I saw some questions and answers which says we cannot supress the
security alert box when redirecting from HTTP to HTTPS?
But i saw many sites are easily redirecting from HTTP to HTTPS without
security alert box..
How can i code such that i should not get alert box from HTTP to HTTPS?
please help me..
The logic to display the security alert box is controlled by the client.
Outside of IIS and server-side control, so there is nothing you can do.
The sites that redirect from HTTP to HTTPS transparently are either doing
the transition without the browser knowing, or the user configured the
browser to not warn.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jayanthv"
news:1151531125.191719.67700@b68g2000cwa.googlegroups.com...
>I saw some questions and answers which says we cannot supress the
> security alert box when redirecting from HTTP to HTTPS?
>
> But i saw many sites are easily redirecting from HTTP to HTTPS without
> security alert box..
>
> How can i code such that i should not get alert box from HTTP to HTTPS?
>
>
> please help me..
>
A lot of sites use javascript, with a location.replace() call (IIRC)
Just look in the HTML source of whatever website(s) you know that don't
result in a prompt.
Cheers
Ken
"David Wang [Msft]"
news:OAAWamwmGHA.2160@TK2MSFTNGP04.phx.gbl...
> The logic to display the security alert box is controlled by the client.
> Outside of IIS and server-side control, so there is nothing you can do.
>
> The sites that redirect from HTTP to HTTPS transparently are either doing
> the transition without the browser knowing, or the user configured the
> browser to not warn.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
>
> "Jayanthv"
> news:1151531125.191719.67700@b68g2000cwa.googlegroups.com...
>>I saw some questions and answers which says we cannot supress the
>> security alert box when redirecting from HTTP to HTTPS?
>>
>> But i saw many sites are easily redirecting from HTTP to HTTPS without
>> security alert box..
>>
>> How can i code such that i should not get alert box from HTTP to HTTPS?
>>
>>
>> please help me..
>>
>
>
More often it is transition the other way that causes a warning,
from HTTPS to HTTP.
Thankfully this is a client warning under client control
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Jayanthv"
news:1151531125.191719.67700@b68g2000cwa.googlegroups.com...
>I saw some questions and answers which says we cannot supress the
> security alert box when redirecting from HTTP to HTTPS?
>
> But i saw many sites are easily redirecting from HTTP to HTTPS without
> security alert box..
>
> How can i code such that i should not get alert box from HTTP to HTTPS?
>
>
> please help me..
>
Jayanthv wrote on 28 Jun 2006 14:45:25 -0700:
> I saw some questions and answers which says we cannot supress the
> security alert box when redirecting from HTTP to HTTPS?
>
> But i saw many sites are easily redirecting from HTTP to HTTPS without
> security alert box..
>
> How can i code such that i should not get alert box from HTTP to HTTPS?
>
> please help me..
As Roger pointed out, the warning is normally when you redirect from HTTPS
to HTTP.
What is the exact text of the warning message? Have you checked the pages
visible in the HTTPS connection to make sure none of them have full
references to images/javascript files/etc including HTTP:// ? That's
normally the mistake made - when viewing a page over HTTPS with images being
pulled from HTTP there will be a client warning, as not all the elements of
the page are encrypted.
Dan
Hi,
I'm still unable to supress the security alert box.. please help me..?
Im' getting the below security alert box message
"Information you exchange with this site cannot be viewed or changed by
others. However there is a problem with the site's security
certificate..
Then
1)....
2)....
3)...
Do you want to proceed?
YES, NO, CANCEL?
I'm getting same message box even though i changed by Internet
explorer->Tools->Internet options->advanced->checked all the 3 security
check boxes under the security tab.
Pleae advice and if possible some code to avoid this security box?
Thanks in advance..
Daniel Crichton wrote:
> Jayanthv wrote on 28 Jun 2006 14:45:25 -0700:
>
> > I saw some questions and answers which says we cannot supress the
> > security alert box when redirecting from HTTP to HTTPS?
> >
> > But i saw many sites are easily redirecting from HTTP to HTTPS without
> > security alert box..
> >
> > How can i code such that i should not get alert box from HTTP to HTTPS?
> >
> > please help me..
>
> As Roger pointed out, the warning is normally when you redirect from HTTPS
> to HTTP.
>
> What is the exact text of the warning message? Have you checked the pages
> visible in the HTTPS connection to make sure none of them have full
> references to images/javascript files/etc including HTTP:// ? That's
> normally the mistake made - when viewing a page over HTTPS with images being
> pulled from HTTP there will be a client warning, as not all the elements of
> the page are encrypted.
>
> Dan
Jayanthv wrote on 3 Jul 2006 11:01:58 -0700:
> Hi,
>
> I'm still unable to supress the security alert box.. please help me..?
> Im' getting the below security alert box message
>
> "Information you exchange with this site cannot be viewed or changed by
> others. However there is a problem with the site's security
> certificate..
>
> Then
>
> 1)....
>
> 2)....
>
> 3)...
>
> Do you want to proceed?
>
> YES, NO, CANCEL?
>
> I'm getting same message box even though i changed by Internet
> explorer->Tools->Internet options->advanced->checked all the 3 security
> check boxes under the security tab.
>
> Pleae advice and if possible some code to avoid this security box?
Please include the text from points 1, 2, and 3 - they're the important
bits! Does your certificate hostname (CN) match the site hostname? Is the
Certificate Authority (CA) in your IE trusted roots list?
