Java script, icons, html transitional, css and tables.

Discussion in 'HTML' started by Luigi Donatello Asero, Dec 31, 2004.

  1. On the homepage of the website https://www.scaiecat-spa-gigi.com
    I tried to insert the QuickSSL Premium Smart Icon seal
    to show that the site has been secured

    Now, the problem is that the page

    http://www.geotrust.com/quickssl_premium/install_seal.htm
    suggests to use a Java script.
    Using a Java script I cannot use html strict and CSS does not seem to work.
    Thus I cannot center the text on the page unless I use a table for the
    layout.
    On the other hand, the icon is good to show that the site has been secured.
    Any suggestions?



    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/boendeiitalien.html
    Luigi Donatello Asero, Dec 31, 2004
    #1
    1. Advertising

  2. Luigi Donatello Asero wrote:
    <snip>
    > I tried to insert the QuickSSL Premium Smart
    > Icon seal

    <snip>
    > On the other hand, the icon is good to show that
    > the site has been secured. ...


    I am always amused by the e-mail that I receive that states clearly at
    the bottom that the contents and attachments have been scanned by some
    anti-virus program and are certified virus free, I don't believe a word
    of it.

    Richard.
    Richard Cornford, Dec 31, 2004
    #2
    1. Advertising

  3. "Richard Cornford" <> skrev i meddelandet
    news:cr2cds$jfv$1$...
    > Luigi Donatello Asero wrote:
    > <snip>
    > > I tried to insert the QuickSSL Premium Smart
    > > Icon seal

    > <snip>
    > > On the other hand, the icon is good to show that
    > > the site has been secured. ...

    >
    > I am always amused by the e-mail that I receive that states clearly at
    > the bottom that the contents and attachments have been scanned by some
    > anti-virus program and are certified virus free, I don't believe a word
    > of it.
    >
    > Richard.


    Anti-virus program and virus do not have much to do with what I was writing
    about, as far as I know.

    --
    Luigi ( un italiano che vive in Svezia)
    http://www.scaiecat-spa-gigi.com/de/schuhe-uebergrossen.html
    Luigi Donatello Asero, Dec 31, 2004
    #3
  4. "Richard Cornford" <> skrev i meddelandet
    news:cr2cds$jfv$1$...
    > Luigi Donatello Asero wrote:
    > <snip>
    > > I tried to insert the QuickSSL Premium Smart
    > > Icon seal

    > <snip>
    > > On the other hand, the icon is good to show that
    > > the site has been secured. ...

    >
    > I am always amused by the e-mail that I receive that states clearly at
    > the bottom that the contents and attachments have been scanned by some
    > anti-virus program and are certified virus free, I don't believe a word
    > of it.
    >
    > Richard.


    I am talking about server certificate and https protocols..

    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/boendeiitalien.html
    Luigi Donatello Asero, Dec 31, 2004
    #4
  5. Luigi Donatello Asero wrote:
    >> Luigi Donatello Asero wrote:

    <snip>
    >>> On the other hand, the icon is good to show that
    >>> the site has been secured. ...

    <snip>
    > I am talking about server certificate and https
    > protocols..


    You appear to be talking about an "icon" that "shows the site has been
    secured".

    Richard.
    Richard Cornford, Dec 31, 2004
    #5
  6. On Fri, 31 Dec 2004 02:18:34 GMT, Luigi Donatello Asero
    <> wrote:

    [snip]

    > I am talking about server certificate and https protocols..


    Actually, you're talking about invalid mark-up. :p

    As far as I can see, there's no reason whatsoever for you to use that
    script. To be honest, you shouldn't when one considers just how badly
    written it is. It boils down to including:

    <a href="https://smarticon.geotrust.com/smarticonprofile?
    Referer=[current page host name]"><img alt="Secured by GeoTrust"
    src="https://smarticon.geotrust.com/smarticon?
    ref=[current page host name]"></a>

    in your document, although the mark-up above has better alternative text
    for the image. The rest of it is completely useless context menu-blocking
    code which won't work reliably anyway. The text, [current page host name],
    should be replaced by the domain, and the protocol (https I'd assume),
    from which you'd serve the document.

