Alpha Video Training
Page 1 of 2 12 LastLast
Results 1 to 30 of 33

Thread: HTTPS issues

  1. #1
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default HTTPS issues

    My website has recently developed some issues with it's security setup.

    I am consistently getting security errors on several pages of my Alpha Server. However, when the pages do load, the security appears fine. It gives a solid lock.

    If I check the server rating I get an A.

    It acts as if sometimes it is simply not connecting properly with the servers in charge of checking the security in the first place.

    This is ONLY happening in Edge and Firefox. Chrome does not seem to be having an issue.

    During the summer our website is not even busy, so it's not too much traffic.

    Anyone else experiencing issues with HTTPS recently?

  2. #2
    "Certified" Alphaholic CharlesParker's Avatar
    Real Name
    Charles Parker
    Join Date
    Dec 2012
    Location
    New Orleans, LA
    Posts
    2,115

    Default Re: HTTPS issues

    I would look into the issuer of the cert as a source of unreliability, who is the issuer of the cert? are you getting a specific error?
    NWCOPRO: Nuisance Wildlife Control Software My Application: http://www.nwcopro.com "Without forgetting, we would have no memory at all...now what was I saying?"

  3. #3
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    The site is hosted on ZebraHost. They setup the certificate and they have tested it for me today. The certificate is from RapidSSL RSA CA 2018.

    If you want to take a look yourself, it is easytrack.us

    Like I've said it doesn't ALWAYS give an error, but it's happening often enough to be concerning.

  4. #4
    Member
    Real Name
    Sean OKelly
    Join Date
    Sep 2015
    Location
    Charleston, WV
    Posts
    216

    Default Re: HTTPS issues

    I was able to duplicate your error. What I think is happening is that when the URL is being called, it is sometimes calling a resource which is unsecured (such as an api or library call). You could always reissue the cert and hopefully remove that as a potential cause, then start analyzing your external calls. Sometimes you can have a local resource be called if an external resource isn't available, and sometimes the local resource url isn't fully qualified. Just a thought.

  5. #5
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    I thought of that, but ….

    If it was calling any unsecured resources, wouldn't that show up in the JavaScript console? I've looked and not seen anything like that.

    This is a site that has been up for about 8 years btw. This is an issue that has only recently been reported.

    I am not on the latest version of Alpha, but my version is not very old either.

  6. #6
    Member
    Real Name
    Joe
    Join Date
    Mar 2009
    Location
    NY
    Posts
    505

    Default Re: HTTPS issues

    I believe RapidSSL is owned by DigiCert now. I know they had some Root certificate updates. Is your cert using the right chain? Maybe it is hitting an old root cert. We had an issue with Citrix Receiver that they issued a patch for the root certs.
    Never take a ride to the edge of your mind unless you've got a ticket back - Jon Oliva - Savatage.

  7. #7
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    I will ask ZebraHost to do a complete reissue of the SSL and see if that fixes the issue.

    I'll let you know once that is completed.

  8. #8
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,682

    Default Re: HTTPS issues

    How do you duplicate the error? I loaded your login page and the new user page many times using Firefox 68.0.2 and never got a security error. I cannot test with Edge because I am on Windows Server 2016.

    Is your client up to date on all Windows updates? TLS negotiation is dependent on the client and server having matching ciphers, so a missing update on the client could also lead to this type of problem.

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation

  9. #9
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    It happens mostly (and frequently) in Edge. In Firefox it happens much less often and is actually much better since the reissue of the certificate. And yes, the client is up to date. And unfortunately, that doesn't matter, because the client for most of those pages is the general public.

    I will try the ciphers tonight, just to be safe and report back tomorrow.

  10. #10
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    So, I have reset the ciphers, reissued the certificate and still I am getting security errors on Edge.

    I am getting security errors even on pages that have almost nothing on them. (Like the login page.)

    And the errors are intermittent. I mean, if the site was truly insecure, shouldn't it report as insecure every time? But you can actually visit 3 or 4 pages sometimes before getting an error, then you can refresh and the error goes away.

    This site has been running fine for YEARS and it's only developed this issue about a month ago, maybe a little longer - the summer is really slow for us. I have not updated or changed the Alpha server in that time - though I have made plenty of site improvements.

    I am out of ideas here - Is no one else having this issue accessing their site with Edge?

