Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How To Tell What Files IE Thinks Are "nonsecure"?

Tags:

security

internet-explorer-6

internet-explorer-7

We have a CMS system whose web interface gets served over HTTPS. This works beautifully for Firefox, but when we load it in IE6 or IE7, it complains that "This page contains both secure and nonsecure items."

I've loaded the page in Firefox and checked with Firebug, and every connection seems to be going through HTTPS, as should be the case.

Is there any way to tell what is causing IE to throw this apparently spurious error?

like image 939
Sean McMains Avatar asked Sep 18 '08 20:09

Sean McMains

5 Answers

Firefox has a number of bugs in mixed content detection. Generally you should try using Fiddler to spot insecure resources.

If you install a tool I wrote (www.bayden.com/dl/scriptfreesetup.exe) you will get a different mixed content prompt which shows the exact URL of the first insecure resource on the page. That tool is basically a prototype and you should uninstall it when you're done with it.

like image 65
EricLaw Avatar answered Oct 15 '22 00:10

EricLaw

Use Fiddler to watch the traffic between the server and IE.

Be sure to go to Tools > Fiddler Options... > HTTPS > and check 'Decrypt HTTPS traffic'

Any non-HTTPS traffic generated between any server and IE should be easy to spot in the Web Sessions list.

like image 30
Grant Wagner Avatar answered Oct 15 '22 00:10

Grant Wagner

I used Eric's tool (thanks Eric you saved me hours...) and it turns out that IE6 treats a background image specified with a relative path as nonsecure content. Even though it actually requests it over https. So if you're stumped - converting your relative paths to absolute ones might really help...

like image 3
BigMikeW Avatar answered Oct 15 '22 00:10

BigMikeW

Are one or more resources (CSS url-image ref overlooked easily) pointing to a subdomain that's not covered by the certificate (https://www.example.com vs https://static.example.com)?

like image 2
micahwittman Avatar answered Oct 15 '22 02:10

micahwittman

If you can't see anything that isn't using SSL, then this is usually down to a broken SSL certificate somewhere. I don't know of anything off-hand that will tell you what exactly what the problem is, but you can get a list of everything that's loaded easily enough.

The media tab on Firefox's 'page info' dialog (right click on the page) will do it, it might also be worth having a go with Fiddler (which is an excellent, and extremely useful piece of software).

like image 1
Dan Avatar answered Oct 15 '22 01:10

Dan
Sign in to Comment

Related questions

What prevents HttpSession's id from being stolen?
Is it safe to store sensitive data in a C++ compiled binary?
Does using CSRF form tokens help spam prevention?
ASP.net MVC AntiForgeryToken over AJAX
Best way of doing code for "Forgotten Password"
How secure is it to call "secret" URLs in an iOS app?
ServiceStack web services security
Does https encrypt the whole URL?
What attack does the "state" parameter in OpenID Connect server flow prevent?
Using a Single system() Call to Execute Multiple Commands in C
Add group "Everyone" to directory and all of it's sub-directories
Protecting a system deployed in a "hostile" environment
MongoDB Security [closed]
Behaviour of SecureRandom
ExtractToFile throwing Access Denied Error?
How do I make sure a user is only logged in once?
Securely Saving API Keys In Android (flutter) Apps
Md5 Alternative in PHP? [closed]
Understanding Python Pickle Insecurity
Symfony & Guard: "The security token was removed due to an AccountStatusException"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!