Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1811
  • Last Modified:

This page contains both secure and non secure items.

Hi,

My application uses SSL on IIS6. Up on visiting some pages, IE 6 shows:
This page contains both secure and non secure items.
Do you want to display non-secure items?

Regardless I answer no (or yes), everything works fine.

We don’t like our users see that message because it makes them nervous without any good reason.


How can I track why the browser shows that false security alert?

Thanks,
Manesh
0
Manesh_n
Asked:
Manesh_n
  • 3
  • 2
  • 2
  • +5
4 Solutions
 
ahoffmannCommented:
> We don’t like our users see that message because it makes them nervous without any good reason.
deliver all and every content of that page with SSL

Even if it is technically correct and secure to use mixed pages, it confuses most users and they have no chance to see what is protected by SSL and what is clear text by http. That's why the browser complains.
0
 
SaineolaiCommented:
Is it possible that the page is pulling some content from a http url rather than a https URL?  Perhaps some additional embedded content.  Verify that all the components of the page come from a https url.
0
 
jhanceCommented:
The BEST way to ensure this in my view is to make sure you DO NOT use any http://www.domain.com/xxxx on the page.  Make sure ALL objects are included using RELATIVE references to your site.  That way all items will be reference using the "parent" URL which will be http or https.

This warning happens most often because an image or some other object was included using a full URL rather than a relative one.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
rairdonmCommented:
Basically, all you need to do is view the page source or source code.  search for anything that contains "http" vs "https".  Any image, url or other links that go to a "http" are unsecure and are being displayed with your secure page.

If you click no, ONLY the secure information will be rendered.  You may find broken image links or missing text.

If you click Yes, BOTH the secure and non secure information is rendered.

Bottom line, in order to fix this, you have to make sure all href, img src, etc are going to the same https on the web document.

0
 
FermionCommented:
Open IE
Click TOOLS/INTERNET OPTIONS/ADVANCED tab

Scroll down to SECURITY(should be all the way down)
Uncheck "warn if changing between secure and not secure mode"

Close IE
Restart IE

Your done.
0
 
FermionCommented:
Note: you may also need to uncheck the next item:
"warn if forms submittal is being redirected"
0
 
FermionCommented:
Oh, be sure to click APPLY and then OK on those above steps before exiting and restarting IE.
0
 
floorman67Commented:
since your application requires internet explorer, it will use the client settings for the user/machine.

you can not alter this unless you make the changes in the users/machines internet explorer.

if you ahve full control over all the users/machines at your place of business, then by all means, do as the previous responder suggested and change all IE settings for notification warnings.

if not, then you can not ethically suspend notifications of another users machine without globally affecting their browsing enviroment and privacy, unless you place a warning for it or popup otion to ahve them do this in your application.

so dont jsut program your application to make these changes in the users machine without them knowing.
0
 
rairdonmCommented:
Ok...you've changed the browser...but not the code (which IS the problem).

and made it less secure:
Scroll down to SECURITY(should be all the way down)
Uncheck "warn if changing between secure and not secure mode"

Note: you may also need to uncheck the next item:
"warn if forms submittal is being redirected"

PLEASE TRY TO FIX THE CODE FIRST.

If you have no control over the developed web pages, making IE less secure (or annoying) isn't the solution.  And it's only temporary until the same user logs onto a different computer or different username, or the next update to windows or IE reset, etc...you'll revisit this OVER AND OVER.  It would be better to explain what's happening ONCE to whoever knocks on your door than reconfiguring IE.

One good point made by floorman is an ethical issue regarding browser environment and privacy.  Is the lesser of evils making the pop-ups go away by rendering the browser less secure and private?  What if your end users to online banking?  What if your browser is redirected to malicious code?  There would be no warnings for them to intervene.

Here's what the "more info" produces when a security information dialog like yours pops up.

"Downloading non-secure content from a secure Web site

The Web site you are viewing is a secure site. It uses a security protocol such as SSL (Secure Sockets Layer) or PCT (Private Communications Technology) to secure the information you send and receive.
When sites use a security protocol, information that you provide, such as your name or credit-card number, is encrypted so that other people can’t read it. However, this Web page also contains items that do not use this secure protocol.
Given what you know about this Web site and your computer, you must decide whether to continue working with this site.

If you do not feel confident about working with this site, click No. "
0
 
adamtodd16Commented:
This issue has nothing to do with the browser that the user is accessing your site with. Go through your code and remove any http://www.sitename.com - everything should be completely relative; not hard-coded. This includes urls, images, etc.

Example:
<a href="http://www.sitename.com/news/index.html">
Should be:
<a href="news/index.html> or something along those lines.

Feel free to post the code or send it over and I will gladly take a look for you.
0
 
Manesh_nAuthor Commented:
Hi
I am using IFRAME in one of the pages. How can I use IFRAME for HTTPS

Manesh
0
 
ahoffmannCommented:
<iframe src=https://..... >
<iframe src=//..... >

the latter one automatically inherits the schema from the page
0

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 3
  • 2
  • 2
  • +5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now