6

My web page sometimes (rarely) shows "there are some insecure resources" warning icon (yellow lock) like in the screenshot below. However that occurs rarely and now I caught another one I don't want to miss it again so I can't risk losing the page.

Insecure content warning

The page is at the URL: https://eksisozluk.com/sedat-kapanoglu-ve-40-kisiye-hapis-talep-edilmesi--3960310 . You will probably not see the warning (unless it's Firefox) because I didn't in my consecutive tries on Chrome and I was logged in when I got the error. So let's assume you and I will never see that warning icon on Chrome again.

Devtools was not open when I was using the site, so "Network" tab is empty. That part won't work.

"Resources" shows all JS and CSS entries as https there is no single resource from http there.

The page has jQuery loaded so I tried queries $('*[href^="http:"]') and $('*[src^="http:"]') to no avail. The page contains some external http links (not resources, plain a href's) but that wouldn't trigger the alarm.

I'm using Kaspersky Anti-Virus and it uses a proxy to scan incoming/outgoing traffic. That could be causing some trouble although I haven't had any issues so far with other web sites.

I tried "view page source" and searching it for http resources but only tag with http resource link was:

<meta name="twitter:image" content="http://eksisozluk.com/content/img/ilogo120.png" />

which actually exists in the page when the icon is green too. So that cannot be the reason.

Isn't there a way to directly view the "insecure content" whatever that is in Chrome?

When I view the page in Firefox it says "partially encrypted" but it doesn't show what's not encrypted either. All the items in "Media" tab start with "https://".

Actually now I'm able to reproduce the issue continuously on Firefox. I looked at the network tab and "nothing" shows as http:// yet Firefox tells me "partially encrypted". I'm not sure if Firefox is saying that for the same reason Google does (because Firefox is consistent and insistent about it), but I'm providing both scenarios in case they belong to the same root cause.

I finally wrote this code in Chrome console to find the culprit: 

$("*").each(function (index, elem) {
  var attrs = elem.attributes;
  for(var n = 0; n < attrs.length; n++) {    
    var attr = attrs[n];
    if(attr.nodeValue.indexOf("http://") >= 0) {
      console.log("FOUND: <" + elem.nodeName + " " + attr.nodeName + "='" + attr.nodeValue + "'>");
      console.log($(elem));
    }
  }
});

The output shows no interesting stuff. Only <META content> for twitter reference, <A href>s and two <TD title="http://...">s that Mvc-Mini-Profiler inserted. None of them justify the warning of course. Here is the full output: http://pastebin.com/kgV8XHgN

So this looks really interesting. There is NOT a single element in DOM that contains an "HTTP" link yet Chrome warns about "insecure" content. I'm very troubled by it.

There are NO iframes on the page. ($("iframe") returns [])

EDIT: DAMN I lost the page :( (navigated to a link and back button turned to SSL icon to green). I knew it wouldn't last long. But I still appreciate any help since it wasn't the first time I saw that issue.

Sedat Kapanoglu
  • 46,641
  • 25
  • 114
  • 148
  • 1
    Are you sure that no browser extensions were involved? Were you able to reproduce it on another machine/device? – Konrad Dzwinel Aug 08 '13 at 06:37
  • Chrome had feedly (feedly-mini disabled) and Google App Script which could interfere (I don't know) but Firefox had Firebug, UA Switcher, PageSpeed and YSlow. I removed all from Firefox except Firebug and it still says "partially encrypted" yet shows no "http://" resource. – Sedat Kapanoglu Aug 08 '13 at 07:46
  • How about other devices/machines, were you able to reproduce it? In Chrome there is one more tool that may help you to debug this. Open Chrome incognito window and close all other Chrome windows. In the incognito window open two tabs: one with page you want to debug and the other one with chrome://net-internals/ . What you will get in the net-internals tab is a detailed debug of all network communication happening in Chrome. – Konrad Dzwinel Aug 08 '13 at 07:58
  • 1
    You may also like to check out similar questions that were asked before: http://stackoverflow.com/questions/3920206/how-can-you-tell-exactly-what-insecure-items-are-causing-a-browser-to-warn-about and http://stackoverflow.com/questions/1087591/why-is-chrome-reporting-a-secure-non-secure-warning-when-no-other-browsers-are . – Konrad Dzwinel Aug 08 '13 at 08:02
  • @KonradDzwinel Trying out on other machines is a good idea but as I said this occurs very rarely (once or twice a day in continuous usage maybe). So it could too much of an effort but I'll definitely keep an eye on it. – Sedat Kapanoglu Aug 08 '13 at 12:42
  • Can it happen because it's not TLS 1.2 by chance? – JSmyth Jan 04 '14 at 16:12
  • @JSmyth Neither browser gives a warning for no TLS 1.2 support afaik. – Sedat Kapanoglu Jan 05 '14 at 23:54
  • 1
    @ssg That was far-fetched =) Haven't seen myself recently. I think once we had an issue when IE 8 or 9 was bitching about TLS 1.0 and upgrading to TLS 1.1 solved it. I might be wrong here but if there's someone who had similar issue let us know. – JSmyth Jan 07 '14 at 22:09
  • @JSmyth interestingly we haven't seen this issue for a while and upgraded to TLS 1.2 recently. I'll update this thread if it surfaces again. – Sedat Kapanoglu Jan 08 '14 at 09:21

5 Answers5

14

Just had this problem – if you check the Javascript Console in Chrome it will now tell you where the problem lies.

Erebus
  • 1,998
  • 2
  • 19
  • 32
4

I had the same issue yesterday, and found http://www.whynopadlock.com/

It shows which elements are not secure, and it also verifies certificate chains.

Btw, if your site can be loaded both http and https, then omit http: from external urls.

Not:

src="http://external.dom/external.js" or "https://external.dom/external.js"

Just: 

src="//external.dom/external.js"

Then the browser will use http or https depending on what the page is loaded as

Leif Neland
  • 1,416
  • 1
  • 17
  • 40
  • +1 for whynopadlock.com. I had an insecure http ref buried inside a CSS file, which it spotted immediately. – Obfuskater Aug 13 '15 at 01:55
2

I just spent an hour with a similar problem, I got the green ssl lock in Chrome and IE but not in Firefox (only after page reload).

First of all: To debug SSL issues, the httpfox plugin seems to be better than firebug's network tab. Firebug showed all sources as https, but looking at httpfox, I quickly found the culprit: Google Analytics was loading the ___utm.gif tracking pixel via http. This tracking pixel came from the previous page, where I was tracking a Google Analytics event which was attached to a button click.

This seems to be a bug in Firefox: When tracking a GA event from a http page to a https page (e.g. Proceed button click), FF will load the tracking pixel via http on the https page, causing the error.

I removed the event from the button and FF stopped complaining about the partially encrypted connection.

Socrates
  • 189
  • 1
  • 5
  • 19
0

It sounds most likely that an AJAX resource was used with an http:// URL... you would most likely need the network panel or console to check that.

Firefox's built-in developer tools have them.

Mike Ratcliffe
  • 989
  • 6
  • 10
0

A quick solution is to add target="_blank" in each <a> element. It will open the link in new window. Working on all browsers.

Anshul Goyal
  • 73,278
  • 37
  • 149
  • 186
M. Petrov
  • 1