Triggering https to http alerts

on 08.02.2007 17:52:24 by NWdev

For some time I've been searching for a solution to what is likely a
common customer request:

In a 'mixed' website that contains content from other sites, don't
trigger the SSL alerts going to/from https or when displaying the
content from other sites.

By 'mixed' I mean the site contains both http & https pages with a
valid SSL cert for the domain.

The external site content is from registered user postings to a
classifieds listing. For example images they've cut and pasted from
their corporate website or elsewhere. (Uploading the images doesn't
appear to be an option in this case.)

Since the site contains many pages that require https for sensitive
customer information (registration, customer data), most of it is
served via https.

Given that, in order to avoid triggering the mixed secure/non-secure
content alert the classifieds listing pages need to be served in http
vs. https.

So far I've tried a number of strategies, but have unfortunately been
unsuccessful in avoiding triggering the http to https (you're going to
a secure site...) or https to http (you're leaving a secure site)
alerts.

The site is in ASP (classic) and uses redirects heavily. In most cases
there is querystring data - so server.transfer is less of an option
and response.redirect is used (aside from the fact it's serving up the
same page via a different protocol vs a different page). So there are
both clickable links and programmatic redirects to handle. (As well as
very limited session data.)

Here are some things I've tried but unfortunately still triggered the
alerts:
+ https page https link --> https swap page that redirects to desired
page in http
+ https page https link --> https desired page w/ Meta refresh to http
+ https page https link --> https desired page w/ Javascript
window.location change to http
+ https page https link --> https desired page w/ ASP redirect to http
+ https page http link --> http desired page
+ https page https redirect --> https swap page redirecting to desired
page in http
+ https page https redirect --> https desired page w/ ASP redirect to
http
+ https page https redirect --> https desired page w/ Meta refresh to
http
+ https page https redirect --> https desired page w/ Javascript
window.location change to http
+ https page http redirect --> http desired page
& similarly for going from http to https

Perhaps someone has some suggestions and can point me in the right
direction?

Thanks!
Bonnie

Re: Triggering https to http alerts

on 10.02.2007 19:56:04 by Roger Abell

The warning messages are under control of the browsing client.
If the webservers / content rendering could control this then it
would be pretty useless.

In order to avoid mixed content you need to avoid mixed content,
I mean, what the browser sees needs to all come from http such as
if your rendering code emitted the html after itself fetching the
content from the https site serverside.

Roger

"NWdev" wrote in message
news:1170953544.276230.238520@j27g2000cwj.googlegroups.com...
> For some time I've been searching for a solution to what is likely a
> common customer request:
>
> In a 'mixed' website that contains content from other sites, don't
> trigger the SSL alerts going to/from https or when displaying the
> content from other sites.
>
> By 'mixed' I mean the site contains both http & https pages with a
> valid SSL cert for the domain.
>
> The external site content is from registered user postings to a
> classifieds listing. For example images they've cut and pasted from
> their corporate website or elsewhere. (Uploading the images doesn't
> appear to be an option in this case.)
>
> Since the site contains many pages that require https for sensitive
> customer information (registration, customer data), most of it is
> served via https.
>
> Given that, in order to avoid triggering the mixed secure/non-secure
> content alert the classifieds listing pages need to be served in http
> vs. https.
>
> So far I've tried a number of strategies, but have unfortunately been
> unsuccessful in avoiding triggering the http to https (you're going to
> a secure site...) or https to http (you're leaving a secure site)
> alerts.
>
> The site is in ASP (classic) and uses redirects heavily. In most cases
> there is querystring data - so server.transfer is less of an option
> and response.redirect is used (aside from the fact it's serving up the
> same page via a different protocol vs a different page). So there are
> both clickable links and programmatic redirects to handle. (As well as
> very limited session data.)
>
> Here are some things I've tried but unfortunately still triggered the
> alerts:
> + https page https link --> https swap page that redirects to desired
> page in http
> + https page https link --> https desired page w/ Meta refresh to http
> + https page https link --> https desired page w/ Javascript
> window.location change to http
> + https page https link --> https desired page w/ ASP redirect to http
> + https page http link --> http desired page
> + https page https redirect --> https swap page redirecting to desired
> page in http
> + https page https redirect --> https desired page w/ ASP redirect to
> http
> + https page https redirect --> https desired page w/ Meta refresh to
> http
> + https page https redirect --> https desired page w/ Javascript
> window.location change to http
> + https page http redirect --> http desired page
> & similarly for going from http to https
>
> Perhaps someone has some suggestions and can point me in the right
> direction?
>
> Thanks!
> Bonnie
>

Re: Triggering https to http alerts

on 01.03.2007 02:09:47 by NWdev

Thanks for your response Roger.

I understand that this is a browser initiated (client side) response,
however I am not interested in disabling the response, but rather
avoiding the trigger when a user navigates from https to http and vice
versa.

So, to re-state the question:

What ASP (classic) or JavaScript coding makes it possible to move from
http to https and https to http without triggering the client side
browser alert?

I need to be able to allow a user to move to and from a secure page
(https) to an insecure one (http) without the user's browser being
triggered to display the SSL alert (you are moving to a secure page/
you are moving from a secure page).

What complicates this somewhat further is I also need to be able to do
this programmatically after running server side code (not just when a
user clicks a link).

Hopefully someone can point me in the right direction. I've done a
number of tests, however each has been unsuccessful in avoiding the
trigger. I know sites do this, often moving to/from a secure login or
form page (SSL, https) to non-secured pages (non-SSL, http) without
triggering the alert. So it seems it is a matter of either sequence
that I'm missing.

Thanks for any assistance.

Regards,
Bonnie

Re: Triggering https to http alerts

on 01.03.2007 08:45:48 by David Wang

It is not a matter of "the right sequence to avoid triggering the
alert". You don't want to do things the way you think because if you
succeed, it is called a "security exploit".

So, instead of searching for a security exploit, you're going to have
to do something else to proxy HTTP content over HTTPS... such as
having an ASP page which you retrieve via HTTPS (so the browser only
sees HTTPS links with the original page also HTTPS), but the ASP page
makes an outbound HTTP call to retrieve the offsite content, then
return that content over HTTPS back to the browser.

This ASP page will be able to satisfy both of your requirements,
including:
> I also need to be able to do this
> programmatically after running
> server side code (not just when a
> user clicks a link).

You can use ActiveX components on the server, like WinHttp and
XMLHTTP, to do what you want within the ASP page. These components are
also documented on MSDN.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 28, 5:09 pm, "NWdev" wrote:
> Thanks for your response Roger.
>
> I understand that this is a browser initiated (client side) response,
> however I am not interested in disabling the response, but rather
> avoiding the trigger when a user navigates from https to http and vice
> versa.
>
> So, to re-state the question:
>
> What ASP (classic) or JavaScript coding makes it possible to move from
> http to https and https to http without triggering the client side
> browser alert?
>
> I need to be able to allow a user to move to and from a secure page
> (https) to an insecure one (http) without the user's browser being
> triggered to display the SSL alert (you are moving to a secure page/
> you are moving from a secure page).
>
> What complicates this somewhat further is I also need to be able to do
> this programmatically after running server side code (not just when a
> user clicks a link).
>
> Hopefully someone can point me in the right direction. I've done a
> number of tests, however each has been unsuccessful in avoiding the
> trigger. I know sites do this, often moving to/from a secure login or
> form page (SSL, https) to non-secured pages (non-SSL, http) without
> triggering the alert. So it seems it is a matter of either sequence
> that I'm missing.
>
> Thanks for any assistance.
>
> Regards,
> Bonnie

Re: Triggering https to http alerts

on 05.03.2007 22:59:51 by NWdev

Thank you David for your response.

So if I understand the suggested solutions correctly, one option is to
fetch the cut & pasted images from the user's sites via https versus
http. That could be done by swapping out any http links to https
before storing the user's text input in the database. It seems though
that there's something else I'm missing.

What about sites which require sections to be http and other parts
https?

For example a site which has a section of pages which are publicly
available (via http) and another section which are only available to
registered (& logged in) users (via https).

In my case, the site contains both of these types of sections and
logged in users can navigate to the public pages as well as the non-
public https pages. The customer wants them to be able to do this
without seeing the standard https to http (or vice versa) alert.

So the question is --
What is required to allow a user to navigate from http to https (and
vice versa) without receiving an alert?

Regards,
Bonnie

Re: Triggering https to http alerts

on 06.03.2007 10:13:19 by David Wang

Let me repeat again.

The alert happens when the browser agent is configured to alert when
switching between https:// and http:// . Thus to avoid the alerts, the
browser agent has to consistently see either https:// or http://
URLs.

If you can swap between https:// and http:// without the browser agent
alerting, when the browser agent is configured to alert on such a
change, that is a Security vulnerability in the browser and will be
fixed. Thus, do not search for such a "solution".

Easiest way is to put the entire website under SSL, images and
everything.

For example, most banks have a public HTTP website and private HTTPS
section for Registered Users. Their public HTTP server never
references anything in the HTTPS section other than the initial HTTPS
login page (security reasons), and the HTTPS section only references
other HTTPS URLs until logout. I never said that the content of the
URLs had to come from this server -- it just has to *appear* to come
from this server.

If you want to present HTTP content from other websites as a part of
your website's HTTPS content, then you will have to reverse-proxy it
from your website with such an ASP/ASP.Net page that I described
before. The browser agent thinks it is making an HTTPS request to your
ASP page, but the ASP page is actually making an HTTP request to the
other website behind-the-scenes, getting that response back, and then
sending it back to the browser agent over HTTPS -- thus everything
looks kosher to the browser.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Mar 5, 1:59 pm, "NWdev" wrote:
> Thank you David for your response.
>
> So if I understand the suggested solutions correctly, one option is to
> fetch the cut & pasted images from the user's sites via https versus
> http. That could be done by swapping out any http links to https
> before storing the user's text input in the database. It seems though
> that there's something else I'm missing.
>
> What about sites which require sections to be http and other parts
> https?
>
> For example a site which has a section of pages which are publicly
> available (via http) and another section which are only available to
> registered (& logged in) users (via https).
>
> In my case, the site contains both of these types of sections and
> logged in users can navigate to the public pages as well as the non-
> public https pages. The customer wants them to be able to do this
> without seeing the standard https to http (or vice versa) alert.
>
> So the question is --
> What is required to allow a user to navigate from http to https (and
> vice versa) without receiving an alert?
>
> Regards,
> Bonnie
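
The server-side fetch page described in David Wang's two replies, sketched as an added example (not code from the thread or from any poster): the listing page would reference each user-supplied image as `https://.../imgproxy.asp?u=<encoded URL>`, so the browser only requests HTTPS URLs from this site. The page name `imgproxy.asp`, the `u` parameter, the 2 MB cap and the accepted image types are assumptions chosen for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' imgproxy.asp (hypothetical name), requested by the browser as
'   https://www.example.com/imgproxy.asp?u=<URL-encoded image address>
Const MAX_BYTES = 2097152   ' assumed 2 MB cap on relayed images

Sub Fail(statusLine)
    Response.Status = statusLine
    Response.End
End Sub

Dim target, re, http, ctype, body
target = Request.QueryString("u")

' Accept only http(s) URLs on a dotted host name ending in a letters-only
' label: no userinfo, no explicit port, no IP literals, no bare names such
' as "localhost". Names that resolve to internal addresses still pass this
' text check, so the web server's outbound access should be restricted too.
Set re = New RegExp
re.IgnoreCase = True
re.Pattern = "^https?://([a-z0-9-]+\.)+[a-z]{2,}(/[^\s]*)?$"
If Not re.Test(target) Then Fail "400 Bad Request"

Set http = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
http.SetTimeouts 5000, 5000, 5000, 10000   ' resolve, connect, send, receive (ms)
On Error Resume Next
http.Open "GET", target, False
http.Option(6) = False   ' WinHttpRequestOption_EnableRedirects: do not follow
http.Send
If Err.Number <> 0 Then
    On Error GoTo 0
    Fail "502 Bad Gateway"
End If
ctype = LCase(http.GetResponseHeader("Content-Type"))
On Error GoTo 0

If http.Status <> 200 Then Fail "502 Bad Gateway"
' Relay images only, so third-party HTML or script is never served
' from this site's HTTPS origin.
If ctype <> "image/jpeg" And ctype <> "image/gif" And ctype <> "image/png" Then
    Fail "415 Unsupported Media Type"
End If
body = http.ResponseBody
If LenB(body) > MAX_BYTES Then Fail "502 Bad Gateway"

Response.ContentType = ctype
Response.AddHeader "X-Content-Type-Options", "nosniff"
Response.BinaryWrite body
%>
```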