| Groups | Blog | Home |
iis security : Is there a way to avoid/security alert box from redirecting to HTTP to HTTPS?
I saw some questions and answers which says we cannot supress the
security alert box when redirecting from HTTP to HTTPS? But i saw many sites are easily redirecting from HTTP to HTTPS without security alert box.. How can i code such that i should not get alert box from HTTP to HTTPS? please help me..
The logic to display the security alert box is controlled by the client.
Outside of IIS and server-side control, so there is nothing you can do. The sites that redirect from HTTP to HTTPS transparently are either doing the transition without the browser knowing, or the user configured the browser to not warn. -- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Jayanthv" <jayanth.vishnuvardhan@gmail.com> wrote in message news:1151531125.191719.67700@b68g2000cwa.googlegroups.com... >I saw some questions and answers which says we cannot supress the > security alert box when redirecting from HTTP to HTTPS? > > But i saw many sites are easily redirecting from HTTP to HTTPS without > security alert box.. > > How can i code such that i should not get alert box from HTTP to HTTPS? > > > please help me.. >
More often it is transition the other way that causes a warning,
from HTTPS to HTTP. Thankfully this is a client warning under client control -- Roger Abell Microsoft MVP (Windows Server : Security) [quoted text, click to view] "Jayanthv" <jayanth.vishnuvardhan@gmail.com> wrote in message news:1151531125.191719.67700@b68g2000cwa.googlegroups.com... >I saw some questions and answers which says we cannot supress the > security alert box when redirecting from HTTP to HTTPS? > > But i saw many sites are easily redirecting from HTTP to HTTPS without > security alert box.. > > How can i code such that i should not get alert box from HTTP to HTTPS? > > > please help me.. >
Jayanthv wrote on 28 Jun 2006 14:45:25 -0700:
[quoted text, click to view] > I saw some questions and answers which says we cannot supress the > security alert box when redirecting from HTTP to HTTPS? > > But i saw many sites are easily redirecting from HTTP to HTTPS without > security alert box.. > > How can i code such that i should not get alert box from HTTP to HTTPS? > > please help me.. As Roger pointed out, the warning is normally when you redirect from HTTPS to HTTP. What is the exact text of the warning message? Have you checked the pages visible in the HTTPS connection to make sure none of them have full references to images/javascript files/etc including HTTP:// ? That's normally the mistake made - when viewing a page over HTTPS with images being pulled from HTTP there will be a client warning, as not all the elements of the page are encrypted. Dan
A lot of sites use javascript, with a location.replace() call (IIRC)
Just look in the HTML source of whatever website(s) you know that don't result in a prompt. Cheers Ken [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:OAAWamwmGHA.2160@TK2MSFTNGP04.phx.gbl... > The logic to display the security alert box is controlled by the client. > Outside of IIS and server-side control, so there is nothing you can do. > > The sites that redirect from HTTP to HTTPS transparently are either doing > the transition without the browser knowing, or the user configured the > browser to not warn. > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no > rights. > // > > "Jayanthv" <jayanth.vishnuvardhan@gmail.com> wrote in message > news:1151531125.191719.67700@b68g2000cwa.googlegroups.com... >>I saw some questions and answers which says we cannot supress the >> security alert box when redirecting from HTTP to HTTPS? >> >> But i saw many sites are easily redirecting from HTTP to HTTPS without >> security alert box.. >> >> How can i code such that i should not get alert box from HTTP to HTTPS? >> >> >> please help me.. >> > >
Hi,
I'm still unable to supress the security alert box.. please help me..? Im' getting the below security alert box message "Information you exchange with this site cannot be viewed or changed by others. However there is a problem with the site's security certificate.. Then 1).... 2).... 3)... Do you want to proceed? YES, NO, CANCEL? I'm getting same message box even though i changed by Internet explorer->Tools->Internet options->advanced->checked all the 3 security check boxes under the security tab. Pleae advice and if possible some code to avoid this security box? Thanks in advance.. [quoted text, click to view] Daniel Crichton wrote:
> Jayanthv wrote on 28 Jun 2006 14:45:25 -0700: > > > I saw some questions and answers which says we cannot supress the > > security alert box when redirecting from HTTP to HTTPS? > > > > But i saw many sites are easily redirecting from HTTP to HTTPS without > > security alert box.. > > > > How can i code such that i should not get alert box from HTTP to HTTPS? > > > > please help me.. > > As Roger pointed out, the warning is normally when you redirect from HTTPS > to HTTP. > > What is the exact text of the warning message? Have you checked the pages > visible in the HTTPS connection to make sure none of them have full > references to images/javascript files/etc including HTTP:// ? That's > normally the mistake made - when viewing a page over HTTPS with images being > pulled from HTTP there will be a client warning, as not all the elements of > the page are encrypted. > > Dan
Jayanthv wrote on 3 Jul 2006 11:01:58 -0700:
[quoted text, click to view] > Hi, > > I'm still unable to supress the security alert box.. please help me..? > Im' getting the below security alert box message > > "Information you exchange with this site cannot be viewed or changed by > others. However there is a problem with the site's security > certificate.. > > Then > > 1).... > > 2).... > > 3)... > > Do you want to proceed? > > YES, NO, CANCEL? > > I'm getting same message box even though i changed by Internet > explorer->Tools->Internet options->advanced->checked all the 3 security > check boxes under the security tab. > > Pleae advice and if possible some code to avoid this security box? Please include the text from points 1, 2, and 3 - they're the important bits! Does your certificate hostname (CN) match the site hostname? Is the Certificate Authority (CA) in your IE trusted roots list? Dan
