Author Topic: HTTPS Website Showing Gold Padlock in URL  (Read 6927 times)

Offline MMadden

  • Newbie
  • *
  • Posts: 8
HTTPS Website Showing Gold Padlock in URL
« on: April 02, 2015, 11:42:12 PM »
Hi. I have a Wordpress built site hosted through Bluehost, and I have my SSL through Comodo. This website is an author site, not collecting money or sensitive information other than email addresses at the moment (any fund transfers go through either the Square Store or Paypal), but I wanted the certificate just in case I decide to sell directly  later on, and to bump my SEO. Bluehost tells me that my certificate is working just fine, but when I visit the site using Chrome, I get the gold padlock instead of a green one. And another author who was visiting my site (also using Chrome) said he got a warning from Sitelock (who also has some security on my site through Bluehost, though not their SSL) that my domain's "SSL not supported". It was after this that I got in touch with Bluehost, who says my SSL is working okay.

I looked up Chrome's color coding of the yellow/gold padlock, and Chrome says it could be any number of things, from the person viewing the site's not having their cache cleared out, to third party code (I'm assuming plugins, etc?) that the site could have that weren't produced or are running on a secure platform.

I'm really new to web building and only been self-hosted about a month. If someone out there could help ease my mind about this, I'd be grateful!

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #1 on: April 03, 2015, 01:02:24 AM »
Quote from: Chrome Help
Your connection to the site is encrypted, but Google Chrome has detected mixed content on the page. Be careful if you're entering information on this page. Mixed content can provide a loophole for someone to manipulate the page. This content could be third- party images or ads embedded on the page.
https://support.google.com/chrome/answer/95617?hl=en

Make sure all images have https-links.

And to please Chrome, make TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  (0xC02F) the prefered cipher suite. ;)
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline MMadden

  • Newbie
  • *
  • Posts: 8
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #2 on: April 03, 2015, 01:08:38 AM »
Thank you for responding, and so quickly! How do I make sure my images have https links? I upload them to the media section of my site. Sorry if these questions seem juvenile, but I am still learning.

It seems as if all my images do, indeed, all have the https tag. But I didn't look at every single one of them, as I may already have a couple hundred or more up. But I did a sampling of several scattered throughout, even down to the very first ones I uploaded.

When I clicked on your support article, I tested my site using the page icon (my browser didn't show the padlock), and the answer was given that the site hasn't supplied a certificate to the browser. Do I need to take a copy of my certificate's code and place it somewhere in my site?
« Last Edit: April 03, 2015, 01:29:59 AM by MMadden »

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #3 on: April 03, 2015, 01:41:56 AM »
In WorPress’s HTML-editor (not Visual Editor), make sure all image links begin with
Code: [Select]
<img src="https://or just (“protocol-relative”)
Code: [Select]
<img src="//
Most of your “insecure” images are in the dark box at the bottom, and in the dark box to the right (Pinterest).

In Chrome, you can press Ctrl+Shift+I, and then click on the yellow triangle with an exclamation mark, to see insecure content. There is content from media-cache-ak0.pinimg.com, which is insecure.
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline MMadden

  • Newbie
  • *
  • Posts: 8
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #4 on: April 03, 2015, 02:06:38 AM »
Thank you for your help. I've removed all widgets, even though containing links without an https in them, and used the shortcut Control Shift I as you suggested. The only things I can see with a yellow exclamation point are some font codes associated with my theme, but those codes are also crossed off. But I'm still showing not 100% secure.

Here's a screen shot of what I mean.


[attachment deleted by admin]
« Last Edit: April 03, 2015, 02:09:17 AM by MMadden »

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #5 on: April 03, 2015, 02:09:29 AM »
You missed one image: publogo-150x150.jpg
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #6 on: April 03, 2015, 02:11:46 AM »
Your screenshot is of http, not https. ;)
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline MMadden

  • Newbie
  • *
  • Posts: 8
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #7 on: April 03, 2015, 02:13:16 AM »
Ah-ha! I have several on there now to find out where! But can you tell me what it means in the screenshot when it says website not verified? I've verified through Alexa, Bing, and Google.

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #8 on: April 03, 2015, 02:16:28 AM »
Because the url is
Code: [Select]
http://metamorphpublishing.com/Instead, go to
Code: [Select]
https://metamorphpublishing.com/
You may add a 301-redirect from http to https.
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline MMadden

  • Newbie
  • *
  • Posts: 8
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #9 on: April 03, 2015, 04:55:28 AM »
Thank you very much for your help! I figured out what the problem was! Even though all my images in the "media" section changed over from http to https when I upgraded for the SSL, the locations at which the images had been previously inserted did not. Now, I've fixed all the pages except my blog post page. I started on that one too but I've got 7 pages of posts to go through and correct, and it's easy way late in my neck of the woods. But I really appreciate your help! At least I didn't have to start all over from scratch!

