Connection is Not Secure – Secure Sockets Layer (SSL) error of a web browser

Connection is Not Secure

Parts of this page are not secure (such as images).

How to Resolve Unsecured Content Warnings on an SSL-Certified Website or Application

You’ve taken all the steps necessary to make sure your site is secure, and you want your customers to be confident that their personal information is kept confidential. Even though your site is protected by an SSL certificate, customers may still see a message that the page they’re viewing contains unsecured content if it includes images or other elements that are loaded over an unencrypted (http) connection.

When an SSL certificate is installed on your store, the browser loads your store’s secure pages (e.g. the checkout page) over an encrypted connection and expects every element on those pages to be loaded the same way. If any element cannot be loaded over the encrypted connection, customers will see an “unsecured content” message and, in some browsers, a broken padlock icon.

Though these messages do not indicate a failure of the SSL certificate, they can still alarm customers and drive your store’s conversions down. Below are the three most common issues that cause an “unsecured content” message, with tips on how to correct each.

When your store’s SSL certificate cannot protect every element on a page (for example: forms, text boxes, images, etc.), customers receive an “unsecured content” pop-up message.

To resolve the error, all you need to do is find the elements on the page that are loaded insecurely and make some minor modifications to how they are linked.

Images Hosted on Your Site Must Be Linked with an https Link or a Relative Link

Any time an HTML image link is created within a page using the full “absolute” http:// URL of the image file’s location, the resulting image will be loaded over plain http and will not be protected by the SSL certificate on the site.

For example, the following image link cannot be encrypted by an SSL certificate:

<img src="http://www.prakashbhandari.info.np/assets/photo1.jpg">

To correct this issue, simply remove your store’s domain from the image tag, creating a relative link:

<img src="/assets/photo1.jpg">

Images Linked from an External Site Must Use a Secure (https) Link

Note that the previous example only applies if the image file is being hosted within your store. If an image link refers to a file hosted on a web server outside your store (e.g. a Flickr account), you’ll need to modify the image link to use the secure “https” protocol.

In this case, the image link should look like this:

<img src="https://www.prakashbhandari.info.np/images/photo1.jpg">

Note that the third-party web hosting server in question must support the “https” protocol in order to successfully secure the image using your store’s SSL certificate in this manner.

Javascript Files Hosted Externally

As with image links, any unsecured reference to an external file such as a stand-alone JavaScript file (.js) will also produce the “unsecured content” pop-up. You can resolve the issue by removing your store’s protocol and domain name from the HTML that references the JavaScript file.

If the JavaScript file is linked from an external source, the secure protocol (https) must be used when linking to the script file, and the server it is hosted on must support https.

You may encounter this issue if you’re attempting to integrate Google Analytics with your storefront. Due to the possible error, we recommend that you use the alternative Google Analytics code provided in “Setting Up Google Analytics”.

Third-Party Tools for Finding Unsecured Content

There are some third-party tools such as WhyNoPadLock.com which can help you find non-secure content on your store’s secure pages. You can visit sites like these and enter your store’s secure URL (https://www.yourvolusionstore.com) to get a report on unsecured content.

Note that Volusion does not endorse any specific third-party software or tool. We encourage you to do your own research on the effectiveness and reputation of any third-party service or tool you choose to use.

Following the above steps will not guarantee a fully secure site, as these are simply a recommended set of preliminary troubleshooting steps to resolve unsecured content issues.

In this example the error message appears because the image link uses only the http: protocol; we should change it to the https protocol for a secure connection.
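As an added example (not from the original page), the following PHP script applies the two rules above to a page automatically: it finds http:// references in img, script and iframe elements, proposes a relative link for files hosted on the site itself and an https link for external files. The site host name and the sample page are constructed for the demonstration.

```php
<?php
// Added example, not part of the original page: scan an HTML document for
// references that a browser would flag as unsecured ("mixed") content and
// propose the fix the text describes. $siteHost is an assumed value.
function findMixedContent(string $html, string $siteHost): array
{
    // Elements whose http:// references trigger the warning.
    $attrs = ['img' => 'src', 'script' => 'src', 'iframe' => 'src'];
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate sloppy markup
    $dom->loadHTML($html);
    libxml_clear_errors();
    $findings = [];
    foreach ($attrs as $tag => $attr) {
        foreach ($dom->getElementsByTagName($tag) as $el) {
            $url = $el->getAttribute($attr);
            // https://, relative and protocol-relative (//host/...) links are fine.
            if (stripos($url, 'http://') !== 0) {
                continue;
            }
            $parts = parse_url($url) ?: [];
            if (strcasecmp($parts['host'] ?? '', $siteHost) === 0) {
                // Hosted on the site itself: drop scheme and domain (relative link).
                $fix = ($parts['path'] ?? '/') . (isset($parts['query']) ? '?' . $parts['query'] : '');
                $why = 'same-host absolute URL, use a relative link';
            } else {
                // External host: switch to https (the host must support it).
                $fix = 'https://' . substr($url, strlen('http://'));
                $why = 'external http URL, use https';
            }
            $findings[] = ['tag' => $tag, 'url' => $url, 'fix' => $fix, 'why' => $why];
        }
    }
    return $findings;
}

// Constructed sample page: two insecure references, two that are fine.
$sample = <<<HTML
<html><body>
<img src="http://www.example.com/assets/photo1.jpg">
<img src="/assets/photo2.jpg">
<script src="http://cdn.example.net/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/style.css">
</body></html>
HTML;

foreach (findMixedContent($sample, 'www.example.com') as $f) {
    printf("<%s> %s -> %s (%s)\n", $f['tag'], $f['url'], $f['fix'], $f['why']);
}
```

Run it against a saved copy of a checkout page to get the same kind of report the third-party tools mentioned above produce, without sending the page to an outside service.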

Why is Source Code Disclosure dangerous?

Source code often contains some form of sensitive information, whether it be configuration-related information (e.g. database credentials) or simply information on how the web application functions. If disclosed, such information can potentially be used by an attacker to discover logical flaws and escalate into a subsequent chain of attacks that would not be possible without access to the application’s source code. These may include attacks such as SQL injection, database takeovers and remote code execution.

It is common practice for web applications to serve non-HTML files, such as PDFs, image files and Word documents that are customized for a specific user.

Let’s take the below example where we have a simple web application http://www.example.com/. This web application is intended to allow users to download a PDF file through a hyperlink.

[Screenshot: Source Code Disclosure]

If we take a closer look, following the link makes an HTTP GET request to a download.php script which makes use of the filename parameter.

More specifically, the following request is sent when the link is clicked – http://www.example.com/download.php?filename=aboutus.pdf

Knowing this, we can take a closer look at the filename parameter, since it seems that the download.php script is designed to allow users to download a specific file from the server. Therefore, what would happen if we sent a request to download.php, passing ‘download.php’ as the value for the filename parameter instead of ‘aboutus.pdf’? The resulting URL would look as follows: http://www.example.com/download.php?filename=download.php

[Screenshot: Source Code Disclosure]

After sending the request, the file download.php is served to the browser, effectively revealing the source code of download.php. Looking through that source code, it is evident that this occurred because the script performs absolutely no validation of user input.

<?php

// Import global config values
include('admin/config.php');

// Get the filename passed by the user (no validation is performed on it)
$filepath = $_GET['filename'];

if ($filepath) {
    $connection = mysql_connect($cfg['DATABASE']['HOST'], $cfg['DATABASE']['UNAME'], $cfg['DATABASE']['PASS']);

    if (!$connection) {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db('logs', $connection);

    $user_agent = $_SERVER['HTTP_USER_AGENT'];

    // Used by stats.php to track download trends
    // (both values are concatenated straight into the query string)
    $sql = "INSERT INTO stats VALUES ('$filepath', now(), '$user_agent')";

    $result = mysql_query($sql, $connection);

    if (!$result) {
        echo 'DB Error: ' . mysql_error($connection);
        exit;
    }

    // Clean-up and send file: whatever path was supplied is read back to
    // the client, which is why "?filename=download.php" returns this script
    mysql_close($connection);
    header('Content-Disposition: attachment; filename=' . basename($filepath));
    readfile($filepath);
}
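As an added example that is not the page’s own code, here is a hardened replacement for download.php in PHP. It assumes downloadable files live in a ./downloads directory next to the script, that admin/config.php provides the same $cfg keys as the original, and it swaps the removed mysql_* functions for mysqli prepared statements.

```php
<?php
// Added example, not the page's own code: a hardened replacement for the
// download.php shown above. Assumptions: downloadable files live in
// ./downloads next to this script, admin/config.php defines the same $cfg
// keys as the original, and the stats table keeps its three columns.
include 'admin/config.php';

$downloadDir = realpath(__DIR__ . '/downloads');

// 1. Validate input: reduce to a bare file name, then allowlist it. This
//    alone rejects "?filename=download.php" and any "../" traversal.
$name = basename((string)($_GET['filename'] ?? ''));
if (!preg_match('/^[A-Za-z0-9_-]+\.(pdf|docx|png|jpg)$/', $name)) {
    http_response_code(400);
    exit('Invalid file name');
}

// 2. Contain the path: the resolved file must be a regular file inside
//    the download directory (defence in depth if step 1 is ever loosened).
$path = realpath($downloadDir . '/' . $name);
if ($path === false || strpos($path, $downloadDir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

// 3. Log with a prepared statement so neither the file name nor the
//    User-Agent header can inject SQL (mysqli stands in for the removed mysql_* API).
$db = new mysqli($cfg['DATABASE']['HOST'], $cfg['DATABASE']['UNAME'], $cfg['DATABASE']['PASS'], 'logs');
if ($db->connect_error) {
    http_response_code(500);
    exit('Service unavailable');   // never echo driver errors to the client
}
$ua   = substr((string)($_SERVER['HTTP_USER_AGENT'] ?? ''), 0, 255);
$stmt = $db->prepare('INSERT INTO stats VALUES (?, NOW(), ?)');
$stmt->bind_param('ss', $name, $ua);
$stmt->execute();
$stmt->close();
$db->close();

// 4. Send the file with a fixed content type; $name is already allowlisted.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this version, a request for filename=download.php fails the allowlist in step 1 and receives a 400, and even a name that passes the allowlist can only ever resolve to a file inside ./downloads.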