    Before you go ahead and ignore the script, I'd make sure that you're able
    to do it under their license terms[1]. If not, tell them that the code
    they've produced is utter crap. You might also want to remind them that
    Javascript is optional and that relying on it is a mistake.

    If you really do have to use it, remove the language attribute from the
    opening SCRIPT tag, and preferably put the SCRIPT element within a
    block-level element so that the document tree remains valid after the
    script has executed. I also assume that you need to correct the URL in the
    src attribute to <URL:http://smarticon.geotrust.com/si.js>.

    Good luck,
    Mike


    [1] They don't seem to publish the terms, which is why I didn't have a
    look.

    --
    Michael Winter
    Replace ".invalid" with ".uk" to reply by e-mail.
    Michael Winter, Dec 31, 2004
    #6
  7. Luigi Donatello Asero wrote:

    > http://www.geotrust.com/quickssl_premium/install_seal.htm
    > suggests to use a Java script.
    > Using a Java script ...


    It is not a Java script. It is JavaScript.

    Or, if you prefer, a JavaScript script. Java, an entirely different
    language, has scripts as well.

    Now, on to your question. I do not see anything in the script at
    http://smarticon.geotrust.com/si.js
    that would make your web site any more secure than mine. Why don't you
    just steal the icon from their page and put it on yours? The whole
    thing reads like a scam.

    "This GIF is a sample snapshot of the QuickSSL Premium site seal. The
    actual site will *disable right click and save features* and will
    display a live date / time stamp much like the True Site displayed on
    the bottom of this page" [asterisks mine. Harhar!]

    Oh, and it won't run in my browser ...

    --
    -bts
    -This space intentionally left blank.
    Beauregard T. Shagnasty, Dec 31, 2004
    #7
  8. "Beauregard T. Shagnasty" <> skrev i meddelandet
    news:...
    > Luigi Donatello Asero wrote:
    >
    > > http://www.geotrust.com/quickssl_premium/install_seal.htm
    > > suggests to use a Java script.
    > > Using a Java script ...

    >
    > It is not a Java script. It is JavaScript.
    >
    > Or, if you prefer, a JavaScript script. Java, an entirely different
    > language, has scripts as well.



    I know that.
    I just forgot that I had to write it in one word.

    > Now, on to your question. I do not see anything in the script at
    > http://smarticon.geotrust.com/si.js
    > that would make your web site any more secure than mine. Why don't you
    > just steal the icon from their page and put it on yours? The whole
    > thing reads like a scam.



    As far as I understand, the script itself does not make the page more sure
    than any other.
    It only informs that the page has been secured.
    Steve Pugh, I think was writing some weeks ago about https protocol and the
    like

    > "This GIF is a sample snapshot of the QuickSSL Premium site seal. The
    > actual site will *disable right click and save features* and will
    > display a live date / time stamp much like the True Site displayed on
    > the bottom of this page" [asterisks mine. Harhar!]
    >
    > Oh, and it won't run in my browser ...




    What do you mean?


    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/boendeiitalien.html
    Luigi Donatello Asero, Dec 31, 2004
    #8
  9. "Richard Cornford" <> skrev i meddelandet
    news:cr2ds8$gqo$1$...
    > Luigi Donatello Asero wrote:
    > >> Luigi Donatello Asero wrote:

    > <snip>
    > >>> On the other hand, the icon is good to show that
    > >>> the site has been secured. ...

    > <snip>
    > > I am talking about server certificate and https
    > > protocols..

    >
    > You appear to be talking about an "icon" that "shows the site has been
    > secured".


    Yes. How does it have to do with antivirus?


