tags:

views:

111

answers:

4
Q: 

Any tool available to detect what's not HTTPS on an encrypted page?

More often than I like when designers edit some of our sites' pages, they include javascript or an external image our SSL pages that are not encrypted. For example if we have a page like this:

https://www.example.com/cart/EnterCreditCard

And the designer includes some non-encrypted image like this:

<img src='http://www.cardprocessor.com/logo.gif' />

Of course, this creates errors in all browsers:

  • IE: Do you want to view only the webpage content that was delivered securely?
  • Firefox: Connection Partially Encrypted
  • Chrome: (I forget this message)

What I'm looking for is a tool or plugin that lets me easily see what objects are not encrypted. A firefox extension or something along those lines would be great.

Edit: Ben pointed me in the right direction. If you're using Chrome, do a Ctrl-Shift-J to bring up the developer tools. Then click on Resources to see all the items on the page.

+1  A: 

I develop with Safari and use resource tracking in the Web Inspector to see which resources are loaded from http://.

Ben  2010-04-13 20:34:11
@Ben-- Found the same resource for Chrome as well. Ctrl-Shift-J brings up the developer console. Thanks for pointing me in the right direction!
Keltex  2010-04-13 20:49:44
+2  A: 

Try Fiddler - http://www.fiddler2.com/fiddler2/

It works with IE and FireFox. When you have Fiddler running and pull up a web-page, it shows all assets that are downloaded: JavaScript, Images, etc...

The SSL items will have a little "lock" icon next to them, while others will not. This tool is great for debugging Ajax too.

dana  2010-04-13 20:48:04
A: 

You could write a scanner to find non-relative references, and check if they are https. Depending on your process you could make it a build/publish phase to be passed before publishing it to production. If there is no appropriate process, you could always use it as a scheduled scan for changed content and create a trigger to be notified of violations.

But personally I would really try to reduce the manual work of checking every page via a browser plugin.

Davy Landman  2010-04-13 20:53:06
+1  A: 

For completeness, since Firefox was mentioned:

If you use Firefox with firebug installed, you see all of the assets downloaded on the Net panel. Hovering over each line gives you the full URL, so you can quickly scan for those http: lines.

grossvogel  2010-04-13 20:57:39

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?