  11. #11
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,018

    Default Re: HTTPS issues

    Your login page is trying to get a logo from a different web site:

    https://www.studentadventures.org/images/logo.png

  12. #12
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    That is true, thank you. I fixed that now. Still getting a security error. I would think that a bad link would show no image (which was happening) or show an error image, but it shouldn't cause the site to register as insecure.

    The Student Adventures .org site it was referencing is not having any security issues, and unfortunately, it has a spot which is referencing the same incorrect file. (Which I will get fixed next …)

    Is there any easy way to find all bad links on a page? I usually just look in the console, but it wasn't showing that link I think because it was a background image in a CSS file. How did YOU find it?

  13. #13
    "Certified" Alphaholic mikeallenbrown's Avatar
    Real Name
    Mike Brown
    Join Date
    Nov 2009
    Location
    United States
    Posts
    1,826

    Default Re: HTTPS issues

    I just tried your login page in both Chrome and Edge. I don't have any security problems in either. Where are you seeing these problems?
    Mike Brown - Contact Me
    Programmatic Technologies, LLC
    Programmatic-Technologies.com
    Independent Developer & Consultant

  14. #14
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,018

    Default Re: HTTPS issues

    Larry,
    In Edge, I turned on Developer Tools and went to the "Network" tab instead of the "Console" tab, before navigating to the web site.

    I think browsers are going to become more and more picky about security and loading resources from different domains, especially when both domains specify "https". It is a lot of work for the browser and server to negotiate what security algorithm they are going to use for TLS or SSL. In a page that loads resources from multiple "https" sites, I don't know what the browsers are going to start doing when the sites have differing levels of TLS and SSL support, you know, all that Cipher list stuff.

  15. #15
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,018

    Default Re: HTTPS issues

    Larry,
    You might also check what is going on with "index.a5w".

    It shows status code "302 / Found" in the "Network" tab in Dev Tools. I would expect it to not even show up in that tab, yet. Check the Alpha server, default page settings, maybe?

  16. #16
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    Index.a5w is a forwarding page. If you try to go to it, it will automatically take you to login.a5w.

    It uses Alpha's response.redirect command.

    In case that takes a moment, it will display "Redirecting you to our login page."

    It does nothing else.

  17. #17
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    I will check the TLS setting for the Student Adventures website. We link to that for several things, since it is the company's main website.

  18. #18
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    So now when I go to the site (in edge), I get this error:

    SEC7120: [CORS] The origin 'ms-appx-web://microsoft.microsoftedge' failed to allow a cross-origin font resource at 'ms-appx-web:///assets/Fonts/BrowserMDL.ttf#Browser MDL2 Assets'.

    If I get this error, it won't load securely.

    But if I simply refresh the screen, the error goes away and does not appear to return. However, if I close the browser and start again, the error comes back for the initial request, then goes away again on a refresh.

    I did some searches, but I don't see how anything I have found is supposed to help me resolve this. Anyone else encounter this issue? Any suggestions on how to resolve?

  19. #19
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    Note: If anyone knows an expert on Edge/web security that might be able to help me out here, please send them my way. Gotta get this fixed for good. Every time I fix one issue another pops up.

    Again, this is a site that has been working fine for YEARS. Just started having this issue in Edge. Firefox was an issue, but it seems to be better now.

  20. #20
    "Certified" Alphaholic mikeallenbrown's Avatar
    Real Name
    Mike Brown
    Join Date
    Nov 2009
    Location
    United States
    Posts
    1,826

    Default Re: HTTPS issues

    Is this the site in question: https://www.studentadventures.org

    If so when I navigate to it, in Edge, I don't see any issues. Where are you seeing a problem? In the console?
    Mike Brown - Contact Me
    Programmatic Technologies, LLC
    Programmatic-Technologies.com
    Independent Developer & Consultant

  21. #21
    "Certified" Alphaholic peteconway's Avatar
    Real Name
    Peter Conway
    Join Date
    Oct 2005
    Location
    Melbourne, Australia
    Posts
    2,603

    Default Re: HTTPS issues

    This may help.
    https://developer.microsoft.com/en-u...sues/20612115/
    Also check any fonts, CSSFonts or SVGFonts in the build are not sourced from a non secure site eg. http Vs https.
    Insanity: doing the same thing over and over again and expecting different results.
    Albert Einstein, (attributed)
    US (German-born) physicist (1879 - 1955)

  22. #22
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    Mike, that is not the site. the site is www.easytrack.us

  23. #23
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    Pete,

    I did see that article. But all of the solutions are talking about how to fix the browser. I think the problem is with the site - as I can navigate to other sites in Edge just fine.

    And I don't understand why it only says it's insecure sometimes - like it's having trouble accessing a font file. If the file it is accessing was insecure, it would ALWAYS be insecure, not every other refresh.

    But I will look (again) for any references to any files from insecure sites.

  24. #24
    "Certified" Alphaholic mikeallenbrown's Avatar
    Real Name
    Mike Brown
    Join Date
    Nov 2009
    Location
    United States
    Posts
    1,826

    Default Re: HTTPS issues

    From my google searches this seems like a Microsoft issue specifically with Edge that Microsoft hasn't/isn't handling well. I'm not sure there is anything you can really do about it.
    Mike Brown - Contact Me
    Programmatic Technologies, LLC
    Programmatic-Technologies.com
    Independent Developer & Consultant

  25. #25
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    Mike,

    There must be SOMETHING I can do about it. Not every site on the internet has this issue. So if it means I have to download some files locally or something I will do so.

    I just don't know WHICH files I need to keep local or where they are being referenced.

    Maybe I need to change a font so it doesn't need to go looking?

    I can write HTML and CSS, but I am hardly an expert at it ….

  26. #26
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    New Error popped up this morning. It said it can not load fonts for ErrorPageStyles.css

    What is that css file? I did a search of my c drive and it looks like it's actually a windows or edge file.

  27. #27
    "Certified" Alphaholic kkfin's Avatar
    Real Name
    Kenneth
    Join Date
    Dec 2006
    Location
    EU
    Posts
    1,535

    Default Re: HTTPS issues

    I see this error in many places when browsing site https://studentadventures.org in Edge console. I understand that it is not your site.

    Code:
     SEC7137: [Mixed-Content] The origin 'https://studentadventures.org' was loaded in a secure context and loaded an optionally blockable insecure image resource at 'http://studentadventures.org/wp-content/themes/sa/img/banner_default.png'.
    But you have for example this link in your own site
    HTML Code:
    https://studentadventures.org/contact-us/
    . The links loads unsecure
    HTML Code:
    http://studentadventures.org/wp-content/themes/sa/img/banner_default.png
    .


    Kenneth

  28. #28
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    I'll get that fixed, thank you!

  29. #29
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    Of course, the Student Adventures site loads fine in Edge despite this error ...

  30. #30
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,769

    Default Re: HTTPS issues

    Continuing Saga:

    I have fixed all the insecure links I have found so far. I then devised another test:

    I moved the entire site to another Alpha server. The other server was already secure, I just put it under a different directory and test it under the others server's secure URL.

    On that new URL and new server, it does not give a security error.

    So I reinstalled Alpha on the old server, wondering if there was a corruption problem. The reinstall did not fix it.

    So now I am wondering - does Edge not like ".US" sites? (The site is easytrack.us).

    Is there maybe an issue with the actual IP address of the new server? Like did it get put on a watchlist for some reason?

    The trouble is I just am not a security expert - so...

    I want to thank everyone for their help so far - looking for a consultant who IS a security expert for help. Willing to pay for the right person's time to get this fixed.

    And still open to suggestions as to what to try next.

Similar Threads

  1. Download https file
    By G Gabriel in forum Alpha Five Version 11 - Desktop Applications
    Replies: 4
    Last Post: 12-15-2017, 03:45 PM
  2. Forwarding http to https
    By Larry Gordon in forum Application Server Version 11 - Web/Browser Applications
    Replies: 0
    Last Post: 07-27-2016, 12:38 PM
  3. Using SSL and HTTPS protocol with iPhone
    By krhyll in forum Mobile & Browser Applications
    Replies: 0
    Last Post: 12-30-2014, 07:39 AM
  4. Alpha Calendar over https
    By Turnbullca in forum Application Server Version 10 - Web/Browser Applications
    Replies: 0
    Last Post: 07-20-2010, 07:31 AM
  5. https help
    By Ted Diepstraten in forum Alpha Five Version 6
    Replies: 3
    Last Post: 11-25-2004, 12:04 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •