I've recently done my first wordpress site that is using an SSL license. I've noticed it comes up as secure but with errors. In the details it says the following.
Your connection to www.kluemperinsurance.com is encrypted with
obsolete cryptography. However, this page includes other resources
which are not secure. These resources can be viewed by others while in
transit, and can be modified by an attacker to change the look of the
page.
The connection uses TLS 1.0.
The connection is encrypted using AES_256_CBC, with SHA1 for message
authentication and DHE_RSA as the key exchange mechanism.
I'm not familiar with any of this so I went to an SSL error checking site to find out what is causing the errors and every page comes up with this.
Pages with unsecure content: https://www.kluemperinsurance.com/ ?
http://ajax.googleapis.com/ajax/libs/webfont/1.4.7/webfont.js
http://feedburner.google.com/fb/a/mailverify
I've tried to figure out how to fix these two issues but I haven't had any luck so far. I'm not using a feedburner of any kind that I am aware of. No plugins being used either. For the webfont issue I followed the instructions from this link and it did not seem to help.
Am I at least on the right track here? What do you suggest I look for instead? Do you know how to fix it?
You have http links on a site which is being served as https. Change any links such as http://ajax.googleapis.com/ajax/libs/webfont/1.4.7/webfont.js to their secure version if available. Normally this will simply be changing http:// to https:// or // but you will need to check if your third party providers support secure urls, and if so what they are (some might use the hostname ssl instead of www for example).
Related
Good Day
I have a normal PHP page doing some functions I am trying to use GEOLOCATION from the pages to obtain the handset location.
I am getting error now stating **Error: Only secure origins are allowed (see: **
Is there a way I can change the PHP page to use HTTPS or do I require to buy a SSL Certificate for the site? I have never worked with HTTPS before and not sure how to direct the page to become HTTPS or how to alter the page for this.
What would be the best method for this.
Php has nothing to do with HTTPS.
Your server needs to provide SSL certificates that you can buy or find somewhere.
If you already have those you can then use php, or javascript or whatever to force the user to use HTTPS doing maybe a redirect or something similar.
I got the following error message in my Firebug console.
Password fields present on an insecure (http://) page. This is a
security risk that allows user login credentials ,to be stolen.
What is the reason for this error?
If this is regarding http and https, what do I have to do to convert http:// to https://?
I am working on my local machine and I can not install SSL here. I can not log to the system due to this error.
I change the password field to text filed, but the same thing is happening.
Please help me to solve this without installing SSL to work on my local machine.
First of all, this is not error. It's not even a warning. It's a notice.
Secondly, this in no way affect your forms, POSTs and logging.
Lastly, nothing even requires SSL and HTTPS for user logins. Even many e-commerce websites don't use SSL, because they don't need to. All you need to know that if you create account on non-SSL page, is that password must be stron and unique (you shouldn't use the same password anywhere else).
Note:
SSL actually is required when you process critical users' data like credit cards' numbers. You can usually observe it on some e-commerce shops, which don't use SSL at all, but when you go to any of payment methods, you always end up with SSL.
it's okay to have this error in development mode, but you should use https when you want to publish your website because login should be done through https because that prevent some hacker attacks like session hijacking.
I have a site running WordPress on Apache server and I am attempting to provide both HTTP and HTTPS connections via the same site. I want to allow connections over HTTP without forcing a redirect to HTTPS, unless the client is connecting initially via HTTPS then I want all subsequent HTTP requests to be forwarded to HTTPS to avoid issues with CORS and unsecured content warnings.
I am having some trouble turning up results on how to effectively do this with mod_rewrite alone. Most solutions I find try to force the connections to redirect to HTTPS regardless and will not allow an HTTP connection or vice versa. I have tried a few mod rewrite conditions including making use of the referer string but none seem to work thus far. I must be missing something because I feel that this is indeed possible but I and my search engines alone are stumped.
Maybe I'm just doing something wrong or is this kind of functionality beyond Mod_Rewrite?
I was thinking to use a PHP script but was worried it wouldn't work for some static files since WordPress doesn't handle those requests.
Update:
I have made a php script to detect the version. It sets a cookie which expires in 20 seconds from being set, this is read by Mod_Rewrite and if set it redirects the URLs to HTTPS. This works for most of the subsequent requests of an initial HTTPS request. A few URLs seem to be unaffected by it, not sure exactly why as the cookie hasn't expired by the time of these file requests and the particular rules are before the static file bypass rules in the htaccess file. At any rate that was easy enough to fix by setting the file urls to protocol-less versions.
Some third party sites need domains rewritten though, as they serve https from other domains. On that note I don't think this is actually possible without buffering the whole page and actually re-writing the URLs.
It is possible to detect the initial connection but this must be done using Server Side code, like a PHP script. Then using the detection can be done at Mod_Rewrite level.
Add in the WordPress constraint and things get complicated.
WordPress isn't built to facilitate one install with both protocols allowing access to content. So to accomplish this would require a custom plugin using the detection mentioned earlier, and instead of using Mod_Rewrite to direct requests on the server, we have to buffer WordPress output and logically replace/rewrite URLs in the page before they go to the user if and only if the initial connection for the page is in SSL.
There is only one plugin I have found which does something similar to this, however it doesn't do dynamic detection only gives admin/editors a checkbox option to make a page SSL secured. The plugin is called WordPress HTTPS
Dynamic detection and redirection isn't something SSL was meant for anyways, it's either on or off, and most pages need it that way.
I was originally trying to provide both so I could use a self-signed certificate without worrying that users would get the "warning unsecured connection" messages from their browsers by forcing them to use only SSL connections.