    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/boendeiitalien.html
    Luigi Donatello Asero, Dec 31, 2004
    #9
  10. Luigi Donatello Asero wrote:
    > "Beauregard T. Shagnasty" <> skrev i
    > meddelandet news:...


    >> Oh, and it won't run in my browser ...

    >
    > What do you mean?


    JavaScript is disabled.

    --
    -bts
    -This space intentionally left blank.
    Beauregard T. Shagnasty, Dec 31, 2004
    #10
  11. "Michael Winter" <> skrev i meddelandet
    news:eek:psjup74hnx13kvk@atlantis...
    > On Fri, 31 Dec 2004 02:18:34 GMT, Luigi Donatello Asero
    > <> wrote:
    >
    > [snip]
    >
    > > I am talking about server certificate and https protocols..

    >
    > Actually, you're talking about invalid mark-up. :p



    I was talking about that too. However, it now validates as html
    transitional.
    I would rather use php script or some other script which is executed on the
    server and not on the client but I do not know whether I may set the icon
    that way.
    Now, to be honest, I still do not understand why you are against server
    certificates.
    Was Steve not for them anyway? Aren´t there many banks which use secure
    connections and https protocols?

    Now Verisign is one of the companies which offers these certificates but
    their prices are more expensive, so that´s why I took the one from Geotrust
    then. But I did not order it myself, my webhost did it for me and installed
    it. So, do you mean now that my webhost did not install it correctly or is
    it just the icon which does not work?


    > As far as I can see, there's no reason whatsoever for you to use that
    > script. To be honest, you shouldn't when one considers just how badly
    > written it is. It boils down to including:
    >
    > <a href="https://smarticon.geotrust.com/smarticonprofile?
    > Referer=[current page host name]"><img alt="Secured by GeoTrust"
    > src="https://smarticon.geotrust.com/smarticon?
    > ref=[current page host name]"></a>
    >
    > in your document, although the mark-up above has better alternative text
    > for the image. The rest of it is completely useless context menu-blocking
    > code which won't work reliably anyway. The text, [current page host name],
    > should be replaced by the domain, and the protocol (https I'd assume),
    > from which you'd serve the document.



    Do you mean https://www.scaiecat-spa-gigi.com should be written instead for

    > Before you go ahead and ignore the script, I'd make sure that you're able
    > to do it under their license terms[1]. If not, tell them that the code
    > they've produced is utter crap. You might also want to remind them that
    > Javascript is optional and that relying on it is a mistake.



    Actually, I have already written to them because I do not like Javascript.
    I prefer script which are executed at the server such as php.
    But I did not realize that the javascript that they wrote was so bad.


    > If you really do have to use it, remove the language attribute from the
    > opening SCRIPT tag, and preferably put the SCRIPT element within a
    > block-level element so that the document tree remains valid after the
    > script has executed. I also assume that you need to correct the URL in the
    > src attribute to <URL:http://smarticon.geotrust.com/si.js>.
    >
    > Good luck,
    > Mike
    >
    >
    > [1] They don't seem to publish the terms, which is why I didn't have a
    > look.


    Can you find something there
    http://www.geotrusteurope.com/corporate/legal/pdfs/quickssl_premium_SA.pdf ?


    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/boendeiitalien.html
    Luigi Donatello Asero, Dec 31, 2004
    #11
  12. "Beauregard T. Shagnasty" <> skrev i meddelandet
    news:...
    > Luigi Donatello Asero wrote:
    > > "Beauregard T. Shagnasty" <> skrev i
    > > meddelandet news:...

    >
    > >> Oh, and it won't run in my browser ...

    > >
    > > What do you mean?

    >
    > JavaScript is disabled.



    You are right about that.
    On the other hand, you can go on and click on the links anyway.
    You just do not see any icon.
    What about the fact that the website is secured.
    Do you have any reason to believe that it is not?
    What do you see on the bottom right corner of the browser?
    Does it show that the page is secured or not?

    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/boendeiitalien.html
    Luigi Donatello Asero, Dec 31, 2004
    #12
  13. Luigi Donatello Asero wrote:
    > "Beauregard T. Shagnasty" <> skrev i
    > meddelandet news:...
    >
    >> Luigi Donatello Asero wrote:
    >>
    >>> "Beauregard T. Shagnasty" <> skrev i
    >>> meddelandet news:...

    >>
    >>>> Oh, and it won't run in my browser ...
    >>>
    >>> What do you mean?

    >>
    >> JavaScript is disabled.

    >
    > You are right about that.
    > On the other hand, you can go on and click on the links anyway.
    > You just do not see any icon.


    Nor does that script execute.

    > What about the fact that the website is secured.
    > Do you have any reason to believe that it is not?
    > What do you see on the bottom right corner of the browser?
    > Does it show that the page is secured or not?


    Seeing as how it is https, my browser shows a 'padlock'. So what does
    this mean to the average visitor? It means that the download is slower
    due to the encryption. On a normal page, it is useless. On a page
    where you are taking info - a form, a credit card - it means that
    their credit card numbers may not be able to be intercepted as easily.

    So, why don't you just use it (https) on a page where you take a
    credit card number? IMO, there isn't any other real reason to do it.

    --
    -bts
    -This space intentionally left blank.
    Beauregard T. Shagnasty, Dec 31, 2004
    #13
  14. "Beauregard T. Shagnasty" <> skrev i meddelandet
    news:...
    > Luigi Donatello Asero wrote:
    > > "Beauregard T. Shagnasty" <> skrev i
    > > meddelandet news:...
    > >
    > >> Luigi Donatello Asero wrote:
    > >>
    > >>> "Beauregard T. Shagnasty" <> skrev i
    > >>> meddelandet news:...
    > >>
    > >>>> Oh, and it won't run in my browser ...
    > >>>
    > >>> What do you mean?
    > >>
    > >> JavaScript is disabled.

    > >
    > > You are right about that.
    > > On the other hand, you can go on and click on the links anyway.
    > > You just do not see any icon.

    >
    > Nor does that script execute.
    >
    > > What about the fact that the website is secured.
    > > Do you have any reason to believe that it is not?
    > > What do you see on the bottom right corner of the browser?
    > > Does it show that the page is secured or not?

    >
    > Seeing as how it is https, my browser shows a 'padlock'. So what does
    > this mean to the average visitor? It means that the download is slower
    > due to the encryption. On a normal page, it is useless. On a page
    > where you are taking info - a form, a credit card - it means that
    > their credit card numbers may not be able to be intercepted as easily.
    >
    > So, why don't you just use it (https) on a page where you take a
    > credit card number? IMO, there isn't any other real reason to do it.



    There are many reason to do it.
    Please visit http://www.ebusinesslex.net
    Just to mention a few things:
    1) it is important the the user can send data through the encryption so that
    confidential data cannot be intercepted as easily
    2) it is also important that the user can identify who offers a product or a
    service. A https protocoll says that the site
    https://www.scaiecat-spa-gigi.com is really this and not some other.
    This is important for all the pages.
    Most pages are available also as on http://www.scaiecat-spa-gigi.com
    Under the circumstances the user can choose to navigate the unsecure version
    if he or she prefers to do so.
    Some pages, however are going to be available only as https, for example
    forms.
    As to credit card numbers should create a connection from a form where the
    user would fill the number of his or her card to a database?
    The user should wait for my answer anyway, that means, that I open the data
    base, take the number and so on.
    In other cases however it could be automatised. For example the user could
    fill in a form with the number of his card and get a password from the data
    base. Afterwards he could use the password to download e-books or may-be to
    have access to some information sites.
    What do you think?
    Last but not least, is it necessary to get a special permission from Visa to
    get the money by credit cards?