To be clear, the issue is not how to "suppress the security alert box" but
rather "how do I do it correctly to avoid security vulnerability". There is a good reason that the client warns the user because the server is about to do something insecure. You should be thinking about how to do it correctly and securely, not how to suppress the warning. -- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Jayanthv" <jayanth.vishnuvardhan@gmail.com> wrote in message news:1151949718.667054.280380@a14g2000cwb.googlegroups.com... > Hi, > > I'm still unable to supress the security alert box.. please help me..? > Im' getting the below security alert box message > > "Information you exchange with this site cannot be viewed or changed by > others. However there is a problem with the site's security > certificate.. > > Then > > 1).... > > 2).... > > 3)... > > Do you want to proceed? > > YES, NO, CANCEL? > > I'm getting same message box even though i changed by Internet > explorer->Tools->Internet options->advanced->checked all the 3 security > check boxes under the security tab. > > Pleae advice and if possible some code to avoid this security box? > > Thanks in advance.. > > > > > > Daniel Crichton wrote: >> Jayanthv wrote on 28 Jun 2006 14:45:25 -0700: >> >> > I saw some questions and answers which says we cannot supress the >> > security alert box when redirecting from HTTP to HTTPS? >> > >> > But i saw many sites are easily redirecting from HTTP to HTTPS without >> > security alert box.. >> > >> > How can i code such that i should not get alert box from HTTP to HTTPS? >> > >> > please help me.. >> >> As Roger pointed out, the warning is normally when you redirect from >> HTTPS >> to HTTP. >> >> What is the exact text of the warning message? Have you checked the pages >> visible in the HTTPS connection to make sure none of them have full >> references to images/javascript files/etc including HTTP:// ? That's >> normally the mistake made - when viewing a page over HTTPS with images >> being >> pulled from HTTP there will be a client warning, as not all the elements >> of >> the page are encrypted. >> >> Dan >
[quoted text, click to view]
Daniel Crichton wrote: > Jayanthv wrote on 3 Jul 2006 11:01:58 -0700: > > > Hi, > > > > I'm still unable to supress the security alert box.. please help me..? > > Im' getting the below security alert box message > > > > "Information you exchange with this site cannot be viewed or changed by > > others. However there is a problem with the site's security > > certificate.. > > > > Then > > > > 1).... > > > > 2).... > > > > 3)... > > > > Do you want to proceed? > > > > YES, NO, CANCEL? > > > > I'm getting same message box even though i changed by Internet > > explorer->Tools->Internet options->advanced->checked all the 3 security > > check boxes under the security tab. > > > > Pleae advice and if possible some code to avoid this security box? > > Please include the text from points 1, 2, and 3 - they're the important > bits! Does your certificate hostname (CN) match the site hostname? Is the > Certificate Authority (CA) in your IE trusted roots list? > > Dan Hi, The following are the three points that are displayed in security alert box 1) The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. 2)The Security certificate date is valid. 3) The name of the security certificate is invalid or does not match the name of the site. Do you want to proceed ? YES NO CANCEL.. This is popup message i'm getting when redirecting from HTTP to HTTPS? Can you please help me.?
Jayanthv wrote on 6 Jul 2006 09:41:56 -0700:
[quoted text, click to view] > Daniel Crichton wrote: >> Jayanthv wrote on 3 Jul 2006 11:01:58 -0700: >> >>> Hi, >>> >>> I'm still unable to supress the security alert box.. please help me..? >>> Im' getting the below security alert box message >>> >>> "Information you exchange with this site cannot be viewed or changed by >>> others. However there is a problem with the site's security >>> certificate.. >>> >>> Then >>> >>> 1).... >>> >>> 2).... >>> >>> 3)... >>> >>> Do you want to proceed? >>> >>> YES, NO, CANCEL? >>> >>> I'm getting same message box even though i changed by Internet >>> explorer->Tools->Internet options->advanced->checked all the 3 security >>> check boxes under the security tab. >>> >>> Pleae advice and if possible some code to avoid this security box? >> >> Please include the text from points 1, 2, and 3 - they're the important >> bits! Does your certificate hostname (CN) match the site hostname? Is the >> Certificate Authority (CA) in your IE trusted roots list? >> >> Dan > > Hi, > > The following are the three points that are displayed in security alert > box > > 1) The security certificate was issued by a company you have not chosen > to trust. View the certificate to determine whether you want to trust > the certifying authority. > > 2)The Security certificate date is valid. > > 3) The name of the security certificate is invalid or does not match > the name of the site. > > Do you want to proceed ? > > YES NO CANCEL.. > > This is popup message i'm getting when redirecting from HTTP to HTTPS? > > Can you please help me.? OK, so you're using a certificate that isn't from one of the Trusted Roots in your browser (is this one you've made yourself using Certificate Server or SelfSSL?), and the CN in the certificate doesn't match the hostname in the URL. This is nothing to do with a warning about redirecting to an SSL site - this is warning you that the certificate is not from a trusted source and doesn't match the site. Dan
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |