We are thinking to SSL enabled part of our website, but some page contains ads from third party vendor (like Google AdSense). I'd think this will create a annoying problem for our users since they are going to see warning message like "This page contains both secure and non secure items" when they view a page with ads. However, when I browse to Gmail with https instead of http, I don't see that warning in firefox. Does anyone know how Gmail hide this?
Google's documentation indicates this is a known issue and does not offer a workaround: https://www.google.com/adsense/support/bin/answer.py?answer=10528
some page contains ads from third party vendor (like Google AdSense)
Then the browser is right — that isn't secure.
With AdSense and most other ad networks you are given a link to JavaScript. When you refer to any external <script>, you are giving complete trust over the contents of your page to the external script provider. You need to trust them to do only what they say they're going to do (show an ad), and not something nefarious like take over the login form from the page it's on and steal values you type into it, or, if the “ad” script were included on your bank account page, automatically empty out all your money.
So external scripts are a trust problem, but if you are using a vendor that provides an HTTPS interface to their ads, then at least it's only one known party you have to trust. If the ad provider only has an HTTP interface, then you're sending out your trust to anyone who can grab control with a man-in-the-middle or similar attack. You are effectively reducing the trust level of your entire page to that of plain unencrypted HTTP, so the browser is quite correct to complain that the page isn't actually any more secure than any old HTTP site.
Since this is the answer for Analytic you can use this to not show ads on your secure pages
if ("http:" == document.location.protocol) { /*show your adds here*/ }
I got this idea from how I do analytics on my sites
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
I admit this means you can't show ads on your secure pages, but you probably don't want Google reading your secure pages contents and showing ads anyways. (That is a cop out and making excuses for Google, but as mentioned, they just don't support it)
To answer your GMail question... (using Firebug here, so I could be interpreting this wrong)
- I login to gmail with the always secure connection. No ads.
- I turn on the console to see what connections gmail makes.
- I clear the console
- I click a message that has ads shown to the right.
Gmail only made two calls. First a get to https://mail.google.com that I am guessing is my email. The second was a POST to https://mail.google.com/mail/channel/
I am guessing (everybody else correct me) Gmail requests a post from a proxy that serves the ads.
GMail sends content to proxy, proxy gets ads, proxy sends content back to Gmail. All securly.
TOTAL GUESS THERE
Thanks for the downvote but no explanation about what wasn't helpful
"Does anyone know how Gmail hide this?"
Short answer: they use https to fetch the ads. Looking through the Net tab in Firebug for GMail's page load I see the ads that are on the page in a request with the URL https://mail.google.com/mail/?ui=2&ik=bbff8a9f5c&view=ad&ak=is00jux7yq7kgk730lqdkxklz03d9d8
so it looks like they do have a way to serve ads over https but only for their own sites.
if you are trying to include non-secure content and have control over what is displayed, you could write a handler that takes a url as a parameter.
As the handler is hosted in SSL it can fetch the html, and stream it out back to the browser through SSL. in effect its acting as a small proxy for you.
I've done this for a number of projects in the past to get to files from within a network without exposing the actual network itself.
using the information here: http://www.csharp-station.com/HowTo/HttpWebFetch.aspx you could easily adapt it to take a parameter (the actual url you want to fetch)...
so in your rendered page you would call https://my.domain.com/pages/HttpWebFetch.aspx?url=http://ads.google.com/ the HttpWebFetch.aspx would then retrieve and relay the page content over https thereby removing the secure/insecure warnings.
Another approach is to use a protocol relative url. Basically it is a url without the protocol. With this approach the external file can be served under both a secure and nonsecure url without any warnings. Here is a link to a good blog post about this method.
Hope this helps.