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #10 on: April 03, 2015, 06:33:33 AM »
You’re welcome. Glad I could help. :)

Your site is green and clean now. :-TU

If you want to get rid of the “obsolete cryptography” (“gammal kryptografi” in my image), and instead get “modern cryptography” in Chrome, you should, as I suggested in my first post, make TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  (0xC02F) the prefered cipher suite. Your server configuration prefers ciphers with 256-bit key, but actually AES_128_GCM is more secure than AES_256_CBC. And AES_256_GCM is currently only supported by IE on Windows 7+.

Want do do more? :) Add an HSTS-header with a long duration (180+ days) and a preload-token. Then you can submit your site here, to be included in Google’s preload-list.

You can test your site:
https://sslanalyzer.comodoca.com/?url=metamorphpublishing.com
https://www.ssllabs.com/ssltest/analyze.html?d=metamorphpublishing.com

And here is a good read: SSL/TLS Deployment Best Practices

Next step? HTTP/2. :)

[attachment deleted by admin]
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline MMadden

  • Newbie
  • *
  • Posts: 8
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #11 on: April 03, 2015, 01:12:17 PM »
Ok you went way beyond my knowledge with that last post! I saw how you had mentioned a cipher in that first post, and had I been unable to figure anything out with my simpler stuff, I would have asked again. But I think you're talking drugs that may be way above my head as far as programming and writing code!

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #12 on: April 03, 2015, 01:31:13 PM »
The list of supported ciphers (followed by key-size), in prefered order:

Name  (ID)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  (0xC030)      256   
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  (0xC028)      256   
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  (0xC014)      256   
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384  (0x9F)         256   
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  (0x6B)         256   
TLS_DHE_RSA_WITH_AES_256_CBC_SHA  (0x39)         256   
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  (0x88)      256   
TLS_RSA_WITH_AES_256_GCM_SHA384  (0x9D)            256   
TLS_RSA_WITH_AES_256_CBC_SHA256  (0x3D)            256   
TLS_RSA_WITH_AES_256_CBC_SHA  (0x35)            256   
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA  (0x84)         256
   
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  (0xC02F)   128   
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  (0xC027)   128   
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  (0xC013)   128   
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  (0x9E)      128   
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  (0x67)      128   
TLS_DHE_RSA_WITH_AES_128_CBC_SHA  (0x33)      128   
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  (0xC012)   112   WEAK (key size)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  (0x45)   128   
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  (0x16)      112   WEAK (key size)
TLS_RSA_WITH_AES_128_GCM_SHA256  (0x9C)         128   
TLS_RSA_WITH_AES_128_CBC_SHA256  (0x3C)         128   
TLS_RSA_WITH_AES_128_CBC_SHA  (0x2F)         128   
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA  (0x41)      128   
TLS_RSA_WITH_3DES_EDE_CBC_SHA  (0xA)         112   WEAK (key size)


The cipher in bold should be moved to the top, and those in italics may be removed.
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline MMadden

  • Newbie
  • *
  • Posts: 8
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #13 on: April 03, 2015, 01:34:57 PM »
I wouldn't even know where to find them! That's why I've only been making the most basic of changes to my html and such!

Offline w-e-v

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1503
  • BETA FORCE MEMBER
Re: HTTPS Website Showing Gold Padlock in URL
« Reply #14 on: April 03, 2015, 02:55:45 PM »
The list of supported ciphers (followed by key-size), in prefered order:

Name  (ID)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  (0xC030)      256   
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  (0xC028)      256   
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  (0xC014)      256   
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384  (0x9F)         256   
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  (0x6B)         256   
TLS_DHE_RSA_WITH_AES_256_CBC_SHA  (0x39)         256   
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  (0x88)      256   
TLS_RSA_WITH_AES_256_GCM_SHA384  (0x9D)            256   
TLS_RSA_WITH_AES_256_CBC_SHA256  (0x3D)            256   
TLS_RSA_WITH_AES_256_CBC_SHA  (0x35)            256   
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA  (0x84)         256
   
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  (0xC02F)   128   
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  (0xC027)   128   
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  (0xC013)   128   
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  (0x9E)      128   
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  (0x67)      128   
TLS_DHE_RSA_WITH_AES_128_CBC_SHA  (0x33)      128   
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  (0xC012)   112   WEAK (key size)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  (0x45)   128   
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  (0x16)      112   WEAK (key size)
TLS_RSA_WITH_AES_128_GCM_SHA256  (0x9C)         128   
TLS_RSA_WITH_AES_128_CBC_SHA256  (0x3C)         128   
TLS_RSA_WITH_AES_128_CBC_SHA  (0x2F)         128   
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA  (0x41)      128   
TLS_RSA_WITH_3DES_EDE_CBC_SHA  (0xA)         112   WEAK (key size)


The cipher in bold should be moved to the top, and those in italics may be removed.

It's nice from you JoWa to share these.

In apache, how would you recommend to do that?
SSLCipherSuite ??:??:??:??
SSLHonorCipherOrder on

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek