SSL Chrome Warning


(Gavin Dudeney) #1

Folks,

Just recently some visitors to my site using Chrome have been getting the insecure warning “attackers may be trying to…”, etc. etc. I know the certificate is valid - Chrome knows it is too, if you go deep enough. It shows up as secure in Safari, etc., but the warnings are beginning to cause me problems. Does anyone have any inkling as to why this might be happening:

Many thanks in advance.

Gavin


(Dave Farrants) #2

You have several (I found 2, there may be more) http tags in your code.


(Gavin Dudeney) #4

It’s not set to run out until 2020, and was only bought just over a year ago


(Gavin Dudeney) #5

Thanks Dave - why does Safari report it as secure, as do some versions of Chrome, etc?


(Dave Farrants) #6

Can’t answer that one - sorry!

Change all instances of http in your code to https and see what happens.


(scott williams) #7

tool to help: whynopadlock.com


(Gavin Dudeney) #8

Thanks - sadly this won’t diagnose my problem properly since I do have a padlock in most browsers, just not in some versions of Chrome. It’s not a cut and dry issue, as far as I can tell.


(Thorsten Beck) #9

Did you try to get rid of the cache files in the browsers when testing?
It also causes some problems and is frustrating.


(Doug Bennett) #10

Totally different browsers, Chrome is “leading the way” on forcing HTTPS, so they tend to be the most strict. Safari will probably flag you in the next couple releases.


(Gavin Dudeney) #11

I did, thanks - this is not just an issue for me, it’s an issue for some of my users too.


(Gavin Dudeney) #12

Teefers - I’m probably not explaining myself very well - it’s sporadic, for some of my users, sometimes, in Chrome… I do appreciate that Chrome and Safari are different, but the issue I’m having is hard to pin down. Some people experience it, others don’t.


(Doug Bennett) #13

If you have “mixed content” at all then some versions of a browser might flag you as being insecure.
The why no padlock link above is a good starting point.
The basic three steps to go to HTTPS are:

  1. Obtain and install the certificate
  2. Fix or remove all mixed (non secure) content
  3. Redirect the pages to HTTPS

Active mixed content (CSS, JavaScript, fonts), basically anything that changes the page, has to be fixed, or not only can it get you a “not secure” warning, it won’t work. It breaks the page(s).
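
The "fix or remove all mixed content" step above, as an added example that is not part of the thread: a small Python scanner that lists `http://` subresources in a page and labels them active or passive. The active/passive table, the sample page and its hosts are assumptions made for the illustration; external CSS files are not fetched, only inline `<style>` blocks are checked for web fonts.

```python
import re
from html.parser import HTMLParser
# Assumed split, following the post: what can change the page is "active", plain media is "passive".
KIND = {("script", "src"): "active", ("iframe", "src"): "active",
        ("img", "src"): "passive", ("audio", "src"): "passive", ("video", "src"): "passive"}
FONT_FACE = re.compile(r"@font-face\s*\{[^}]*\}", re.I)
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False  # finding = (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        self.in_style = tag == "style"
        for attr, url in attrs.items():
            if not url.lower().startswith("http://"):
                continue
            kind = KIND.get((tag, attr))  # None for <a href>: navigation, not a subresource
            if tag == "link" and attr == "href" and "stylesheet" in attrs.get("rel", "").lower():
                kind = "active"  # other rel values (canonical, alternate) load nothing
            if kind:
                self.findings.append((self.getpos()[0], kind, tag, url))

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # inline CSS: web fonts fetched through @font-face url(...)
            for block in FONT_FACE.findall(data):
                for url in CSS_URL.findall(block):
                    self.findings.append((self.getpos()[0], "active", "style", url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
# Constructed sample page (all hosts are placeholders)
SAMPLE = """<!doctype html>
<html><head><link rel="stylesheet" href="http://cdn.example.com/site.css">
<style>@font-face { src: url("http://fonts.example.com/x.woff2"); }</style>
<script src="https://cdn.example.com/app.js"></script></head>
<body><a href="http://example.org/">link</a><img src="http://img.example.com/logo.png">
<script src="http://stats.example.com/t.js"></script></body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```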

(Gavin Dudeney) #14

Teefers - thanks for sticking with this. This is a relatively recent thing - last four or five weeks. Before that, and for a year, the site was displaying fine.


(Gavin Dudeney) #15

That report is from five minutes ago


(Gavin Dudeney) #16

And this is from now, from: https://sslanalyzer.comodoca.com/


(Thorsten Beck) #17

Hi,

It seems like it’s not a problem with your website, as the tools are showing that everything is fine.
I guess it is a problem with the browsers your visitors use. Hard to fix.
Tried your website with the mobile version of Google Chrome and everything was fine.
By the way, nice website.


(Gavin Dudeney) #18

Thanks Sharky - I’m happy with it for the moment, but this issue is causing a few people to be put off due to the Chrome warning of ‘attackers’. I’d love to find a solution to this, but I’ve been looking for about four weeks now, with no luck.


(Paul Dennison) #19

I visited the site on Chrome and got the warning to stay away. Once on your site, the insecure warning was shown, saying the site’s cert is not valid, but upon clicking the further details Chrome says it is valid. A bit confusing.

Did a bit of digging and came across this article, which would suggest that your certificate provider is the problem.

Don’t know who your hosting provider is but think you need to get a new or replacement certificate asap.


(Anonymous Coward) #20

@dudeneyge Your site is using a Symantec-issued SSL certificate. Google distrusted Symantec-issued certificates effective with Chrome 70. If you look in the Chrome page inspector, Google provides a link to the explaining blog post with the reported certificate error.

Long story short: Symantec wasn’t performing due diligence when issuing certificates. Google announced the Symantec deprecation in 2017. As a result, Symantec sold their business to DigiCert.

If you want your cert to work in Chrome, and you should, because it’s the world’s most popular browser, you need a certificate issued by a valid certificate authority. That shouldn’t be a problem. LetsEncrypt has made SSL free.


(Gavin Dudeney) #21

Anonymous - well spotted and diagnosed. I’ve replaced the certificate so am hoping that will have solved the problem. Thank you to everyone who contributed to this discussion - I’m really grateful.