    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/boendeiitalien.html
    Luigi Donatello Asero, Dec 31, 2004
    #14
  15. Luigi Donatello Asero

    rf Guest

    Beauregard T. Shagnasty" <> wrote

    > So, why don't you just use it (https) on a page where you take a
    > credit card number? IMO, there isn't any other real reason to do it.


    Paranoia?

    --
    Cheers
    Richard.
    rf, Dec 31, 2004
    #15
  16. "rf" <rf@.invalid> skrev i meddelandet
    news:885Bd.96791$...
    > Beauregard T. Shagnasty" <> wrote
    >
    > > So, why don't you just use it (https) on a page where you take a
    > > credit card number? IMO, there isn't any other real reason to do it.

    >
    > Paranoia?


    Another opinion than yours?

    --
    Luigi ( un italiano che vive in Svezia)
    https://www.scaiecat-spa-gigi.com/sv/skor.html
    Luigi Donatello Asero, Dec 31, 2004
    #16
  17. "Luigi Donatello Asero" <> wrote:

    > "Beauregard T. Shagnasty" wrote:
    > >
    > > On a normal page, it [https] is useless.

    >
    > Just to mention a few things:
    > 1) it is important the the user can send data through the encryption so that
    > confidential data cannot be intercepted as easily


    If the data being sent actually _is_ confidential, then sure.

    > 2) it is also important that the user can identify who offers a product or a
    > service. A https protocoll says that the site
    > https://www.scaiecat-spa-gigi.com is really this and not some other.
    > This is important for all the pages.


    If this is of such pressing importance, why is that so few sites that
    live and breathe by the trust their customers have in them bother to use
    https for the entire site? Example: my employer (you've heard of them)
    is fanatical about securing customer data, and about security in
    general. But for just looking around the site, doing searches, adding
    items to a cart, etc., plain ol' http is used. It's important to secure
    against risk, but it's also important to objectively identify where the
    risk is.

    > The user should wait for my answer anyway, that means, that I open the data
    > base, take the number and so on.


    How secure _is_ that database, by the way? Does it have any sort of
    password protection? How secure is the password and how often is it
    changed?

    Are the credit card numbers highly encrypted *in* the database? No? Then
    couldn't some enterprising young thief simple extract the plain-text
    credit card number from the database and start charging? (Answer: yes.)
    If you have to bring the credit card number up on your screen in
    plain-text, what is to stop some enterprising young thief from
    screen-scraping it? (Answer: precious little.)

    It seems to me that if you're really concerned about security and
    safe-guarding your customers' valuable data, it's issues like those that
    you ought to be worrying about, not about someone somehow corrupting
    your sales information pages. That is a miniscule threat. Extracting
    plain-text credit card numbers from any sort of data store is a real and
    present threat.

    > Last but not least, is it necessary to get a special permission from Visa to
    > get the money by credit cards?


    Yes, you need an account with them. Also, be aware that credit card
    companies charge their clients (that'd be you) a small surcharge:
    usually several percent of the amount charged will go to the credit card
    company and not to yourself.

    --
    Joel.
    Joel Shepherd, Dec 31, 2004
    #17
  18. Luigi Donatello Asero

    Oli Filth Guest

    Luigi Donatello Asero wrote:
    > "rf" <rf@.invalid> skrev i meddelandet
    > news:885Bd.96791$...
    >
    >>Beauregard T. Shagnasty" <> wrote
    >>
    >>
    >>>So, why don't you just use it (https) on a page where you take a
    >>>credit card number? IMO, there isn't any other real reason to do it.

    >>
    >>Paranoia?

    >
    >
    > Another opinion than yours?
    >


    I think this was discussed in a thread a few weeks ago. It really is
    paranoid to worry about the security of the information used for general
    browsing and conclude that you need to use HTTPS for every page. There
    are for more likely targets for hackers when it comes to your website's
    security, like your database, or even your server itself. No amount of
    HTTPS will prevent this.