Dan
To be clear, the issue is not how to "suppress the security alert box" but
rather "how do I do it correctly to avoid security vulnerability".
There is a good reason that the client warns the user because the server is
about to do something insecure. You should be thinking about how to do it
correctly and securely, not how to suppress the warning.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jayanthv"
news:1151949718.667054.280380@a14g2000cwb.googlegroups.com.. .
> Hi,
>
> I'm still unable to supress the security alert box.. please help me..?
> Im' getting the below security alert box message
>
> "Information you exchange with this site cannot be viewed or changed by
> others. However there is a problem with the site's security
> certificate..
>
> Then
>
> 1)....
>
> 2)....
>
> 3)...
>
> Do you want to proceed?
>
> YES, NO, CANCEL?
>
> I'm getting same message box even though i changed by Internet
> explorer->Tools->Internet options->advanced->checked all the 3 security
> check boxes under the security tab.
>
> Pleae advice and if possible some code to avoid this security box?
>
> Thanks in advance..
>
>
>
>
>
> Daniel Crichton wrote:
>> Jayanthv wrote on 28 Jun 2006 14:45:25 -0700:
>>
>> > I saw some questions and answers which says we cannot supress the
>> > security alert box when redirecting from HTTP to HTTPS?
>> >
>> > But i saw many sites are easily redirecting from HTTP to HTTPS without
>> > security alert box..
>> >
>> > How can i code such that i should not get alert box from HTTP to HTTPS?
>> >
>> > please help me..
>>
>> As Roger pointed out, the warning is normally when you redirect from
>> HTTPS
>> to HTTP.
>>
>> What is the exact text of the warning message? Have you checked the pages
>> visible in the HTTPS connection to make sure none of them have full
>> references to images/javascript files/etc including HTTP:// ? That's
>> normally the mistake made - when viewing a page over HTTPS with images
>> being
>> pulled from HTTP there will be a client warning, as not all the elements
>> of
>> the page are encrypted.
>>
>> Dan
>
Daniel Crichton wrote:
> Jayanthv wrote on 3 Jul 2006 11:01:58 -0700:
>
> > Hi,
> >
> > I'm still unable to supress the security alert box.. please help me..?
> > Im' getting the below security alert box message
> >
> > "Information you exchange with this site cannot be viewed or changed by
> > others. However there is a problem with the site's security
> > certificate..
> >
> > Then
> >
> > 1)....
> >
> > 2)....
> >
> > 3)...
> >
> > Do you want to proceed?
> >
> > YES, NO, CANCEL?
> >
> > I'm getting same message box even though i changed by Internet
> > explorer->Tools->Internet options->advanced->checked all the 3 security
> > check boxes under the security tab.
> >
> > Pleae advice and if possible some code to avoid this security box?
>
> Please include the text from points 1, 2, and 3 - they're the important
> bits! Does your certificate hostname (CN) match the site hostname? Is the
> Certificate Authority (CA) in your IE trusted roots list?
>
> Dan
Hi,
The following are the three points that are displayed in security alert
box
1) The security certificate was issued by a company you have not chosen
to trust. View the certificate to determine whether you want to trust
the certifying authority.
2)The Security certificate date is valid.
3) The name of the security certificate is invalid or does not match
the name of the site.
Do you want to proceed ?
YES NO CANCEL..
This is popup message i'm getting when redirecting from HTTP to HTTPS?
Can you please help me.?
Jayanthv wrote on 6 Jul 2006 09:41:56 -0700:
> Daniel Crichton wrote:
>> Jayanthv wrote on 3 Jul 2006 11:01:58 -0700:
>>
>>> Hi,
>>>
>>> I'm still unable to supress the security alert box.. please help me..?
>>> Im' getting the below security alert box message
>>>
>>> "Information you exchange with this site cannot be viewed or changed by
>>> others. However there is a problem with the site's security
>>> certificate..
>>>
>>> Then
>>>
>>> 1)....
>>>
>>> 2)....
>>>
>>> 3)...
>>>
>>> Do you want to proceed?
>>>
>>> YES, NO, CANCEL?
>>>
>>> I'm getting same message box even though i changed by Internet
>>> explorer->Tools->Internet options->advanced->checked all the 3 security
>>> check boxes under the security tab.
>>>
>>> Pleae advice and if possible some code to avoid this security box?
>>
>> Please include the text from points 1, 2, and 3 - they're the important
>> bits! Does your certificate hostname (CN) match the site hostname? Is the
>> Certificate Authority (CA) in your IE trusted roots list?
>>
>> Dan
>
> Hi,
>
> The following are the three points that are displayed in security alert
> box
>
> 1) The security certificate was issued by a company you have not chosen
> to trust. View the certificate to determine whether you want to trust
> the certifying authority.
>
> 2)The Security certificate date is valid.
>
> 3) The name of the security certificate is invalid or does not match
> the name of the site.
>
> Do you want to proceed ?
>
> YES NO CANCEL..
>
> This is popup message i'm getting when redirecting from HTTP to HTTPS?
>
> Can you please help me.?
OK, so you're using a certificate that isn't from one of the Trusted Roots
in your browser (is this one you've made yourself using Certificate Server
or SelfSSL?), and the CN in the certificate doesn't match the hostname in
the URL. This is nothing to do with a warning about redirecting to an SSL
site - this is warning you that the certificate is not from a trusted source
and doesn't match the site.
Dan