Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

IE: HTTPS security is compromised by res://ieframe.dll/sslnavcancel.htm

I'm working on an ecommerce application that has many HTTPS-only areas. This particular error only happens in IE (10 at least, haven't tried others) and it only happens on one HTTPS page in the entire application.

From research, I gather this is IE's mixed-content warning. This is very confusing because IE is the only browser that has any issue with this page. All other relevant browsers don't complain about any mixed content.

Can anyone shed some light on what sslnavacancel.htm is? Or, how to drill down further to get an idea of what resource may be actually causing this problem?

Thanks in advance.

like image 465
Patrick Avatar asked Jun 12 '14 22:06

Patrick


1 Answers

Issue: res://ieframe.dll/sslnavcancel.htm is an embedded HTML resource in ieframe.dll that is displayed in IE to users to indicate that some resource was blocked because it was signed with an invalid certificate. A certificate may be considered invalid for a variety of reasons including if the certificate has expired or if there's a mismatch between the hostname in the certificate and the hostname actually used to obtain the resource.

Solution: You can try installing Fiddler the HTTP debugging proxy and running that while testing your website in IE10. Fiddler sits as an HTTP proxy between your browser and HTTP servers and (among many other things) will let you know if any resource obtained has an invalid certificate. Start Fiddler, go to Tools|Fiddler Options|HTTPS, check Capture HTTPS CONNECTs, check Decrypt HTTPS traffic, and ensure 'Ignore server certificate errors' is unchecked. Restart Fiddler, visit your website in IE, and then examine Fiddler's log view for resources with invalid certificates.

like image 183
David Risney Avatar answered Nov 03 '22 10:11

David Risney