Outlook and Gmail blocking images off an SSL Newsletter - ssl

I have a newsletter tool that, well, shows newsletters. Well, the site was on non-SSL hosting and now is on an SSL host. When a user receives the newsletter in Gmail or Outlook the images have a blue question mark on it and the image doesn't show. They can click the 'view in browser' option and everything shows up fine.
This is also with images displayed option turned on in both Outlook and Gmail.
Here's where I think I see the problem - the site does not have its own SSL cert. It's using a server one so there is a name mismatch.
Would that be the reason why the images are not showing up in Outlook/Gmail? If so, would the solution be to get an SSL cert that matches the domain name?

> Here's where I think I see the problem - the site does not have its own SSL cert. It's using a server one so there is a name mismatch.
The certificate you're using must be valid for the host name you're using (see RFC 2818, Section 3.1). If this is not the case, your HTTPS server isn't set up properly, so you shouldn't be surprised clients don't like it.
> They can click the 'view in browser' option and everything shows up fine.
Presumably, this works because your users are willing to ignore an error message, which they shouldn't do.
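The name check the answer refers to, as an added example that is not part of the original posts: it pulls the https image hosts out of a newsletter body and tests each against the names in the certificate that host serves. The hosts, certificate names and helper names are constructed for illustration, the wildcard handling follows the stricter one-label rule browsers apply, and chain validation is out of scope.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample data (hypothetical hosts and certificate names).
NEWSLETTER = ('<img src="https://news.example.org/img/logo.png">'
              '<img src="https://cdn.example.net/banner.png">')
CERTS = {  # host -> (subjectAltName dNSNames, subject CN) as served
    "news.example.org": (["shared01.hosting.example"], "shared01.hosting.example"),
    "cdn.example.net": (["*.example.net"], None),
}


class ImgHosts(HTMLParser):
    """Collect the host of every https <img src> in an HTML newsletter."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        parts = urlsplit(dict(attrs).get("src") or "")
        if tag == "img" and parts.scheme == "https" and parts.hostname:
            self.hosts.add(parts.hostname.lower())


def name_matches(pattern, host):
    """Compare a certificate name with a host; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # conservative: reject "*.tld"
    return p == h


def cert_valid_for(host, san_dns, common_name=None):
    """RFC 2818 3.1: dNSName SANs are used if present; CN is only a fallback."""
    names = san_dns if san_dns else ([common_name] if common_name else [])
    return any(name_matches(n, host) for n in names)


def mismatched_hosts(html, certs):
    """Return the image hosts whose served certificate does not cover them."""
    parser = ImgHosts()
    parser.feed(html)
    return sorted(h for h in parser.hosts
                  if not cert_valid_for(h, *certs.get(h, ([], None))))


if __name__ == "__main__":
    print(mismatched_hosts(NEWSLETTER, CERTS))
```
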

Related

New Google Domain won't connect to Heroku

I have followed all steps to set up my own Google domain that I purchased with Heroku. However when I have to enter the Synthetic Record Information I get an error that says:
This synthetic record has an error and will not function correctly:
The SSL Certificate for this domain hasn't been created yet. This process may take up to 24 hours to complete.
I am not sure what I did wrong. I selected to Temporarily redirect, do not forward path, and Enable SSL.
On the Heroku side the ACM status is labeled as okay but when I click on the link to go to my webpage it does not work and I get an error from the browser that the server IP address cannot be found.
I have set up the CNAME and DNS target correctly as well.
You may need to add Custom resource records, not a Synthetic Record.
And my other suggestion would be using Firebase if you purchased Google Domains.
They work well together. And Firebase provides free SSL too.

Fiddler not capturing certain websites

I am using Fiddler version 4 and am unable to capture some websites like Facebook, Google, Gmail, Yahoo; however, it captures some other websites correctly.
I checked the filters option and found that they use filters option "Unchecked" and also checked Fiddler through its IP and it's running correctly.
I think that's caused by missing HTTPS decryption.
There is a menu point to import the Fiddler root certificate in the local certificate store.
http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert
How to:
Click Tools > Fiddler Options > HTTPS.
Click the Decrypt HTTPS Traffic box.

How do I get placemark icons to load over ssl?

I'm working on a web application that uses the Google Earth plugin. Recently, a new requirement to have non-public users log on was added, which meant that some users were now using the site over https. Among the things that broke in testing were the custom placemark icons (They were working using http).
The icons are hosted on the same server which serves the page.
Here are the urls for each of the protocols.
http - http://localhost/Images/yellow.png
https - https://localhost/Images/yellow.png
I can follow that link and the image will appear as you would expect.
The image hrefs are declared as icon styles in dynamically generated kml.
I want to avoid loading the images over http because I think that will cause Internet Explorer to present the user with a mixed content warning.
How do I get the images to load properly while using https?
I have been wrestling with this myself -- the short answer is that this won't work. If the content is served off of an HTTPS site that generates any kind of error/prompt (authentication, invalid certificate, etc.) the plugin will simply not load the content.
Interestingly, the desktop client works fine and prompts the user for credentials if necessary. However, neither client will allow content to be served off of a site with an untrusted certificate.
The only workaround that I have found is:
Use a trusted HTTPS certificate on the server hosting the content (either trust the certificate on the client systems or just use a real certificate.)
Do not use HTTPS basic auth as that will always generate 401/Challenge responses which the web browser client will simply ignore.
If authentication is a requirement, use NTLM authentication and common (e.g., domain) logins. If you load the plugin in Internet Explorer (or in a .NET WebBrowserControl) the authentication will be handled properly and the images will show up.
I was at a Google Earth administrator's training last week and the trainer confirmed this "bug". It is supposed to be fixed in the next version of the plugin (it may actually be fixed already -- what version of the plugin are you using?)

How to fix Firefox defaulting to https for rails app on custom domain hosted on heroku

I have a Ruby on Rails 3 app hosted on Heroku with a custom domain. It uses OAuth to allow the user to log in through Facebook. After a user logs in through Facebook, the next time they type in our domain in Firefox (tested on FF 15.0.1 on Mac) it automatically fills in https before the address (so the user is used to typing "example.com" into the address bar and pressing ENTER, but Firefox changes that to https://www.example.com). This of course shows the "This Connection is Untrusted" warning page (http://support.mozilla.org/en-US/kb/connection-untrusted-error-message) since we do not have an SSL certificate instead of loading our page.
This only seems to happen with Firefox (tested on Chrome and Safari as well).
I've tried redirecting the Rails action that we point to for root to the http protocol version using this example (http://captico.com/securing-specific-routes-in-rails-3/2011/02), but that didn't work. I've also tried adding the ssl_requirement gem (https://github.com/bartt/ssl_requirement) and excluding the action that we point to for the root domain, but then I just got a bad URI error.
We're in money saving mode right now as we test out the site and slowly grow in users. I believe the best thing to do is to pay the money for our own SSL cert, as well as the $20/month to Heroku to get SSL for our custom domain. But for now, we'd like to avoid having these extra costs.
Is there a way to fix this for free?
To fix it for free, use the *.herokuapp.com domain instead of a custom domain.

Why no 403;4 error in IIS6 when user connects to SSL-secured site using plain HTTP

I was under the impression that if a user attempted to visit a website that had been secured with an SSL certificate, but did not use HTTPS and instead used plain HTTP in the address box, a 403;4 error would be generated, and that an error message something like this would be presented:
"This page must be viewed over a secure channel"
"The page you are trying to access is secured with Secure Sockets Layer (SSL)."
But that's not happening on our website. You can use http://secure.oursite.com or https://secure.oursite.com and both work fine.
The company that issued the SSL certificate says our certificate checks out OK in their certificate checking tool and that it's "chaining properly" and that this is an IIS configuration issue.
Does this SSL over HTTP error checking have to be explicitly enabled?
I was planning on creating a custom error for the 403;4 condition, pointing to a file, which redirects to https://secure.oursite.com. But the error condition is not being trapped by IIS.
EDIT: I've stopped and restarted the server. Not solved.
Thanks
As per this article, have you checked the "Require secure channel (SSL)" box in the properties for your site? This is what triggers the error. You can then create the redirect using a custom error page.
> a 403;4 error would be generated
That's not what happens in my site. My site automatically redirects to the HTTPS port. It's done free of charge by Tomcat.