secure/non-secure msg when viewing webpage


Post by Ton » Sat, 07 Jul 2001 01:34:16



I have clients who, when viewing certain pages in a secure site, get
the "secure/non-secure" dialog box.  A single "page" is actually a
frameset of 2-3 pages.  Being new to server security (SSL,
specifically), can someone tell me what, if not exactly then
generally, causes this dialog box to appear.  
To make the problem even more complicated, when the client either
chooses "yes" or "no", they are kicked out.  When they log back in,
they are brought to the page they would have gone to if they hadn't
been kicked out in the first place.  Weird.
Anyway, if you can point me to some info (web, book, etc...) regarding
this issue (getting the secure/non-secure box) I would very much
appreciate it.

Thanks,
Tony

 
 
 


Post by Rich Tee » Sat, 07 Jul 2001 01:38:26



> I have clients who, when viewing certain pages in a secure site, get
> the "secure/non-secure" dialog box.  A single "page" is actually a
> frameset of 2-3 pages.  Being new to server security (SSL,
> specifically), can someone tell me what, if not exactly then
> generally, causes this dialog box to appear.
> To make the problem even more complicated, when the client either
> chooses "yes" or "no", they are kicked out.  When they log back in,
> they are brought to the page they would have gone to if they hadn't
> been kicked out in the first place.  Weird.
> Anyway, if you can point me to some info (web, book, etc...) regarding
> this issue (getting the secure/non-secure box) I would very much
> appreciate it.

Mixing secure and non-secure stuff on a page tends to be a no-no.
If you need a secure page, then everything on that page should be
reachable using https to avoid those messages.

--
Rich Teer

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net
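
Added example, not part of the original posts: a Python check for the rule in the reply above, walking an https frameset and reporting every automatically loaded reference that resolves to plain http. The host names, page contents and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs a browser fetches on its own while rendering a page.
# Plain <a href> links are navigation, not page content, so they are skipped.
AUTO_LOADED = {
    ("frame", "src"), ("iframe", "src"), ("img", "src"), ("script", "src"),
    ("link", "href"), ("embed", "src"), ("object", "data"),
    ("input", "src"), ("body", "background"),
}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.found = []          # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "base" and name == "href":
                self.base = urljoin(self.base, value)   # <base> changes resolution
            elif (tag, name) in AUTO_LOADED:
                self.found.append((tag, urljoin(self.base, value)))

def insecure_references(start_url, pages):
    """Return [(page, tag, url)] for http references; pages maps URL -> HTML."""
    hits, seen, queue = [], set(), [start_url]
    while queue:
        page = queue.pop(0)
        if page in seen or page not in pages:
            continue
        seen.add(page)
        parser = _Collector(page)
        parser.feed(pages[page])
        for tag, url in parser.found:
            if urlsplit(url).scheme == "http":
                hits.append((page, tag, url))
            elif tag in ("frame", "iframe"):
                queue.append(url)        # check each frame's own document too
    return hits

# Constructed sample: an https frameset whose menu frame pulls one image over http.
B = "https://shop.example/app/"
SAMPLE = {
    B + "index.html": '<frameset cols="20%,80%"><frame src="menu.html"><frame src="/app/main.html"></frameset>',
    B + "menu.html": '<body><img src="http://shop.example/img/logo.gif"><a href="http://other.example/">x</a></body>',
    B + "main.html": '<body background="/img/bg.gif"><script src="//cdn.example/a.js"></script></body>',
}
```

Calling `insecure_references(B + "index.html", SAMPLE)` reports only the logo image in the menu frame; relative and protocol-relative references inherit https from the page that contains them.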

 
 
 


Post by Christoph Voge » Sat, 07 Jul 2001 02:15:51



> I have clients who, when viewing certain pages in a secure site, get
> the "secure/non-secure" dialog box.  A single "page" is actually a
> frameset of 2-3 pages.
> To make the problem even more complicated, when the client either
> chooses "yes" or "no", they are kicked out.  When they log back in,
> they are brought to the page they would have gone to if they hadn't
> been kicked out in the first place.  Weird.

Assuming you're talking about Apache/mod-ssl and didn't mix secure and
non-secure content, I saw such behaviour in conjunction with Internet
Explorer. Obey the instructions in the mod_ssl FAQ at

http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie

to avoid it.

Regards,

Christoph.

 
 
 


Post by Ton » Sat, 07 Jul 2001 04:00:15





>> I have clients who, when viewing certain pages in a secure site, get
>> the "secure/non-secure" dialog box.  A single "page" is actually a
>> frameset of 2-3 pages.
>> To make the problem even more complicated, when the client either
>> chooses "yes" or "no", they are kicked out.  When they log back in,
>> they are brought to the page they would have gone to if they hadn't
>> been kicked out in the first place.  Weird.

>Assuming you're talking about Apache/mod-ssl and didn't mix secure and
>non-secure content, I saw such behaviour in conjunction with Internet
>Explorer. Obey the instructions in the mod_ssl FAQ at

>http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie

>to avoid it.

>Regards,

>Christoph.

I'm sorry I didn't mention it earlier, but we are using iPlanet 4.1
with SSL (also, the "mix" is all secure).  However, you have
introduced a line of thinking that I haven't pursued yet.  Thank you.
After some additional testing, we find that if we go to a secure page,
wait about 30 seconds, then click on any link we get the
secure/non-secure dialog box.

Thanks again,
Tony

 
 
 


Post by Christoph Voge » Sat, 07 Jul 2001 04:29:07



> I'm sorry I didn't mention it earlier, but we are using iPlanet 4.1
> with SSL (also, the "mix" is all secure).  However, you have
> introduced a line of thinking that I haven't pursued yet.  Thank you.
> After some additional testing, we find that if we go to a secure page,
> wait about 30 seconds, then click on any link we get the
> secure/non-secure dialog box.

I'm not familiar with iPlanet, but I think there must be a similar
situation. Do you encounter the problems only with certain clients? I once
saw something like this with IE sending keep-alives to our ssl-enabled
Apache.

Regards,

Christoph.

 
 
 


Post by Ton » Sun, 08 Jul 2001 03:42:09





>> I'm sorry I didn't mention it earlier, but we are using iPlanet 4.1
>> with SSL (also, the "mix" is all secure).  However, you have
>> introduced a line of thinking that I haven't pursued yet.  Thank you.
>> After some additional testing, we find that if we go to a secure page,
>> wait about 30 seconds, then click on any link we get the
>> secure/non-secure dialog box.

>I'm not familiar with iPlanet, but I think there must be a similar
>situation. Do you encounter the problems only with certain clients? I once
>saw something like this with IE sending keep-alives to our ssl-enabled
>Apache.

>Regards,

>Christoph.

Not all of our clients/customers experience this problem.  Due to the
code used, our clients have to use, at the very least, IE 5.0.
With the IE sending keep-alives situation, what, if anything, did you
do?  Did you just notice it or did you go further and try to stop it?
If you did stop it, what did you do?

-Tony

 
 
 


Post by Christoph Voge » Sun, 08 Jul 2001 04:01:29



> With the IE sending keep-alives situation, what, if anything, did you
> do?  Did you just notice it or did you go further and try to stop it?
> If you did stop it, what did you do?

On Apache/mod-ssl you can set an environment variable based on the
User-Agent string and force Apache to not use keep-alives over ssl. And that
works great (although there is theoretically a slight decrease in
performance, though).

Regards,

Christoph.

 
 
 
