Opened 10 years ago

Closed 10 years ago

Last modified 6 years ago

#685 closed bug (fixed)

Big Problem with HTTP / HTTPS because of non-https content

Reported by: jeanyves
Owned by:
Priority: blocker
Milestone: Legacy Resolved
Component: ServerSetup
Keywords: HTTPS sysadmin Google security
Cc: philipp, guaka, tobixen, hkroger

Description

The BW web site is using both real HTTPS pages and HTTPS pages which are (if I understand well) in fact HTTP pages. The result with IE7 makes it unusable: each time a page which is not secured is displayed, IE7 prompts the user with a message (sorry, I only have it in French): "Cette Page contient des éléments sécurisés et non sécurisés voulez vous afficher les éléments non sécurisés ?" This means that IE7 detects that the BW pages are a mix of secured and not secured pages and prompts the user each time to ask him/her if he/she wants to continue.

There is a setting in IE to allow working with mixed content despite this warning, but really this is not something people will find very easily.

So I think this point is to be solved as an emergency (I don't know how) because this makes BW almost unusable with IE7.

If someone has an idea, please tell us.

Change History (12)

comment:1 Changed 10 years ago by micha

I confirm this problem. Tested with IE7 on Windows Vista.

comment:2 Changed 10 years ago by crumbking

I confirm this problem. Tested with IE7 on Windows XP. But just once. If I click yes, IE doesn't ask again. Just if I close the browser and start again: same problem.

comment:3 Changed 10 years ago by midsch

  • Keywords Google added; IE7 removed
  • Summary changed from Big Problem with IE7 with HTTP / HTTPS to Big Problem with HTTP / HTTPS because of non-https content

The reason for the error message is non-HTTPS content (here: from Google) included in a page with HTTPS content (BW). It's not browser-related; FF gives the same message as well (Preferences -> Security -> Settings for warning messages -> Activate "I'm about to view encrypted page which contains some unencrypted information."). (This only works if you don't block the Google script of course, just tricked myself ...) So I changed the ticket summary a bit.

comment:4 Changed 10 years ago by crumbking

Maybe this helps? No idea what this is all about ... just did a Google search:

http://groups.google.at/group/Google-Maps-API/browse_thread/thread/ee81cbe4086938c/fe7233ca2265fea1

comment:5 Changed 10 years ago by micha

@crumbking: seems like a nice solution. But I doubt that the Google scripts are the only problem. IE7 gives security warnings on EVERY page. And we don't include the Google scripts everywhere on our site. But I guess there are means to check which elements are accessed via HTTP, no? Does someone know?

comment:6 Changed 10 years ago by midsch

  • Keywords security added

HTTP elements from somewhere else (Google), just for the top menu links:

  • Home: The map with latest members, do we need it? It provides a Google logo nearly as big as the BW logo ...
  • myAccount: the map (completely useless, a link would be enough if you don't know where the place is)
  • FindMembers: tons of scripts, images ... I guess this is necessary for the search, at least as long as we don't provide a Google-free search (somehow I don't understand what Google is good for if I search for keywords ... at least quicksearch can do without.)
  • Trips: Google scripts
  • Blogs: looks clean at first look, but there is an HTTP link to Google scripts as well (JavaScript for the map links)
  • Forum: Google scripts again, no idea why.
  • Groups: clean
  • Gallery: clean
  • About: clean

In short: The browser warnings "everywhere" are correct. (And don't wait for IE8: exactly this behaviour is announced as a feature!) Before working around security features we should discuss if the stuff is really necessary.
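Added example, not part of the ticket or of the BW code base: comment:5 asks for a way to check which elements are accessed via HTTP, and the per-page list above can be produced with a static scan like this one. The host names, the page URL and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL is fetched while the page renders; <a href> is navigation only.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "embed": "src", "input": "src", "object": "data",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # URL that relative references resolve against
        self.findings = []     # (line, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"].strip())  # re-bases later URLs
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            attr = "href"
        url = attrs.get(attr) if attr else None
        # Relative and protocol-relative ("//host/x") URLs inherit the base scheme.
        absolute = urljoin(self.base, url.strip()) if url else ""
        if urlsplit(absolute).scheme == "http":
            self.findings.append((self.getpos()[0], tag, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # a page served over plain HTTP cannot have mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all host names are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/styles/main.css">
<script src="http://maps.example.com/maps?file=api"></script>
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://maps.example.com/logo.gif">
<a href="http://www.example.org/">plain link</a></body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content("https://www.example.org/forum/", SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

This checks the markup only: resources that a script injects at run time do not appear in the HTML and have to be observed in the browser.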

comment:7 Changed 10 years ago by jeanyves

Good summary Midsch,

Personally I like the Google map on home and on other members' pages (of course, if the Google logo could be smaller ...); maybe someone will find a way to avoid the warning which pops up as a consequence.

What I don't understand, and which can certainly be solved, is why there are Google scripts in the forum; maybe it is some geonames script?

comment:8 Changed 10 years ago by philipp

Forum: the search is currently just a Google custom search; it could and should be replaced if somebody volunteers.

General: we can maybe get rid of some of the Google scripts, but I would rather expect that we will use gmaps in more and more places (unless somebody feels like adding our own maps application, which is possible and not too difficult but not really high priority, and usually people have no experience in doing such things).

comment:9 Changed 10 years ago by crumbking

  • Priority changed from critical to blocker

This is really a pain! We have to remove the HTTPS on sites with no secure data. I wouldn't sign up for a site where I always get these errors.

Please guys forum, trips, blogs remove it!

comment:10 Changed 10 years ago by midsch

  • freq_reported changed from 1 to 3

I agree with Crumbking that this should be fixed soon, I wouldn't sign up or trust such a site either. But I'd prefer another way to fix it: don't remove HTTPS as it IS a security feature, remove the stuff that is killing it.

For search we may need Google (maps), but not for just showing pictures. They don't fit into the layout and waste space anyway. If we really have to do advertisement for a company - the Google brand is nearly as big as the BW logo! - then let's get money for it. Google doesn't pay as far as I know.

comment:11 Changed 10 years ago by philipp

  • Resolution set to fixed
  • Status changed from new to closed

For now we use HTTPS only for password submission during login. Todo > same for changing password, submit signup and address changes.

comment:12 Changed 6 years ago by TimLoal

  • Cc philipp guaka tobixen hkroger added; philipp guaka tobixen hkroger removed
  • Milestone changed from unassigned to Legacy Resolved