|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Is there a way to avoid/security alert box from redirecting to HTTP to HTTPS?I saw some questions and answers which says we cannot supress the
security alert box when redirecting from HTTP to HTTPS? But i saw many sites are easily redirecting from HTTP to HTTPS without security alert box.. How can i code such that i should not get alert box from HTTP to HTTPS? please help me.. The logic to display the security alert box is controlled by the client.
Outside of IIS and server-side control, so there is nothing you can do. The sites that redirect from HTTP to HTTPS transparently are either doing the transition without the browser knowing, or the user configured the browser to not warn. -- Show quoteHide quote//David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "Jayanthv" <jayanth.vishnuvard***@gmail.com> wrote in message news:1151531125.191719.67700@b68g2000cwa.googlegroups.com... >I saw some questions and answers which says we cannot supress the > security alert box when redirecting from HTTP to HTTPS? > > But i saw many sites are easily redirecting from HTTP to HTTPS without > security alert box.. > > How can i code such that i should not get alert box from HTTP to HTTPS? > > > please help me.. > A lot of sites use javascript, with a location.replace() call (IIRC)
Just look in the HTML source of whatever website(s) you know that don't result in a prompt. Cheers Ken Show quoteHide quote "David Wang [Msft]" <some***@online.microsoft.com> wrote in message news:OAAWamwmGHA.2160@TK2MSFTNGP04.phx.gbl... > The logic to display the security alert box is controlled by the client. > Outside of IIS and server-side control, so there is nothing you can do. > > The sites that redirect from HTTP to HTTPS transparently are either doing > the transition without the browser knowing, or the user configured the > browser to not warn. > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no > rights. > // > > "Jayanthv" <jayanth.vishnuvard***@gmail.com> wrote in message > news:1151531125.191719.67700@b68g2000cwa.googlegroups.com... >>I saw some questions and answers which says we cannot supress the >> security alert box when redirecting from HTTP to HTTPS? >> >> But i saw many sites are easily redirecting from HTTP to HTTPS without >> security alert box.. >> >> How can i code such that i should not get alert box from HTTP to HTTPS? >> >> >> please help me.. >> > > More often it is transition the other way that causes a warning,
from HTTPS to HTTP. Thankfully this is a client warning under client control -- Show quoteHide quoteRoger Abell Microsoft MVP (Windows Server : Security) "Jayanthv" <jayanth.vishnuvard***@gmail.com> wrote in message news:1151531125.191719.67700@b68g2000cwa.googlegroups.com... >I saw some questions and answers which says we cannot supress the > security alert box when redirecting from HTTP to HTTPS? > > But i saw many sites are easily redirecting from HTTP to HTTPS without > security alert box.. > > How can i code such that i should not get alert box from HTTP to HTTPS? > > > please help me.. > Jayanthv wrote on 28 Jun 2006 14:45:25 -0700:
> I saw some questions and answers which says we cannot supress the As Roger pointed out, the warning is normally when you redirect from HTTPS > security alert box when redirecting from HTTP to HTTPS? > > But i saw many sites are easily redirecting from HTTP to HTTPS without > security alert box.. > > How can i code such that i should not get alert box from HTTP to HTTPS? > > please help me.. to HTTP. What is the exact text of the warning message? Have you checked the pages visible in the HTTPS connection to make sure none of them have full references to images/javascript files/etc including HTTP:// ? That's normally the mistake made - when viewing a page over HTTPS with images being pulled from HTTP there will be a client warning, as not all the elements of the page are encrypted. Dan Hi,
I'm still unable to supress the security alert box.. please help me..? Im' getting the below security alert box message "Information you exchange with this site cannot be viewed or changed by others. However there is a problem with the site's security certificate.. Then 1).... 2).... 3)... Do you want to proceed? YES, NO, CANCEL? I'm getting same message box even though i changed by Internet explorer->Tools->Internet options->advanced->checked all the 3 security check boxes under the security tab. Pleae advice and if possible some code to avoid this security box? Thanks in advance.. Daniel Crichton wrote: Show quoteHide quote > Jayanthv wrote on 28 Jun 2006 14:45:25 -0700: > > > I saw some questions and answers which says we cannot supress the > > security alert box when redirecting from HTTP to HTTPS? > > > > But i saw many sites are easily redirecting from HTTP to HTTPS without > > security alert box.. > > > > How can i code such that i should not get alert box from HTTP to HTTPS? > > > > please help me.. > > As Roger pointed out, the warning is normally when you redirect from HTTPS > to HTTP. > > What is the exact text of the warning message? Have you checked the pages > visible in the HTTPS connection to make sure none of them have full > references to images/javascript files/etc including HTTP:// ? That's > normally the mistake made - when viewing a page over HTTPS with images being > pulled from HTTP there will be a client warning, as not all the elements of > the page are encrypted. > > Dan Jayanthv wrote on 3 Jul 2006 11:01:58 -0700:
Show quoteHide quote > Hi, Please include the text from points 1, 2, and 3 - they're the important > > I'm still unable to supress the security alert box.. please help me..? > Im' getting the below security alert box message > > "Information you exchange with this site cannot be viewed or changed by > others. However there is a problem with the site's security > certificate.. > > Then > > 1).... > > 2).... > > 3)... > > Do you want to proceed? > > YES, NO, CANCEL? > > I'm getting same message box even though i changed by Internet > explorer->Tools->Internet options->advanced->checked all the 3 security > check boxes under the security tab. > > Pleae advice and if possible some code to avoid this security box? bits! Does your certificate hostname (CN) match the site hostname? Is the Certificate Authority (CA) in your IE trusted roots list? Dan Daniel Crichton wrote:
