canu

SSL 101

Hi,
I've added an SSL certificate to a couple of websites to make them secure but noticed that this didn't take place even though the URLs start with https etc.
These are old existing sites so I suspect that the reason might be to do with legacy image links i.e. http://www.site.com/image1.jpg.
Does the same logic apply to hyperlinks to external websites?
For example, if a page is linked to http://www.externalsite.com/ instead of https://www.externalsite.com/ and all other image links etc. are https:, would the page be considered as not being totally secure?

Any and all help and tips would be much appreciated.

Thanks!
SOLUTION
Kyle Abrahams, PMP
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
"...but noticed that this didn't take place even though the URLs start with https..."
I'm curious about what this means.  What, specifically, makes you think the connection isn't secure?

FWIW, an SSL certificate makes the connection to the domain name secure, so all traffic to/from that domain should be secure - images included.  Any files coming from a third party may require that third party to also use SSL for their site.

Your questions suggest you're new to TLS/SSL.

Best publish your actual URL where you're having challenges + likely someone can assist.

Certs must be integrated into your Webserver config + then your Webserver must do a cold/hard restart, to pull in the cert files + listen on port 443, if it wasn't before.
btan

It seems it is back to basic hygiene. I do suggest you check out the below. In short, once you get your SSL/TLS working, all content needs to be secured too. Use of HSTS is one area to look at too.

Rule - Do Not Provide Non-TLS Pages for Secure Content
Rule - Do Not Mix TLS and Non-TLS Content
Rule - Use HTTP Strict Transport Security

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Provide_Non-TLS_Pages_for_Secure_Content
canu

ASKER

First of all, thanks a lot for your responses, they've definitely given me food for thought.
Kyle - Thanks for your answer.
Paul - I don't think that the connection is completely secure because when viewing the site using Chrome, the word Secure & closed padlock is not visible as with this forum's URL.
David - Absolutely right, I'm just trying to make sense of it all and thanks to you and others who took the time to answer my question, it's definitely clearer. An example of a URL that I'm referring to is as follows: https://www.antiguanice.com/v2/index.php
btan - I'm sorry but as I'm a beginner with all this, I'll have to take time to digest the information that you sent me but thanks anyway.

Any other suggestions would be appreciated.

Thanks!

Sure. In short, it is good to enforce HTTPS consistently throughout the website. Therefore, we can look into HSTS.

Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
HSTS automatically redirects HTTP requests to HTTPS for the target domain
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
canu

ASKER

Thanks for your input, I think that I found the only element of the site which is obtaining content from a non secure website so that would explain why I'm receiving a warning and not receiving the full Secure accreditation.

btan - Sorry to ask this but where exactly do you add the HSTS?
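
The distinction the original question asks about, as an added example that is not part of the thread: on an https:// page, http:// URLs that the browser fetches while rendering (images, scripts, stylesheets, frames) are mixed content and cost the padlock, while an http:// hyperlink to another site is only requested when clicked. The scanner, its tag lists and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes whose URL the browser fetches while rendering the page.
SUBRESOURCE_ATTRS = {"img": ("src",), "script": ("src",), "iframe": ("src",),
                     "audio": ("src",), "video": ("src", "poster"),
                     "source": ("src",), "embed": ("src",), "object": ("data",)}
# <link> fetches its href only for these rel values (rel="canonical" does not).
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}

def is_http(url):
    return url.strip().lower().startswith("http://")

class MixedContentScanner(HTMLParser):
    """Separate http:// subresources (mixed content) from http:// hyperlinks."""
    def __init__(self):
        super().__init__()
        self.mixed = []      # fetched over plain HTTP as part of the page
        self.nav_links = []  # only requested if the visitor clicks them

    def handle_starttag(self, tag, attrs):
        a = {name: value or "" for name, value in attrs}
        if tag in ("a", "area"):
            if is_http(a.get("href", "")):
                self.nav_links.append((tag, a["href"]))
        elif tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if rels & LOADING_RELS and is_http(a.get("href", "")):
                self.mixed.append((tag, a["href"]))
        else:
            for attr in SUBRESOURCE_ATTRS.get(tag, ()):
                if is_http(a.get(attr, "")):
                    self.mixed.append((tag, a[attr]))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.mixed, scanner.nav_links

# Constructed sample page using the placeholder hosts from the question.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://www.site.com/style.css">
<link rel="canonical" href="http://www.site.com/"></head><body>
<img src="http://www.site.com/image1.jpg">
<img src="/images/logo.png">
<a href="http://www.externalsite.com/">External site</a>
</body></html>"""
if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

This only inspects HTML attributes; URLs pulled in from CSS `url()` values or built by scripts at run time show up in the browser's developer console instead.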