SSL lock sometimes isn't displayed

Discussion in 'HTML' started by ilan, Feb 27, 2007.

  1. ilan

    ilan Guest

    Hi All,

    I have just opened an ecommerce website, and have purchased an SSL
    certificate, so all traffic on the site should be secure. The website
    address is: www.ilandesign.com.au.

    I don't get any warning messages, error messages, or prompts that the
    website may not be trusted, but sometimes when I open the page, the
    padlock doesn't display. It might only be for a short time whilst I
    navigate across a few pages, and then seemingly randomly, the lock
    will appear.

    Once the lock appears, as long as I don't navigate away from the page,
    it stays there. If I go to another website and then return, the same
    problem occurs, where for a short while the lock doesn't display.

    This wouldn't be such a big problem as I know that all transactions
    and information transmitted is secure, and there are no warnings or
    error messages to suggest otherwise, although I did a test and I was
    able to complete an entire transaction without the lock displaying.
    and entering credit card details (I used an invalid card number), the
    lock never showed. I am quite concerned about this - not so much from
    a security point of view, but because people may not believe the site
    is secure unless they see the lock.

    Any help would be greatly appreciated.

    Thanks,

    Ilan
     
    ilan, Feb 27, 2007
    #1
    1. Advertisements

  2. If I go to http://www.ilandesign.com.au, I don't expect a lock because I
    didn't *ask* for secure communication by using https. And if I click a
    link with a URL that has http instead of https, such as any of the links
    on your home page (which have http because the HREFs are relative, and
    you have a BASE tag with a URL that has http instead of https), I don't
    expect the next page to be secure either because, again, a secure page
    wasn't requested.

    For secure communications, pages have to be requested with https. If you
    want to accept incoming traffic that uses http (and you should) then you
    need to redirect to the user to the corresponding https address to have
    the security kick in.

    You also have to configure the site to *accept* requests for secure
    communications, ordinarily via port 443.
     
    Harlan Messinger, Feb 27, 2007
    #2
    1. Advertisements

  3. ilan

    ilan Guest

    Wow.

    That makes so much sense. I will look into redirecting users to the
    secure page.

    The only problem that I can see is that whilst it would be possible to
    have a redirection page, I don't see how I can distinguish between
    those people who entered http:// and those that entered https:// So
    essentially, I would be redirecting some people (https) to a page that
    they typed in anyway. Is there a way to solve this problem?

    As well, I am using a CMS, so I define a homepage, and that is what
    everyone sees, regardless of whether they type https or http. I think
    the only way I could do this is by having the code of the webpage
    evaluate the URL and decide based on that. Is this possible?

    Thanks,

    Ilan
     
    ilan, Mar 1, 2007
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.