  1. #1
    Join Date
    May 2002
    Posts
    55

    Insecure content on a secure page

    I've been setting up domain registration on my site and it's done through the registrar's secure pages (https). However, the header and footer I use to customize it to match my site pull images from my server (http), which does not have a secure area.

    The problem with this is that every time I pull up a page, I get a message saying "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" Of course, that's rather annoying and I can't put a customer or potential customer through having to click "Yes" or "No" with every page change.

    Do I need to obtain a certificate and create a secure area on my site, or is there another way I can make that message stop, not only for me but for anyone else trying to register a domain through my site? Any suggestions will be greatly appreciated.

  2. #2
    Join Date
    Dec 2001
    Location
    Melbourne, Australia.
    Posts
    208
    Creating a secure area on your server is probably the best solution, except you'll need to pay for your own certificate - if you don't have one already, which may not be something you want to do.

    Instead of using the 'reseller' header and footer, you may like to consider using frames. Put your pictures in separate frames to the secure 'reseller' pages. This has the disadvantage that the 'padlock' will not show in most browser windows.

    It may also be possible to host your pictures on someone else's secure server. Or redesign your site so those pictures are not used on your domain reselling pages.
    www.quost.com - Quost WebHosting
    www.mythellaneous.com - Mythellaneous - A shop selling a Collection of Mythical Creatures and Spooks.

  3. #3
    Using frames may not be a solution, as IE 6 has a security feature regarding secured pages inside frames and the cookies used to handle shopping cart state management.

    The simplest and most elegant solution is to get a cert for your own server (especially since they're cheap enough these days at less than $100).
    I thank my Lord for all His wonderful blessings.

  4. #4
    Join Date
    May 2002
    Posts
    55
    Thanks Wolfy... I thought about framing the registration content, but I'll also consider purchasing a certificate. I recall reading here, I think, about somewhere they're available for around $50. Although I'm generally opposed to using frames, maybe it's the best solution in this case. Good point about the padlock not showing, though.

    Edited to add (initially posted at the same time as hostpath's reply) -- looks like buying my own certificate will be the best solution. I'll probably end up needing it eventually anyway. I'd hoped not to have to get one so soon, but....

    I need to get my site finished soon! The logs indicate that it's already getting hits, and it's mighty short on content.

  5. #5
    Join Date
    Aug 2001
    Location
    United Kingdom
    Posts
    1,003
    As mentioned above, the only way is to host your images on a secure connection too (https). Rackshack.net have the cheapest SSL certs, at $49 (+ Tax)... which are also very good as we purchased one a while back and will be getting another one very soon.

    You could also try to see if someone who has https can give you some space on their server so you can store those images on it, allowing you to link to them in the header and footer.

    Alan
    Alan Ho
    Former Systems Administrator
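
Added example, not part of any post in this thread: a small Python check that lists the subresources in a header/footer template that would load over plain http when the page is served over https, which is what triggers the warning described in the first post. The registrar.example and www.example.com hostnames and the sample markup are constructed; CSS url() references are not examined.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource. <a href> is a link,
# not a fetch, so it never triggers the mixed-content prompt.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "input": ("src",), "object": ("data",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base_url = self.page_url = page_url
        self.findings = []  # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base_url = urljoin(self.page_url, a["href"])
            return
        names = list(FETCH_ATTRS.get(tag, ()))
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            names.append("href")
        for name in names:
            resolved = urljoin(self.base_url, (a.get(name) or "").strip())
            if a.get(name) and urlsplit(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, name, resolved))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample header template; hostnames are placeholders.
SAMPLE_HEADER = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
</head><body background="/images/bg.gif">
<img src="http://www.example.com/images/logo.gif" alt="logo">
<img src="https://secure.example.net/images/lock.gif" alt="secure">
<img src="//www.example.com/images/banner.gif" alt="banner">
<a href="http://www.example.com/">Home</a>
"""
if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HEADER, "https://registrar.example/register"):
        print("line %d: <%s %s> loads %s" % finding)
```

Relative and scheme-relative (`//host/...`) references inherit https from the page and are not reported; only references that resolve to http are.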

  6. #6
    Join Date
    Aug 2000
    Location
    Tacoma, Washington
    Posts
    9,576
    A secure cert is always worth the money, if for nothing else than times like these - for $50 you have that peace of mind of knowing if you need to set up a secure area of your site it's already at hand. Besides the dom reg, you could always use it for your contact page if you feel it's not getting enough use.

    Greg Moore
    Former Webhost... now, just a guy.

  7. #7
    For those advocating using someone else's certificate - this is a very common practice, and many small hosting providers allow sharing of their certificate on a generic domain. However, in doing so they are usually in breach of their contract with the SSL Server certificate provider.

    For example, Thawte specify that for an SSL Server Certificate
    4. Use Restrictions. You are prohibited from using your Certificate (i) for or on behalf of any other organization...
    http://www.thawte.com/repository/sslsgcagreement.doc

    As I said, most people ignore this, but it's worth being aware of.

  8. #8
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    You could try this little piece of code to kill the pop up box

    <script language="Javascript">
    onAlert=return true;
    </script>

    It should work for mismatch of urls, never tried it for insecure items though...
    See if that works....

  9. #9
    Join Date
    May 2002
    Posts
    55
    Using the script in the header didn't have an effect on the message popping up. It was worth a shot, though.

    What would be the benefit of using a secure area for the contact page? Does it somehow prevent email harvesting, or just provide added security if I'm using a contact form?

  10. #10
    Originally posted by ho247
    Rackshack.net have the cheapest SSL certs, at $49 (+ Tax)...
    InstantSSL certs are $49 too, and you can get one for actually $5 less if you become a referrer.
    I thank my Lord for all His wonderful blessings.
