Moving to SSL

[Gabriel Torres]

Hi,

I am willing to move my webserver to SSL. The main problem I am facing is that the browser complains that there are external scripts that are not encrypted (tags from ad networks such as OpenX, Tribal Fusion, etcetera), and thus advertisement is blocked on our forum. Any tips on how to deal with that?

Thanks,

Gabriel.

[ASTRAPI]

This is a common error that occurs when some element on a secure web page (one that is loaded with https:// in the address bar) is not being loaded from a secure source. This usually occurs with images, frames, iframes, Flash, and JavaScripts. If you are having trouble finding what elements are loading from http instead of https go to:

https://www.whynopadlock.com/

 

Then you can try to change the http to https for those scripts/widgets if the advertisement companies have https or you may change connection links to // instead of https:

<img src="//www.domain.com/image.gif" alt="" />

 

[Makoto]

If your ad networks don't support loading scripts over HTTPS connections, no, there's generally nothing you can do. You should complain to your Ad Networks that they need to start offering SSL support if they don't already. There's really little to no excuse for them not to be.

If they do, obviously just update your scripts. Testing for support is generally easy enough, just try and load the included scripts over HTTPS connections and see if it works.

[Gabriel Torres]

Thanks @Kirito

The problem I have is that there is one particular network that doesn't support https and I am afraid I will have to hold my migration because of them, since their code/banner isn't loaded when SSL is activated.

[Rugger]

Then you can try to change the http to https for those scripts/widgets if the advertisement companies have https or you may change connection links to // instead of https:

<img src="//www.domain.com/image.gif" alt="" />

 

​Forgive my ignorance but I have never seen someone use a // before a link without the protocol, would it default to the protocol being used or prioritise one over another? Is there any documentation for the usage?

[TSP]

It works as http:// when the address bar contains http:// and works as https:// when the site is visited with SSL/https connection.

I'm not sure on documentation, and I'm on mobile now, but try to search for something like: relative http url ssl

[ASTRAPI]

http://tools.ietf.org/html/rfc3986#section-4.2

 

[Rugger]

That is a very interesting feature, @ASTRAPI I had read that document before but never noticed that section, or at least never realised the significance - thanks. 

[Makoto]

Obviously it's not magic and it will just break the link if you attempt to load the resource from a secured page and the remote server doesn't support HTTPS.

It's better to always explicitly use HTTPS if the remote server/CDN supports it regardless of if you website is actually using HTTPS connections or not.