    A challenge: Try and find an established e-commerce site that uses HTTPS
    for all its pages. Doing this might help convince you that the "HTTPS
    everywhere" approach really is "paranoia".

    Oli
    Oli Filth, Dec 31, 2004
    #18
  19. On Fri, 31 Dec 2004 03:48:31 GMT, Luigi Donatello Asero
    <> wrote:

    > "Richard Cornford" <> skrev i meddelandet
    > news:cr2ds8$gqo$1$...
    >
    >> You appear to be talking about an "icon" that "shows the site has been
    >> secured".

    >
    > Yes. How does it have to do with antivirus?


    Richard was making a comparison.

    Think about the massive worldwide virus outbreaks that were spread by
    e-mail. You can be certain that many of the individuals and organisations
    that were infected scan incoming mail. Similarly, some of those that
    (unintentionally) helped spread the infection also scanned outgoing mail.

    The moral here is just because someone (or something) says "this is fine"
    doesn't automatically make it so. Anyone could forge the seal image and
    put it on their site; it doesn't mean anything. Only the certificate
    itself matters.

    Mike

    --
    Michael Winter
    Replace ".invalid" with ".uk" to reply by e-mail.
    Michael Winter, Dec 31, 2004
    #19
  20. On Fri, 31 Dec 2004 04:03:27 GMT, Luigi Donatello Asero
    <> wrote:

    > However, it now validates as html transitional.


    As I said at the end of my previous post, removing the language attribute
    would allow the element to validate under a Strict DTD. Don't go to
    Transitional just to accomodate them (especially as it's not necessary).

    [snip]

    > Now, to be honest, I still do not understand why you are against server
    > certificates.
    > Was Steve not for them anyway? Aren´t there many banks which use secure
    > connections and https protocols?
    >
    > Now Verisign is one of the companies which offers these certificates but
    > their prices are more expensive, so that´s why I took the one from
    > Geotrust then. But I did not order it myself, my webhost did it for me
    > and installed it. So, do you mean now that my webhost did not install it
    > correctly or is it just the icon which does not work?


    None of these comments have anything to do with me. I only discussed the
    script. Make sure you direct your replies to the right people.

    [MW:]
    >> The text, [current page host name], should be replaced by the domain,
    >> and the protocol [...].

    >
    > Do you mean https://www.scaiecat-spa-gigi.com should be written instead
    > [...]


    Yes.

    [Licensing terms]

    > Can you find something there
    > http://www.geotrusteurope.com/corporate/legal/pdfs/quickssl_premium_SA.pdf
    > ?


    There doesn't seem to be anything in that document, nor a similar one in
    their legal section, that refers to the seal at all so there can't be any
    terms attached to its inclusion. As far as I can see, the seal's only
    purpose is to allow visitors easy (and simplified) access to the
    certificate information.

    Mike

    --
    Michael Winter
    Replace ".invalid" with ".uk" to reply by e-mail.
    Michael Winter, Dec 31, 2004
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. tom watson

    icons for valid css and html

    tom watson, Sep 16, 2003, in forum: HTML
    Replies:
    13
    Views:
    5,915
    Jukka K. Korpela
    Sep 17, 2003
  2. Sally Thompson
    Replies:
    10
    Views:
    6,189
    Sally Thompson
    Jun 26, 2004
  3. Luigi Donatello Asero
    Replies:
    18
    Views:
    719
    Luigi Donatello Asero
    Jan 5, 2005
  4. Richie Williams
    Replies:
    5
    Views:
    1,485
    Richie Williams
    Oct 25, 2007
  5. michael solis

    Java-Script, Icons not showing when loaded

    michael solis, Jul 8, 2004, in forum: Javascript
    Replies:
    2
    Views:
    84
    Grant Wagner
    Jul 8, 2004
Loading...

Share This Page