Saturday, March 10, 2012

Two notes on Mixed security warnings

When deploying and testing websites that use secure connections (SSL), we might get warnings about non-secure content on the page. This is usually an easy thing to fix: take a tool like "Fiddler" and find out which traffic is going over a regular HTTP (non-secure) channel.

Sometimes even a simple FIND over the code will locate those "unsecured" elements. But that is not enough when you reference some JavaScript, or a link served over SSL, that then redirects to a non-SSL URL.

Each browser has a similar way of showing you how secure your connection to a website is. Google Chrome shows website security indicators (icons) next to the site URL in the toolbar.

The first one (1) is just a regular site with no SSL; what we want is number (2), the green one, and you should avoid the other ones. Now two notes on that.

Google Ads
Don't use Google AdSense on your website if you use SSL and you care about your site not showing any warning. The ads will be functional, but they cause your site to display the fourth (4) indicator.

And that won't look very professional. It gives the impression that the certificate is not valid or that the user is at risk on your site, even when that may not be true: "you", the developer, know that it is just an ad, but the user is not a developer. So avoid this.

Note: even if the ads are only on one page, once the browser hits that page it will show the warning, and even if you navigate away from it to other pages on the site without ads, it will still show the warning.

Silverlight "medallion"
There is nothing wrong with Silverlight itself when it comes to security; however, the default code you place on a page when adding a Silverlight element contains a link to Microsoft that later redirects to a non-secure URL. The content at that URL is an image: the "Download and Install Silverlight" image.

In this case the warning from the browser is number three (3); while it is not critical, it is not good enough. The line causing the problem is this one:

Don't bother changing the source of the image from http to httpS; it won't work. Instead, just download the image and host it yourself on your site.

Now the site won't show any warnings in any browser. Of course the Silverlight medallion will be the one you downloaded, not one chosen by Microsoft based on the culture. But security comes first...
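As an added example (not code from the original post), here is a static check a developer can run over a page's HTML before deploying it. It lists every subresource that a browser would fetch over plain http://, and it resolves https:// references through a redirect table so that the "secure link that then redirects to a non-SSL URL" case of the Silverlight badge is caught as well, which a plain FIND over the source would miss. It also separates active content (scripts, frames, objects, stylesheets) from passive content (images), since browsers treat an insecure script far more harshly than an insecure image. The sample HTML, the hostnames and the redirect table are constructed for the example; on a real site the table would be filled from HEAD requests that follow Location headers.

```python
"""Static mixed-content check for a page served over HTTPS.

Added example, not code from the original post.  It walks the HTML, collects
every subresource a browser would fetch (scripts, frames, images, ...), and
resolves each URL through a redirect table so that an https:// reference that
bounces to plain http:// is reported too.  REDIRECTS is a constructed table
standing in for live HEAD requests; every hostname and path is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# For each element type: the attribute carrying the fetched URL, and whether
# browsers treat the resource as active (can run code) or passive (display only).
SUBRESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "link": ("href", "active"),    # only counted for rel="stylesheet" below
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
}


class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute URL, kind) for every subresource reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        spec = SUBRESOURCE_ATTRS.get(tag)
        if spec is None:
            return  # <a href> and similar are navigation, not subresources
        attr_name, kind = spec
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        raw = attrs.get(attr_name)
        if not raw:
            return
        # Relative and protocol-relative (//host/x) URLs inherit the page scheme.
        self.found.append((tag, urljoin(self.page_url, raw), kind))


def resolve(url, redirects, max_hops=10):
    """Return the hop chain [url, redirect1, ...] using the redirect table."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def find_mixed_content(html, page_url, redirects):
    """Return one finding per subresource whose fetch touches plain http://."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url, kind in collector.found:
        chain = resolve(url, redirects)
        insecure = [hop for hop in chain if urlsplit(hop).scheme == "http"]
        if insecure:
            findings.append({"tag": tag, "kind": kind, "url": url,
                             "insecure_hop": insecure[0], "chain": chain})
    return findings


def worst_kind(findings):
    """'active' if any script-capable resource is insecure, else 'passive' or None."""
    kinds = {f["kind"] for f in findings}
    if "active" in kinds:
        return "active"
    return "passive" if "passive" in kinds else None


# Constructed sample page: an ad script over http, a protocol-relative image
# (fine on an https page), and a badge image whose https URL redirects to http.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://ads.example/show_ads.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<object data="data:application/x-silverlight-2," type="application/x-silverlight-2">
  <param name="source" value="ClientBin/app.xap">
  <a href="http://go.example/getsilverlight">
    <img src="https://go.example/silverlight-badge.png" alt="Get Silverlight">
  </a>
</object>
</body></html>
"""
REDIRECTS = {  # constructed: what a HEAD request would reveal via Location
    "https://go.example/silverlight-badge.png": "http://img.example/silverlight-badge.png",
}

if __name__ == "__main__":
    findings = find_mixed_content(SAMPLE_HTML, PAGE_URL, REDIRECTS)
    for f in findings:
        print(f"{f['kind']:7} <{f['tag']}> {' -> '.join(f['chain'])}")
    print("worst:", worst_kind(findings))
```

Run against the sample page, the check reports the ad script (active, fetched directly over http) and the badge image (passive, secure URL but an insecure redirect hop), while the protocol-relative logo and the relative stylesheet pass because they inherit the page's https scheme. The fix the post describes, hosting the image yourself, turns the badge URL into a relative one and makes that finding disappear.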
