ssl issue with google chrome and css on aceshop/joomla - google-chrome

I have a joomla installation which I have installed aceshop onto. I have also setup an SSL for the checkout page as that is the only area I want or need to have secured for ssl.
The problem im getting is with Google Chrome. Because the checkout page is in SSL, and the css/js references aren't, Chrome is blocking the css. You have to override the security setting for the page to display it properly.
Anyone know how to fix this problem? I DON'T want the rest of the site under sll, just the checkout page.
Thanks!

You need to serve your CSS/JS over SSL as well. If you don't, it doesn't matter that you have served the page over SSL. In that case, a man-in-the-middle attacker can add arbitrary JavaScript, which will execute in the context of the checkout page, where it can steal all the information that the user types (name, address, cc, whatever).
If you want your site to be secure, you need to fix all the mixed mode content problems, otherwise it is equivalent to having no security at all.

Related

style not working when browsing though domain

When i brows website using its ip address the style loading fine. But when i try to do it using domain name then style not working. The interesting thing is that i have checked both output html, css source for code and they are 100% same. Then why browser not showing style in domain mode?
direct ip browse- view-source:http://22.199.66.33/
domain browse- view-source:https://www.ogibogi.com/
here i checked both source output code- https://www.diffchecker.com/diff
Any idea how to fix it?
Note: i am using cloudflare with domain.
Note: that this is happening after changing hosting server.
Check the output in your browser's console. There's mixed content error.
Refer to Cloudflare KB on how to troubleshoot mixed content error.
An easy fix is to enable "Always Use HTTPS" and "Automatic HTTPS Rewrite".
The answer from Faiz is correct. Go to the crypto tab and set Automatic HTTPS rewrites to on. But, that will not affect stylesheets or javascript files. And, you have two missing scripts and one missing css file.
To correct those, you'll need to use a relative reference. If you're calling an asset with a full URL, like <img src="http://example.com/image.jpg" />, you would want to change this to <img src="//example.com/image.jpg" />. By removing the http:, the browser will use whichever protocol the visitor is already using. And, on the crypto tab, if you set Always use https to on, that protocol will be https.

Is there a way to block all cookies in html header

I'm using a online web builder to create my website. Once the site is published, it automatically sets their (web builders) third party cookies (google analytics, etc). There is no way to disable it in the platform.
However, under the new EU law, you are not supposed to download any cookies to the users computer, without their prior consent.
I can modify the header html code. Is there a way to generically block all cookies in the html header of my webiste?
Is there a way to generically block all cookies in the html header of my webiste?
No.
If you think your hosting service is exposing you to legal problems, then don't try to hack around them, either talk to them so they fix the problem or find a new host.

Display non ssl url images on ssl site

I am trying to display images from a non-ssl url source on my ssl site through relative linking, making sure the padlock shows up green and does not message mixed content. Though I understand this might not be the best way going forward I have 2 questions:
1) I have 2 sources:
http://bc01.rp-online.de/polopoly_fs/benito-raman-fortuna-duesseldorf-2017-1.7053738.1516622253!httpImage/1633501625.jpg_gen/derivatives/d950x950/1633501625.jpg
and
http://bilder.bild.de/fotos-skaliert/prinzessin-eugenie-ist-verlobt-200668711-54556312/3,w=120,c=0.bild.jpg
If I convert the first source to:
//bc01.rp-online.de/polopoly_fs/benito-raman-fortuna-duesseldorf-2017-1.7053738.1516622253!httpImage/1633501625.jpg_gen/derivatives/d950x950/1633501625.jpg
it will not be displayed in Chrome.
If I convert the second source to:
//bilder.bild.de/fotos-skaliert/prinzessin-eugenie-ist-verlobt-200668711-54556312/3,w=120,c=0.bild.jpg
it will be displayed in Chrome and padlock shows green.
Can someone explain me the difference?
2) Is there a better way to show images from non-SSL URL's external sources in a SSL site making sure the padlock is green.
Any help would be highly appreciated.
Funny you should post this. I had a really odd behaviour for something similar to this today and you have no choice but to use //example.com/...... and this is just a (Google) Chrome thing.
The difference here is that in using //, it will automatically resolve to the respective protocol; which you should use and this for JS scripts, images, forms etc.
NOTE: If there is any mix of http/https anywhere in your code, then that too will cause havoc and will throw a message in any browser about mixed content.
If your urls starts with "//" it means that the browser should use the protocol of the parent webpage. In your case it's https.
So your two links becames:
https://bc01.rp-online.de/polopoly_fs/benito-raman-fortuna-duesseldorf-2017-1.7053738.1516622253!httpImage/1633501625.jpg_gen/derivatives/d950x950/1633501625.jpg
But bc01.rp-online.de doesn't have a valid https certificate.
and
https://bilder.bild.de/fotos-skaliert/prinzessin-eugenie-ist-verlobt-200668711-54556312/3,w=120,c=0.bild.jpg
which works perfectly.
If you include http images in your https website, chrome doesn't show the "secure" green padlock because your website is not fully secure: some items may be intercepted/modified by a third party.
To have the green padlock you should only use secure (https) images/resources. If these images are not available with https (or if their https links are broken or redirect to http) then you need to find another solution, such as hosting yourself the images.

I have an SSL but the pages are not showing lock signs which I need for my order page

I have an old site I am just about well enough (broken arm + cancer) to start working on again and I have already moved it to another server OVH and added an SSL/TLS certificate to it.
However in Chrome when I visit any page on the site, especially https://www.strictly-software.com/plugins/order.asp it shows either (don't know why refreshes would change it but they do sometimes) the insecure sign with the red line through the https:// part of the URL in the address bar or an information circle.
In Firefox however I get a secure lock sign. It maybe some add-on I have used like a popup blocker or something but I am at a loss to find out what is causing these insecure signs to appear when I need locks, especially on the order page
This morning I spent hours going through loads of JavaScript and CSS (background:http://blah.jpg) etc and changing it so it is local and cannot be changed remotely as well as making any http references into src="//" or href="//" etc.
I thought it must be one of the images on the "add this" pop up but cannot see anything in their code. Then I thought the Twitter scroller might be showing images from http destinations but Twitter wraps them all in their own URL format.
Does anyone know from looking at the generated source code what is making the page insecure?
Surely there should be a list somewhere in the browser that shows what content isn't secure and offers you to load or not load it? I know the information icon lets you load or not lot Flash, images or JavaScript but do you know of how I can find out what content isn't secure on these pages without asking visitors?
Thanks in advance.

google chrome https error

my site getting the problem while typing https:www.mysite.com/
showing red cross mark in the url head and i didnt find the problem .can any one help .
in chrome help they given
"Your connection to the site is encrypted, but Google Chrome has detected mixed scripting on the page. Be careful if you’re entering personal information on this page. Mixed scripting can provide a loophole for someone to take over the page. This content could be third-party scripts or videos embedded on the page.
If you’re connected to the Internet via a public wireless network, mixed scripting is especially risky because wireless networks are easier to tamper with than wired networks."
please help me
This error generally means that the site itself is being loaded over HTTPS, but that it's loading resources (scripts, style, images, etc) via HTTP. This is usually the result of hard-coding absolute URLs like:
<script src="http://mysite.com/path/to/resource.js"></script>
Changing references like that use HTTPS:
<script src="https://mysite.com/path/to/resource.js"></script>
----^----
should solve the problem.