this error two months back but I resolved it using Cloudflare. I made the following two changes to load all the resources, including images, over https.
In Crypto Page of Cloudflare, changed the setting to always HTTPS and Automatic Redirect.
Made similar change in Cloudflare plugin active in WordPress.
You will find the detailed step by step tutorial on achieving this in the article below
How to Fixed Mixed Content Error in WordPress?

SSL and iframe - Does the same certificate work for iframe?

I have a website embedding another website with iframe. The first website has SSL with a certificate for *.something.com and let's say its domain is somethingelse.something.com. Can I use the same certificate for the embedded website as well even though there is no subdomain in something.com referring to it?
In other words, does the fact that I am originally coming from somethingelse.something.com count for the embedded website as well?
I hope this makes sense, I am quite new with this.
If the certificate is valid for the domain, the fact that it's an iframe doesn't count.
Be careful: A certificate for "*.example.com" is valid for "anything.example.com" but NOT for "example.com"
The iframe may be blocked for another reason:
CSP on the main page
X-FRAME-OPTIONS on the iframe

Chrome - Password/Credit Card input within an iFrame

I am using an iFrame which is hosted on another domain that has an SSL certificate. On the page where the iFrame is used I get 'Not Secure' message next to the domain in Google Chrome and the following warning in the console log:
This page includes a password or credit card input in a non-secure
context. A warning has been added to the URL bar. For more
information.
Note: The iFrame loads an online booking portal which includes both login details and credit card information.
In order to prevent this message from showing, would I need to purchase an SSL certificate?
I'm asking because I don't want to order one if it doesn't resolve the issue, if there is a way around this without having to get an SSL certificate, or if it's just not worth getting one for this situation.
Your thoughts would be highly appreciated.
Thanks in advance.
To help users browse the web safely, Chrome indicates connection
security with an icon in the address bar. Historically, Chrome has not
explicitly labelled HTTP connections as non-secure. Beginning in
January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords
or credit cards as non-secure, as part of a long-term plan to mark all
HTTP sites as non-secure.
It applies to all sites that are not https.
Do check any website which has login information and doesn't have https; you can view the username and password in the Chrome developer window.
security page documentation

Outlook and Gmail blocking images off an SSL Newsletter

I have a newsletter tool that, well, shows newsletters. Well, the site was on non-SSL hosting and now is on an SSL host. When a user receives the newsletter in Gmail or Outlook the images have a blue question mark on it and the image doesn't show. They can click the 'view in browser' option and everything shows up fine.
This is also with images displayed option turned on in both Outlook and Gmail.
Here's where I think I see the problem - the site does not have its own SSL cert. It's using a server one so there is a name mismatch.
Would that be the reason why the images are not showing up in Outlook/Gmail? If so, would the solution be to get an SSL cert that matches the domain name?
Here's where I think I see the problem - the site does not have its own SSL cert. It's using a server one so there is a name mismatch.
The certificate you're using must be valid for the host name you're using (see RFC 2818, Section 3.1). If this is not the case, your HTTPS server isn't set up properly, so you shouldn't be surprised clients don't like it.
They can click the 'view in browser' option and everything shows up
fine.
Presumably, this works because your users are willing to ignore an error message, which they shouldn't do.
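The host-name rule behind both this answer and the wildcard caveat in the iframe answer above, as an added example that is not part of the original posts. It is a simplified matcher (only a whole left-most wildcard label is honoured); the function names and the shared-server certificate names are hypothetical, constructed values.

```javascript
// Added illustration: simplified certificate host-name matching.
// Not a full RFC 2818 / RFC 6125 implementation; sample names are constructed.

// Return true when one certificate DNS name (pattern) covers the host name.
function dnsNameMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  // A wildcard stands for exactly one label, so the label counts must be equal.
  if (p.length !== h.length) return false;
  return p.every((label, i) => {
    // Assumption: only a whole left-most label may be "*", and a bare
    // "*.tld" pattern is refused.
    if (label === '*') return i === 0 && p.length > 2 && h[i].length > 0;
    return label === h[i];
  });
}

// Check a host against every DNS name listed in the certificate.
function certCoversHost(certDnsNames, host) {
  return certDnsNames.some((name) => dnsNameMatches(name, host));
}

// Report which of several hosts a certificate can be served for.
function coverageReport(certDnsNames, hosts) {
  const report = {};
  for (const host of hosts) report[host] = certCoversHost(certDnsNames, host);
  return report;
}

// Wildcard certificate from the iframe question.
const wildcardCert = ['*.something.com'];
console.log(coverageReport(wildcardCert, [
  'somethingelse.something.com', // covered: one label replaces "*"
  'something.com',               // not covered: no label for "*"
  'a.b.something.com',           // not covered: "*" spans one label only
  'embedded-site.example',       // not covered: different domain (constructed)
]));

// Newsletter case: the hosting server's own certificate (constructed name)
// presented for the site's domain (constructed name) is a name mismatch.
const sharedServerCert = ['server42.hosting.example'];
console.log(coverageReport(sharedServerCert, ['newsletter.example']));
```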

404 error with https redirect: how to exclude a browser non-secure connection warning

The web-site has ssl certificate.
Any http page is redirected to the same, but https page (if not https) by .htaccess.
Everything works fine, but 404.shtml gets a security warning "This webpage contains content that will not be delivered using a secure HTTPS connection..." in IE. The same behavior is in any other browser.
How to exclude that error?
404.shtml web-page was created using web-hosting control panel wizard. The file 404.shtml was created automatically.
Most likely the automatically generated file includes links, images or other resources fetched via http. If you can change them to https links, you should avoid the problem. There's afaik no other way to make the browser not warn about this, at least in a cross browser way.
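A way to locate the resources this answer and the Gravatar question above describe, as an added example that is not part of the original posts: it scans a page's HTML for subresources still requested over http and rewrites only those to https. The function names and the sample 404 page are hypothetical, constructed values; the Gravatar URL is the one quoted in the question.

```javascript
// Added illustration: find and upgrade http:// subresources in an HTML page.
// Tags whose URL attribute makes the browser fetch a resource. <a href> is
// navigation, not mixed content, so it is left out. Assumption: every <link>
// is treated as a fetched resource (stylesheet, icon).
const SUBRESOURCE_ATTR = {
  img: 'src', script: 'src', iframe: 'src', audio: 'src',
  video: 'src', source: 'src', link: 'href',
};
const TAG_RE = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;

// Regex capturing the attribute prefix and an http:// URL for one attribute.
function httpAttrRe(attr) {
  return new RegExp('(\\s' + attr + '\\s*=\\s*["\']?)(http://[^\\s"\'>]+)', 'i');
}

// List every subresource that would be requested over plain http.
function findMixedContent(html) {
  const findings = [];
  for (const [, name, attrs] of html.matchAll(TAG_RE)) {
    const attr = SUBRESOURCE_ATTR[name.toLowerCase()];
    const hit = attr && httpAttrRe(attr).exec(attrs);
    if (hit) findings.push({ tag: name.toLowerCase(), url: hit[2] });
  }
  return findings;
}

// Rewrite only subresource URLs to https; ordinary links stay untouched.
function upgradeToHttps(html) {
  return html.replace(TAG_RE, (tag, name) => {
    const attr = SUBRESOURCE_ATTR[name.toLowerCase()];
    if (!attr) return tag;
    return tag.replace(httpAttrRe(attr), (_, pre, url) => pre + 'https' + url.slice(4));
  });
}

// Constructed sample of an auto-generated 404 page.
const sample404 = [
  '<html><head><link rel="stylesheet" href="http://host.example/style.css"></head><body>',
  '<img class="avatar" src="http://gravatar.com/avatar/b87daeb6292d165f7bd8db0dbb2e0a8b?s=400&d=identicon">',
  '<img src="https://host.example/logo.png">',
  '<a href="http://host.example/">Home</a>',
  '</body></html>',
].join('\n');

console.log(findMixedContent(sample404));
console.log(upgradeToHttps(sample404));
```

The rewrite only helps if the remote host actually serves the resource over HTTPS, so each reported URL should be checked before it is changed.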