Security Warnings

loloyd

I am browsing locally using Firefox 2.0.0.4 on Windows XP where my Abyss 2.5 Beta 1 resides. I'm not really savvy with HTTPS and SSL but, to my understanding, packet transmissions over HTTPS should well be encrypted, as per definition.
Why is it then that my Firefox reports a Security Warning like this? Why is it that I only get partial encryption? Shouldn't all packet transmissions be encrypted in HTTPS?

aprelium-beta

loloyd,
That's not a server issue. It's related to your HTML page code.
It seems that you are viewing a HTML page over HTTPS while this page references some HTTP images (or other embedded objects). This makes most browsers complain and report a warning.
So try removing the hard coded http:// links from your page. Does that help?

loloyd

Yes, that helps! You're right. Thank you very much.
I also did some crude tests. I src'd images from external http only sites and the security set did not complain. I think what's causing the security alerts to pop up are my src'd (embedded) videos. It is now my belief (yeah not very scientific admittedly) that only tags with SRC= attribute are affected by this.
Any additional insights are very much welcome.

aprelium-beta

loloyd,
This warning message is controlled by the checbox "I'm about to view an encrypted page that contains some unencrypted information" in Settings inside the Security tab of Firefox preferences ( http://www.mozilla.org/support/firefox/options#security ).

loloyd

It's not really the checkbox I'm concerned about or the pop up alert. It's the sense of not having all parts of the content encrypted. It makes our HTTPS website users feel less secure when transacting with the site, especially when there's a heavy consideration on security. Leaving an HTTPS website "partially secured" would be ugly in my opinion, and it somehow defeats the purpose of installing an HTTPS server on it.

aprelium-beta

loloyd,
Sorry, but we don't see the problem here. It's up to the web site designer to make pages serve everything from a HTTPS request to avoid that situation. The server can do nothing if you have hard coded a http:// inside your page.
So for example, instead of using:

<IMG SRC="http;//mysite/test.jpg">

write:

<IMG SRC="/test.jpg">

The second chunk will never raise any warning and will work regardless of your domain name and the protocol you're going to choose when deploying the site.

loloyd

loloyd wrote
Yes, that helps! You're right. Thank you very much.

As I said before, you are right. That is the kind of crude test I have just implemented as described in my earlier post. I was able to "fully secure" my web pages when I removed all external SRC="HTTP://..." references. What I was merely pointing out was my opinion regarding partially encrypted content. Us website makers should indeed avoid partially encrypted content when using HTTPS. And, advising our website users to switch off the pop up alert on this with their browsers if we are hosting partially encrypted content would be a less desirable option.
So there was actually no problem with the Abyss Beta 1 server. The problem lies within the webmaster's pages. :D

aprelium-beta

loloyd wrote
So there was actually no problem with the Abyss Beta 1 server. The problem lies within the webmaster's pages. :D

:-)

Mahindra

dgroos:
If you want to avoid the security warnings, then you will need to create buy a SSL Certificate from a certified authority.
A self-signed Certificate as the one you probably have is not "trusted", so the users are prompted to add your site the CmapServers site in the list of trusted places. If they add the certificate, then they wont be prompted anymore.