So I'll be purchasing a cert or making a custom plugin.
tkausl is right, you don't really need to do mod_rewrite. You should be able to format links without the protocol and it will automagically select for you.
You can see that google does this with their hosted libraries:
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
*Note the lack of http: or https: this will follow the protocol requested by the user.
I've been experimenting with OpenID, and have set up a sample web page to access using my OpenID account. I'm using the Php OpenID Library by Janrain and it wasn't working with my Google Account. A little research led me to this question, which suggests the problem is that Google uses https and...
... it's likely the setup for making HTTPS requests is borked on your PHP server. Check to make sure you have the ca-certificates package installed.
In the same thread, someone links to their hacked version of the library which I deployed and have used with my Google Account successfully. Other questions have other customizations to get around similar problems (Janrain’s PHP-OpenID and Google/Yahoo, php-openID doesn’t work with Yahoo!, Example usage of AX in PHP OpenID...)
I'm not too hot on security, so I ask; does anyone know of a reason to not use these hacked versions?
Does the original library have whatever shortcoming these hacks fix by design, and therefore the hack is a potential security vulnerability?
Is there a qualified crypto-ifier out there who has looked at any of these solutions and gone "By David Chaum's beard! NO!!"
If so - and I therefore shouldn't use any of these hacks - how would I check that I "have the ca-certificates package installed"?
Here's what the author of one of those "hacked" versions wrote:
In particular CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST are true by
default: I set them to false and it
worked for the test page!
The effect that has is to pretty much negate any security advantage offered by using HTTPS. The primary reason HTTPS is useful in OpenID is that it guards against a man-in-the-middle attack, i.e. some bad guy poisons your DNS cache to send all google.com requests to bad-guys.example. With properly configured HTTPS, you'd verify the certificate on the connection, find out it wasn't from Google, and say "I'm not going to believe anything you say, bad-guys!"
Unless, of course, you don't verify any certificates (you set all the SSL_VERIFY options to false), in which case your server will believe everything bad-guys says as if it were the real Google provider. You can imagine how that might be bad.
Now, frankly, this isn't the worst choice you could make, because it's no worse than just using HTTP, which a lot of people do anyway. You're just lying to your users if you imply that you're providing HTTPS-level security when you're not.
And there's a lot of information out there about how easy it is or isn't to do a dns-based attack, or how easy it is to forge SSL certificates. Either way, it does require someone to attack the connection between your server and Google, which is generally harder than attacking the connection between the user's laptop in the coffee shop and your server.
But still, much better to actually fix your PHP or CURL SSL configuration. Or if you don't, warn your users of that when they sign up with HTTPS identifiers, so they can choose if they really want to use that OpenID with your site.
Which leads to your second question. I think, not knowing anything about which server platform you're using, the best thing I can do is to link you to the Curl docs on SSL certificates; see the section that says "Get a better/different/newer CA cert bundle!"
From the Wikipedia article on Certificate Authority:
A CA issues digital certificates that contain a public key and the identity of the owner. When an end-user tries to access an unknown URL, the web browser (e.g. Mozilla Firefox and Microsoft Internet Explorer) will contact the CA to confirm the public key of the URL.
... so the CA Certificate is a Public Key Certificate used to communicate over https://. Your server should have CA Certificates on the file system somewhere. If not, you'll have to download the CA Certificate yourself and set the CURLOPT_CAINFO constant to point to its location. See this article.
http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
[...] does anyone know of a reason to not
use these hacked versions?
Besides the fact that they're hacked versions, which are most likely undocumented and have no guarantee as to their behavior?
I can't answer specifically, but it there should be some warning lights flashing when you work with modules that have had quick fixes and workarounds applied, especially when you're dealing with authorization and security.. I think the best advice would be "Use at own risk!"
I'm sure someone with more knowledge on the topic will arrive soon enough with a more informed answer.
I know the general definition but I need more details on how to implement them in general and PHP in specific, and what exactly are the features I gain from them?
SSL stands for "Secure Socket Layer", and it's a method of encrypted HTTP communication (among other things). It encrypts the traffic between a web browser and a server, making it possible to send secure data without fear of eavesdropping.
SSL is a web-server level technology, and has nothing to do with PHP. You can enable any web server with SSL, whether it has PHP on it or not, and you don't have to write any special PHP code in order to make your PHP pages show up over SSL.
There are many, many guides to be found on the internet about how to set up SSL for whatever webserver you might be using. It's a broad subject. You could start here for Apache.
some webservers are configured to mirror the whole site, so you can get every page over http or https, depending on what you prefer, or how the webbrowser sends them around. https is secure, but a bit slower and it puts more strain on your hardware.
so you might implement your site and shop as usual, but decide to put everything from the cart to the checkout, payment and so on under https. to accomplish this, all links to the shopping cart are absolute and prefixed with https:// instead of http://. now, if people click on the shopping cart icon, they're transfered to the secure version, and because all links from there on are relative again, they stay there.
but! they might replace the https with http manually, or go on the unencrypted version using a malicious link, etc.
in this case, you probably might want to check if your script was called over https (_SERVER["SERVER_PROTOCOL"], afaik), and deny the execution if not (good practice). or issue a redirect to the secure site.
on a side note: https is not using ssl exclusivley anymore, tls (the successor to ssl, see rfc2818) is more modern
rule of thumb: users should have the choice if they want http or https in noncritical environments, but forced to use https on the critical parts of your site (login/cart/payment/...) to prevent malicious attacks.