Avoiding SSL "You are about to be redirected to a connection that is not secure." message

Tags: ssl

I have a login screen which I'm serving over SSL. The user fills in their login/password, this gets POSTed to the server. At this point I want to jump out of SSL, so I redirect them back to the same page with no SSL.

This causes the browser to show a warning dialog "You are about to be redirected to a connection that is not secure". How can I avoid this? I've seen plenty of sites like Yahoo Mail and Gmail that give you an SSL page for login, then send you to a non-SSL page after this.

Secondary question: what's the purpose of this dialog? It's trying to warn me about some nefarious purpose - but what's so bad about redirecting someone to a non-SSL page? I don't get a warning when I'm on an SSL page and click a non-SSL link. What's different about redirecting someone?

I'm doing this in ASP.NET 2.0 - but I figure this is a generic web-dev question.

UPDATE SUMMARY: It seems the popular answer is "DON'T AVOID IT". I can understand that a user should get a message when security is being removed. But I don't get a dialog when I follow a link and security is removed, so at the very least I'd say this is inconsistent.

The dialog / browser versions. I actually don't see the dialog in IE7/FF3 (maybe I've clicked a checkbox preventing it). More importantly the client DOES see it in IE6 - with no checkbox to remove it (yes, I know IE6 is old and crap).

Firefox 2 screenshot: http://img521.imageshack.us/img521/8455/sslwarning.jpg

IE6 screenshot: [image not recoverable]

The alternative: make the entire site SSL, never redirect the user out of SSL. I could handle that. But I've got a semi-technical client who has some fairly good points:

  • "SSL is going to cause an increase in traffic / processing power". I don't really buy this, and I don't think his site is ever going to require more than one box to serve it.
  • "Yahoo does it. Yahoo is a big technical company. Are you smarter than Yahoo?"

I'm going to try to sway the client over to an entirely SSL site. I'll argue Yahoo's approach made sense in 1996, or for a site that is MUCH more popular. Some official links explaining why this dialog happens would help (i.e. Jakob Nielsen level of authenticity).

TesterTurnedDeveloper asked Jul 26 '09 23:07 (564 likes)


2 Answers

I hit this same problem a while back. So I had a look inside Fiddler to see how Yahoo Mail does it. Here's the step I saw (and used on my site):

User fills in SSL encrypted form, and POSTs to the server. Server authenticates, and spits out some script to redirect the client

<script language="JavaScript">
<!--
window.location.replace("~~ non-SSL URL ~~");
// -->
</script>

I figure the client side code is there to avoid this dialog.

russau answered Nov 08 '22 22:11 (86 likes)


"How can I avoid this?"

You shouldn't!

Although you could try that with JavaScript. This might work on some browsers and fail on others.

"What's the purpose of this dialog?"

It warns because switching between SSL and non-SSL on websites is usually unexpected by the user. A warning about the "non-SSL to SSL" is not emitted since it increases security and privacy. However, when security is suddenly decreased, the user should notice that quickly, in order to avoid a false feeling of security. In fact, redirecting to a non-SSL site is sometimes used in XSS/MITM attacks.

"SSL is going to cause an increase in traffic / processing power"

This is nonsense. It might be true for sites full of big, static content. However, for normal dynamic web applications, encryption is very cheap compared to business logic, database access, etc.

There is an urban legend saying that SSL content is not cached by browsers. See "Will web browsers cache content over https" for more information.

"Yahoo does it. Yahoo is a big technical company. Are you smarter than Yahoo?"

Some rhetorical counter-questions:

  • Are you a big technical company like Yahoo?
  • Did being a big technical company prevent Microsoft from producing crappy software?
  • Do you have to support crappy old (SSL-broken) browsers, as Yahoo has to?

vog answered Nov 08 '22 20:11 (42 likes)
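As an added example (not code from the question or from either answer), here is a small Python audit that flags post-login responses which downgrade an https request to http. It covers both the Location-header redirect that triggers the browser dialog and the script-driven redirect russau observed, which the dialog does not see. The host name and sample responses are constructed placeholders.

```python
import re
from urllib.parse import urljoin, urlsplit

# Matches a script-driven redirect (window.location = / .replace( / .assign()
# whose target is a literal plain-http URL. Such redirects bypass the
# browser's "not secure" dialog, so they must be checked separately.
SCRIPT_REDIRECT = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()"
    r"\s*[\"'](http://[^\"']+)[\"']",
    re.IGNORECASE,
)

def downgrade_target(request_url, location):
    """Return the absolute target if a Location header moves an https
    request to http, otherwise None. Relative ("/account") and
    protocol-relative ("//host/account") targets are resolved against
    the request URL first, so they inherit https and are not downgrades."""
    target = urljoin(request_url, location)
    if urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http":
        return target
    return None

def audit_response(request_url, status, headers, body=""):
    """Audit one response to an https request. Returns (kind, target)
    findings for header-based and script-based https->http downgrades."""
    findings = []
    if 300 <= status < 400:
        target = downgrade_target(request_url, headers.get("Location", ""))
        if target:
            findings.append(("header-redirect", target))
    for match in SCRIPT_REDIRECT.finditer(body):
        findings.append(("script-redirect", match.group(1)))
    return findings

# Constructed sample responses to a login POST on a placeholder host.
LOGIN_URL = "https://shop.example.test/login"
SAMPLES = {
    "all-https": (302, {"Location": "/account"}, ""),
    "header-downgrade": (302, {"Location": "http://shop.example.test/account"}, ""),
    "script-downgrade": (200, {}, '<script>window.location.replace("http://shop.example.test/account");</script>'),
    "protocol-relative": (302, {"Location": "//shop.example.test/account"}, ""),
}

def audit_samples():
    """Run the audit over every constructed sample; only the two
    downgrade cases should produce findings."""
    return {name: audit_response(LOGIN_URL, *resp) for name, resp in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or "ok")
```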