canu
asked on
SSL 101
Hi,
I've added an SSL certificate to a couple of websites to make them secure but noticed that this didn't take place even though the URLs start with https etc.
These are old existing sites so I suspect that the reason might be to do with legacy image links i.e. http://www.site.com/image1jpg.
Does the same logic apply to hyperlinks to external websites?
For example, if a page is linked to http://www.externalsite.com/ instead of https://www.externalsite.com/ and all other image links etc. are https:, would the page be considered as not being totally secure?
Any and all help and tips would be much appreciated.
Thanks!
Your questions suggest you're new to TLS/SSL.
Best publish your actual URL where you're having challenges + likely someone can assist.
Certs must be integrated into your Webserver config + then your Webserver must do a cold/hard restart, to pull in the cert files + listen on port 443, if it wasn't before.
It seems it is back to basic hygiene. I suggest you check out the below. In short, once you get your SSL/TLS working, all content needs to be secured too. Use of HSTS is one area to look at too.
Rule - Do Not Provide Non-TLS Pages for Secure Content
Rule - Do Not Mix TLS and Non-TLS Content
Rule - Use HTTP Strict Transport Security
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Provide_Non-TLS_Pages_for_Secure_Content
ASKER
First of all, thanks a lot for your responses, they've definitely given me food for thought.
Kyle - Thanks for your answer.
Paul - I don't think that the connection is completely secure because when viewing the site using Chrome, the word Secure & closed padlock is not visible as with this forum's URL.
David - Absolutely right, I'm just trying to make sense of it all and thanks to you and others who took the time to answer my question, it's definitely clearer. An example of URL that I'm referring to is as follows: https://www.antiguanice.com/v2/index.php
btan - I'm sorry but as I'm a beginner with all this, I'll have to take time to digest the information that you sent me but thanks anyway.
Any other suggestions would be appreciated.
Thanks!
Sure. In short, it is good to enforce HTTPS consistently throughout the website. Therefore, we can look into HSTS.
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
HSTS automatically redirects HTTP requests to HTTPS for the target domain
ASKER
Thanks for your input, I think that I found the only element of the site which is obtaining content from a non secure website so that would explain why I'm receiving a warning and not receiving the full Secure accreditation.
btan - Sorry to ask this but where exactly do you add the HSTS?
I'm curious about what this means. What, specifically, makes you think the connection isn't secure?
FWIW, an SSL certificate makes the connection to the domain name secure, so all traffic to/from that domain should be secure - images included. Any files coming from a third party may require that third party to also use SSL for their site.
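The distinction asked about in this thread (http:// image or stylesheet URLs versus http:// hyperlinks to other sites), as an added example that is not part of any post: a Python scanner that reports only subresources fetched over http:// as mixed content and lists plain hyperlinks separately, since following a link is a navigation and does not affect the current page's padlock. The class and function names, the `.example` hosts and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL the browser fetches while rendering the page.
SUBRESOURCE_TAGS = {"img", "script", "iframe", "audio", "video",
                    "source", "embed", "object"}
# <link href> is only fetched for some rel values (not e.g. rel="canonical").
LOADING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []        # http:// subresources: mixed content
        self.plain_links = []  # http:// hyperlinks: navigation, not mixed content

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("src", "data", "href"):
            value = attrs.get(name)
            if not value:
                continue
            # urljoin resolves relative and protocol-relative (//host/path) URLs,
            # which inherit the https scheme of the page.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme != "http":
                continue
            rels = set((attrs.get("rel") or "").lower().split())
            if tag in SUBRESOURCE_TAGS and name in ("src", "data"):
                self.mixed.append((tag, url))
            elif tag == "link" and name == "href" and rels & LOADING_RELS:
                self.mixed.append((tag, url))
            elif tag == "a" and name == "href":
                self.plain_links.append(url)

def scan(page_url, html):
    """Return (mixed_subresources, insecure_hyperlinks) for one page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.mixed, scanner.plain_links

# Constructed sample page and URL (not taken from the site in the thread).
PAGE_URL = "https://www.site.example/v2/index.php"
SAMPLE_PAGE = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.site.example/">
<img src="http://www.site.example/image1.jpg">
<img src="//cdn.site.example/logo.png">
<a href="http://www.externalsite.example/">External site</a>
"""
```

Calling `scan(PAGE_URL, SAMPLE_PAGE)` returns the one http:// image as mixed content and the external http:// hyperlink in the separate list.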