Show quoteHide quote > Jayanthv wrote on 3 Jul 2006 11:01:58 -0700: Hi,> > > Hi, > > > > I'm still unable to supress the security alert box.. please help me..? > > Im' getting the below security alert box message > > > > "Information you exchange with this site cannot be viewed or changed by > > others. However there is a problem with the site's security > > certificate.. > > > > Then > > > > 1).... > > > > 2).... > > > > 3)... > > > > Do you want to proceed? > > > > YES, NO, CANCEL? > > > > I'm getting same message box even though i changed by Internet > > explorer->Tools->Internet options->advanced->checked all the 3 security > > check boxes under the security tab. > > > > Pleae advice and if possible some code to avoid this security box? > > Please include the text from points 1, 2, and 3 - they're the important > bits! Does your certificate hostname (CN) match the site hostname? Is the > Certificate Authority (CA) in your IE trusted roots list? > > Dan The following are the three points that are displayed in security alert box 1) The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. 2)The Security certificate date is valid. 3) The name of the security certificate is invalid or does not match the name of the site. Do you want to proceed ? YES NO CANCEL.. This is popup message i'm getting when redirecting from HTTP to HTTPS? Can you please help me.? Jayanthv wrote on 6 Jul 2006 09:41:56 -0700:
Show quoteHide quote > Daniel Crichton wrote: OK, so you're using a certificate that isn't from one of the Trusted Roots >> Jayanthv wrote on 3 Jul 2006 11:01:58 -0700: >> >>> Hi, >>> >>> I'm still unable to supress the security alert box.. please help me..? >>> Im' getting the below security alert box message >>> >>> "Information you exchange with this site cannot be viewed or changed by >>> others. However there is a problem with the site's security >>> certificate.. >>> >>> Then >>> >>> 1).... >>> >>> 2).... >>> >>> 3)... >>> >>> Do you want to proceed? >>> >>> YES, NO, CANCEL? >>> >>> I'm getting same message box even though i changed by Internet >>> explorer->Tools->Internet options->advanced->checked all the 3 security >>> check boxes under the security tab. >>> >>> Pleae advice and if possible some code to avoid this security box? >> >> Please include the text from points 1, 2, and 3 - they're the important >> bits! Does your certificate hostname (CN) match the site hostname? Is the >> Certificate Authority (CA) in your IE trusted roots list? >> >> Dan > > Hi, > > The following are the three points that are displayed in security alert > box > > 1) The security certificate was issued by a company you have not chosen > to trust. View the certificate to determine whether you want to trust > the certifying authority. > > 2)The Security certificate date is valid. > > 3) The name of the security certificate is invalid or does not match > the name of the site. > > Do you want to proceed ? > > YES NO CANCEL.. > > This is popup message i'm getting when redirecting from HTTP to HTTPS? > > Can you please help me.? in your browser (is this one you've made yourself using Certificate Server or SelfSSL?), and the CN in the certificate doesn't match the hostname in the URL. This is nothing to do with a warning about redirecting to an SSL site - this is warning you that the certificate is not from a trusted source and doesn't match the site. Dan To be clear, the issue is not how to "suppress the security alert box" but
rather "how do I do it correctly to avoid security vulnerability". There is a good reason that the client warns the user because the server is about to do something insecure. You should be thinking about how to do it correctly and securely, not how to suppress the warning. -- Show quoteHide quote//David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "Jayanthv" <jayanth.vishnuvard***@gmail.com> wrote in message news:1151949718.667054.280380@a14g2000cwb.googlegroups.com... > Hi, > > I'm still unable to supress the security alert box.. please help me..? > Im' getting the below security alert box message > > "Information you exchange with this site cannot be viewed or changed by > others. However there is a problem with the site's security > certificate.. > > Then > > 1).... > > 2).... > > 3)... > > Do you want to proceed? > > YES, NO, CANCEL? > > I'm getting same message box even though i changed by Internet > explorer->Tools->Internet options->advanced->checked all the 3 security > check boxes under the security tab. > > Pleae advice and if possible some code to avoid this security box? > > Thanks in advance.. > > > > > > Daniel Crichton wrote: >> Jayanthv wrote on 28 Jun 2006 14:45:25 -0700: >> >> > I saw some questions and answers which says we cannot supress the >> > security alert box when redirecting from HTTP to HTTPS? >> > >> > But i saw many sites are easily redirecting from HTTP to HTTPS without >> > security alert box.. >> > >> > How can i code such that i should not get alert box from HTTP to HTTPS? >> > >> > please help me.. >> >> As Roger pointed out, the warning is normally when you redirect from >> HTTPS >> to HTTP. >> >> What is the exact text of the warning message? Have you checked the pages >> visible in the HTTPS connection to make sure none of them have full >> references to images/javascript files/etc including HTTP:// ? That's >> normally the mistake made - when viewing a page over HTTPS with images >> being >> pulled from HTTP there will be a client warning, as not all the elements >> of >> the page are encrypted. >> >> Dan > 
Other interesting topics
Can Somone Tell Me If We Have a Hacker?
II6.0 ISAPI & MIME types security error in IIS logs (401.2 error) A little help (kerberos, netbios, and SPN... oh my!) login problem with iis and webdav. The IIS service does not seem to be serving up .asmx or .asp pages Keeping a particular intruder out New HTTPS web site and certificate installation file security/authentication IIS5: Renew certificate |
|||||||||||||||||||||||
