I am getting the security alert: "You are about to be directed to a connection that is not secure. The information you are sending to the current site might be transmitted to a non-secure site. Do you wish to continue?" when I try to log in as a customer on my client's osCommerce website. I noticed the link in the status bar goes from an https prefix to a non-secure http prefix. The site has an SSL certificate, so how do I ensure the entire store portion of the site directs to the secured site?

+3  A: 

It is likely that some parts of the page, most often images or scripts, are loaded non-secure. You'll need to go through them in the browser's "view page source" view one by one and eliminate the reason (most often, a configuration setting pointing to http://).

Some external tools like Google Analytics that you may be embedding on your site can be included through https://; some can't. In that case, you may have to remove those tools from your secure site.

If you can't switch all the settings, try using relative paths:

<img src="/images/shop/xyz.gif">

but the first thing is to identify the non-secure elements using the source code view of your browser.

An immediate redirection from a https:// page to a http:// one would not result in a warning as you describe. Can you specify what's up with that?

Pekka
Sure, if you go to https://balancedecosolutions.com/products//catalog/login.php and log in as a customer. I have set up [email protected] as the user name and test123 as the password. You'll see the message (IE6) when you try to log in.
me
The login doesn't work for me.
Pekka
+1  A: 

Ensure that the following are included over https:

  • css files
  • js files
  • embedded media (images, videos)

If you're confident none of your own stuff is included over http, check things like tracking pixels and other third-party gadgets.

Edit: Now that you've linked your page, I see that your <base> tag is the problem:

<base href="http://balancedecosolutions.com/products//catalog/">

Change to:

<base href="https://balancedecosolutions.com/products//catalog/">
BipedalShark
Thanks shark... the only reference to that that I can find is a line of code like this: <base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
me
Hopefully the OSCommerce software has an option for always using `HTTPS_SERVER`. If not, try editing that line: `<base href="<?php echo HTTPS_SERVER . DIR_WS_CATALOG; ?>">`
BipedalShark
+2  A: 

Use Fiddler and browse your site, in the listing it should become evident what is using HTTP and HTTPS.

Brian Schmitt
Jon Galloway talks about this in one of his blog posts: http://weblogs.asp.net/jgalloway/archive/2009/10/15/did-you-know-about-protocol-relative-hyperlinks.aspx TL;DR - prepend it with // rather than http(s)
Brian Schmitt
A: 

It sounds to me like the HTML form you are submitting is hardcoded to post to a non-secure page.

Shea Daniels
A: 

If the suggestion from Pekka doesn't suit your needs you can try using relative links based on the schema (http or https):

e.g.,

<a href="//www.example.com/mypage.html">I am a 100% valid link!</a>

The only problem with this technique is that it doesn't work with CSS files in all browsers, though it does work within JavaScript and inline CSS. (I could be wrong here; anyone want to check?)

e.g., the following:

<link rel="stylesheet" href="/css/mycss.css" />
<!-- mycss.css contents: -->
...
body{
    background-image:url(//static.example.com/background.png);
}
...

...might fail.

A simple Find/Replace on your source code could be easy.

David Murdoch
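
Added example, not part of any answer above: a small Python scanner that automates the manual "view source" check the answers describe, flagging an http:// `<base>`, sub-resources that resolve to http://, and forms that post to http://. The names `MixedContentScanner` and `find_insecure`, the tag list, and the sample page (example.com hosts) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches or submits to (<a href> is navigation, skipped).
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
             "source": "src", "link": "href", "form": "action"}
LINK_RELS = {"stylesheet", "icon"}  # <link> types that load a sub-resource


class MixedContentScanner(HTMLParser):
    """Collect (tag, resolved_url) pairs that end up on plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url  # later relative URLs resolve against <base href> if declared
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return self._check(tag, self.base)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & LINK_RELS:
            return
        value = attrs.get(URL_ATTRS.get(tag, ""))
        if value:
            self._check(tag, urljoin(self.base, value.strip()))

    def _check(self, tag, url):
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url))


def find_insecure(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (example.com hosts), assumed to be served over https.
SAMPLE = """<head><base href="http://shop.example.com/catalog/">
<link rel="stylesheet" href="stylesheet.css">
<script src="https://cdn.example.com/lib.js"></script></head>
<body><img src="//static.example.com/logo.png">
<form action="login.php" method="post"></form>
<a href="http://other.example.com/">link</a></body>"""

if __name__ == "__main__":
    print(*find_insecure(SAMPLE, "https://shop.example.com/catalog/login.php"), sep="\n")
```

On the sample, the http:// `<base>` alone drags the relative stylesheet, the protocol-relative image and the login form down to http://; with the `<base>` switched to https:// the scan comes back empty.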