SSL lock sometimes isn't displayed

[ilan]

Hi All,

I have just opened an ecommerce website, and have purchased an SSL
certificate, so all traffic on the site should be secure. The website
address is: www.ilandesign.com.au.

I don't get any warning messages, error messages, or prompts that the
website may not be trusted, but sometimes when I open the page, the
padlock doesn't display. It might only be for a short time whilst I
navigate across a few pages, and then seemingly randomly, the lock
will appear.

Once the lock appears, as long as I don't navigate away from the page,
it stays there. If I go to another website and then return, the same
problem occurs, where for a short while the lock doesn't display.

This wouldn't be such a big problem as I know that all transactions
and information transmitted is secure, and there are no warnings or
error messages to suggest otherwise, although I did a test and I was
able to complete an entire transaction without the lock displaying.

From selecting the product, checking out, entering personal details,

and entering credit card details (I used an invalid card number), the
lock never showed. I am quite concerned about this - not so much from
a security point of view, but because people may not believe the site
is secure unless they see the lock.

Any help would be greatly appreciated.

Thanks,

Ilan

 

[Harlan Messinger]

Hi All,

I have just opened an ecommerce website, and have purchased an SSL
certificate, so all traffic on the site should be secure. The website
address is: www.ilandesign.com.au.

I don't get any warning messages, error messages, or prompts that the
website may not be trusted, but sometimes when I open the page, the
padlock doesn't display. It might only be for a short time whilst I
navigate across a few pages, and then seemingly randomly, the lock
will appear.

If I go to http://www.ilandesign.com.au, I don't expect a lock because I
didn't *ask* for secure communication by using https. And if I click a
link with a URL that has http instead of https, such as any of the links
on your home page (which have http because the HREFs are relative, and
you have a BASE tag with a URL that has http instead of https), I don't
expect the next page to be secure either because, again, a secure page
wasn't requested.

For secure communications, pages have to be requested with https. If you
want to accept incoming traffic that uses http (and you should) then you
need to redirect to the user to the corresponding https address to have
the security kick in.

You also have to configure the site to *accept* requests for secure
communications, ordinarily via port 443.

 

[ilan]

Wow.

That makes so much sense. I will look into redirecting users to the
secure page.

The only problem that I can see is that whilst it would be possible to
have a redirection page, I don't see how I can distinguish between
those people who entered http:// and those that entered https:// So
essentially, I would be redirecting some people (https) to a page that
they typed in anyway. Is there a way to solve this problem?

As well, I am using a CMS, so I define a homepage, and that is what
everyone sees, regardless of whether they type https or http. I think
the only way I could do this is by having the code of the webpage
evaluate the URL and decide based on that. Is this possible?

Thanks,

Ilan