Internet Explorer and SSL


bkessler91

Internet Explorer is not playing nice when I enable SSL. (Yes, I have an SSL cert installed.)

 

I keep getting [attached] error message, thus scaring customers away.

 

All my mods (mostly image files for the header) to CC5 are contained inside my shoppingcart directory.

 

 


I read an article on DSLReports that all browsers will very soon be (Firefox 23, for example), or are already, configured to not allow mixed secured and unsecured content on the same page. The discussion entailed there will be a lot of hand-wringing and gnashing of teeth as webmasters will be forced to accommodate this.

 

I simply do not know the state and status of Internet Explorer, and what any Microsoft updates may have done to its various versions.

 

When you click More Info, what does it say? Does it mention what items are coming in unsecured?


Yes, under more info, it states

"Secure and non-secure content, or mixed content, means that a webpage is trying to display elements using both secure (HTTPS/SSL) and non-secure (HTTP) web server connections. This often happens with online stores or financial sites that display images, banners, or scripts that are coming from a server that is not secured.  The risk of displaying mixed content is that a non-secure webpage or script might be able to access information from the secure content."

 

When I click No, it shows everything fine.

When I click Yes, my modified header (image sliced jpgs) does not load.

 

I have disabled SSL so you will not get the error pop-up, but you can see the custom header at the top of the page.

Check out the site ladyfingerssewing.com/shopping_cart/

 

Could it be that the SSL certificate is installed but not enabled on the entire server?


"Could it be that the SSL certificate is installed but not enabled on the entire server?"

 

If the server can deliver secured data, everything will be delivered secured if it was asked for that way.

 

Your HTML is asking for images using the "http" protocol. That is likely due to hard-coding the URLs instead of using

src="{$STORE_URL}/headerimages/LadyfingersHeader_04.jpg" in your "custom header", as well as the cert seal logo.


  • 1 month later...

I'm working toward getting an SSL certificate for our store. Based on this thread I checked through my skin templates and hopefully found all the places I had hard coded an image and changed them to {$STORE_URL}.

 

But I'm wondering what happens when a page has one of these scripts that links to an http url, such as AddThis? And is there any way to put a link to a hidden document in a document with the {$STORE_URL} type url, so it will automatically find the https form once the SSL certificate is in place?


Maybe don't use $STORE_URL.

 

Browsers will figure it out:

/index.php == this is the root folder for your domain: dirtybutter.com

/plushcatalog/index.php == this is the absolute subfolder off the root folder

index.php == (most of the time) this is the relative folder from your domain/path/: dirtybutter.com/plushcatalog/


What am I supposed to see, in particular?

 

If you can have your browser show you the web page html source, let's look at:

<link rel="shortcut icon" href="/favicon.ico">

There is no domain name, but the leading slash says to look for this file in the root folder of dirtybutter.com.

 

Here is the logo:

<img src="/plushcatalog/images/logos/plushanimalshopbarn600.jpg" ...>

Again, starting with the root folder of dirtybutter.com, follow the path to the image file.

 

Some other samples:

<li><a href="http://dirtybutter.com/plushcatalog/index.php?_a=register" title="Register">Register</a></li>
<li><a href="index.php?_a=vieworder" title="Lookup Order" >Lookup Order</a></li>
<form action="/plushcatalog/index.php?_a=category"

The first is a fully-qualified URL.

The second is a relative URL that assumes the browser knows where it is at, specifically (dirtybutter.com/plushcatalog/).

The third is an absolute URL - not fully-qualified - that assumes the browser knows the domain name (dirtybutter.com), but starting in the root folder, following the path (/plushcatalog/).

 

When you hover the mouse cursor over these links, the browser automatically supplies the rest of the parts to make a fully-qualified URL appear in the status bar (if there is a status bar).

 

If you are referring to script source links like this:

<script type="text/javascript" src="http://s7.addthis.com/js/300/addthis_widget.js

I've seen a number of instances where the link just does not mention the protocol:

<script type="text/javascript" src="http://s7.addthis.com/js/300/addthis_widget.js
would be:
<script type="text/javascript" src="//s7.addthis.com/js/300/addthis_widget.js
compare with
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js">

Note the missing http(s). So if the protocol is missing, the browser would then use the appropriate protocol.


As an experiment, have CubeCart open the above mentioned document for editing. Click on the "story" link. Click the link tool icon to bring up the link editor.

 

For protocol, choose <other>. For the URL, simply enter satin-lining-blankies-warning.html

 

Save the document and request it from your browser.

 

Look for the link and hover the mouse cursor over it. The browser should show that the link includes the missing parts: http(s), dirtybutter.com, and /plushcatalog/ even though the actual html code as received by the browser does not include this info.


But please note that destination links (as opposed to web addresses for page resources such as images, javascript files, css files, flash files, etc) do not influence the warning dialog referenced in the first post.

 

It would be nice, however, to maintain the protocol -- if on http, then continue with http, if on https, then continue with https. Do any of your documents require the visitor to be using https? (Not that CubeCart would be able to distinguish this as a per-document setting.)
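
Added example, not part of the original posts: a Python audit that resolves each page-resource reference in a template the way the browser does and reports the ones an HTTPS page would fetch over HTTP, skipping destination links because they do not trigger the warning. The sample markup is constructed from the URL forms quoted in this thread, and the header.jpg path is a made-up placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a page resource. <a href> and
# <form action> are destinations, not resources, so they are never flagged.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw reference) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and not {"stylesheet", "icon"} & set(rel):
            return  # e.g. rel="canonical" is not fetched as a resource
        value = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if value:
            self.refs.append((tag, value))

def find_mixed_content(html, page_url):
    """Return (tag, raw, resolved) for resources an HTTPS page loads over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to a page served over HTTPS
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.refs:
        resolved = urljoin(page_url, raw)  # fills in scheme, host and path
        if urlsplit(resolved).scheme == "http":
            findings.append((tag, raw, resolved))
    return findings

# Constructed sample using the URL forms quoted in the thread; header.jpg is
# a made-up path standing in for a hard-coded header image.
SAMPLE = """
<link rel="shortcut icon" href="/favicon.ico">
<img src="/plushcatalog/images/logos/plushanimalshopbarn600.jpg">
<img src="http://dirtybutter.com/plushcatalog/images/header.jpg">
<script src="http://s7.addthis.com/js/300/addthis_widget.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js"></script>
<a href="http://dirtybutter.com/plushcatalog/index.php?_a=register">Register</a>
"""

if __name__ == "__main__":
    page = "https://dirtybutter.com/plushcatalog/index.php"
    for tag, raw, resolved in find_mixed_content(SAMPLE, page):
        print(f"<{tag}> {raw} -> {resolved}")
```

Only the two hard-coded http:// resources are reported; the root-relative and protocol-relative references resolve to https, and the fully-qualified Register link is ignored as a destination.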


For protocol, choose <other>. For the URL, simply enter satin-lining-blankies-warning.html

 

This worked. I had previously tried it with a leading slash. Thank you! I'd rather get all these types of changes made before I worry about actually using SSL. I see posts where people have been locked out of admin or all their images disappear when they turn SSL on, or end up having to force SSL... it makes this whole process very scary for me.

 

As I understand it, the normal SSL under CC only makes the pages where the customer inputs information as https pages, but if I force SSL then ALL pages are https. Is that right? Wouldn't it be advantageous as far as customer confidence goes for them to see the https as soon as they come to our site?


The argument goes that the computational power required to encrypt/decrypt web traffic is a (significant?) drain on the total computational power of the server. I have not looked for any reliable research that has published the impact of SSL on server performance. I have read reports that some data centers have a rack of computers whose sole job is to manage SSL communications.

 

Certainly, every server can be objectively measured for total computational power (100% loading), and if the server is overloaded (too many sites running too many applications), then requiring all of your site's communications be under SSL just adds to the overloading -- slowing down all sites on that shared server even more.

 

But if the server is at less than optimal loading, and it's your own server (not shared or virtual), do whatever you want.

 

Certainly pages where the customer is managing their account and during the checkout phase need to be under SSL (and all admin pages), but casual browsing? I would argue, no.

 

What works for me is the display of the SSL Security Emblem the provider of your SSL Cert provides to you. This emblem can be clicked on to take the visitor to the Cert provider's site where a record of your 'trustworthiness' is detailed. (And the details of the Cert provider's own 'trustworthiness'.)

 

The store I managed in the past had the highest 'trustworthiness' rating (and the highest cost of the Cert because the provider examined our business papers and made other enquiries) and the emblem indicated as such. This is 'trustworthiness' with respect to us being who we say we are, not how secure against hacking our site was, or how secure our business offices were against burglary.


Thank you for the information, as this is a new area of research for me. I've kind of hijacked this thread, but I won't split it off for now. If bkessler91 returns with a comment about the original issue I will split my part off into its own thread.
