HTTPS Website Showing Gold Padlock in URL

Hi. I have a WordPress built site hosted through Bluehost, and I have my SSL through Comodo. This website is an author site, not collecting money or sensitive information other than email addresses at the moment (any fund transfers go through either the Square Store or PayPal), but I wanted the certificate just in case I decide to sell directly later on, and to bump my SEO. Bluehost tells me that my certificate is working just fine, but when I visit the site using Chrome, I get the gold padlock instead of a green one. And another author who was visiting my site (also using Chrome) said he got a warning from Sitelock (who also has some security on my site through Bluehost, though not their SSL) that my domain’s “SSL not supported”. It was after this that I got in touch with Bluehost, who says my SSL is working okay.

I looked up Chrome’s color coding of the yellow/gold padlock, and Chrome says it could be any number of things, from the person viewing the site’s not having their cache cleared out, to third party code (I’m assuming plugins, etc?) that the site could have that weren’t produced or are running on a secure platform.

I’m really new to web building and only been self-hosted about a month. If someone out there could help ease my mind about this, I’d be grateful!

[b]Your connection to the site is encrypted, but Google Chrome has detected mixed content on the page.[/b] Be careful if you're entering information on this page. Mixed content can provide a loophole for someone to manipulate the page. This content could be third-party images or ads embedded on the page.
https://support.google.com/chrome/answer/95617?hl=en

Make sure all images have https-links.

And to please Chrome, make TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) the preferred cipher suite. :wink:

Thank you for responding, and so quickly! How do I make sure my images have https links? I upload them to the media section of my site. Sorry if these questions seem juvenile, but I am still learning.

It seems as if all my images do, indeed, all have the https tag. But I didn’t look at every single one of them, as I may already have a couple hundred or more up. But I did a sampling of several scattered throughout, even down to the very first ones I uploaded.

When I clicked on your support article, I tested my site using the page icon (my browser didn’t show the padlock), and the answer was given that the site hasn’t supplied a certificate to the browser. Do I need to take a copy of my certificate’s code and place it somewhere in my site?

In WordPress’s HTML-editor (not Visual Editor), make sure all image links begin with

<img src="https://

or just (“protocol-relative”)

<img src="//

Most of your “insecure” images are in the dark box at the bottom, and in the dark box to the right (Pinterest).

In Chrome, you can press Ctrl+Shift+I, and then click on the yellow triangle with an exclamation mark, to see insecure content. There is content from media-cache-ak0.pinimg.com, which is insecure.
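
An added example, not part of the original posts: the same check that the Chrome console performs, run offline over a page's or post's HTML so that every insecure reference is listed at once. The function names, sample markup and hostnames are constructed for illustration.

```python
from html.parser import HTMLParser

PASSIVE = {"img", "audio", "video", "source"}  # loaded, but the padlock is downgraded
ACTIVE = {"script", "iframe", "link"}          # browsers normally block these outright


class MixedContentFinder(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, kind, url)

    def handle_starttag(self, tag, attrs):
        if tag not in PASSIVE | ACTIVE:
            return  # e.g. <a href="http://..."> is navigation, not a subresource
        attrs = dict(attrs)
        if tag == "link":
            if "stylesheet" not in (attrs.get("rel") or "").lower():
                return
            urls = [attrs.get("href")]
        else:
            urls = [attrs.get("src"), attrs.get("poster")]
            # srcset is a comma-separated list of "url descriptor" candidates
            for candidate in (attrs.get("srcset") or "").split(","):
                urls.extend(candidate.split()[:1])
        kind = "passive" if tag in PASSIVE else "active"
        for url in urls:
            # "https://" and protocol-relative "//" URLs are fine on an HTTPS page
            if url and url.strip().lower().startswith("http://"):
                self.findings.append((tag, kind, url.strip()))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of post HTML; hostnames and file names are made up.
SAMPLE = """<div class="post">
<img src="https://example.com/wp-content/uploads/cover.jpg">
<img src="http://example.com/wp-content/uploads/logo-150x150.jpg"
     srcset="http://example.com/wp-content/uploads/logo-300x300.jpg 2x">
<img src="//cdn.example.net/pin.jpg">
<a href="http://example.org/">plain link, not mixed content</a>
<script src="http://widgets.example.net/pin.js"></script>
</div>"""

if __name__ == "__main__":
    for tag, kind, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Ordinary `<a href>` links are skipped on purpose: following a link to an http page does not make the current page mixed content.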

Thank you for your help. I’ve removed all widgets, even those containing links without an https in them, and used the shortcut Control Shift I as you suggested. The only things I can see with a yellow exclamation point are some font codes associated with my theme, but those codes are also crossed off. But I’m still showing not 100% secure.

Here’s a screen shot of what I mean.


You missed one image: publogo-150x150.jpg

Your screenshot is of http, not https. :wink:

Ah-ha! I have several on there now to find out where! But can you tell me what it means in the screenshot when it says website not verified? I’ve verified through Alexa, Bing, and Google.

Because the url is

http://metamorphpublishing.com/

Instead, go to

https://metamorphpublishing.com/

You may add a 301-redirect from http to https.

Thank you very much for your help! I figured out what the problem was! Even though all my images in the “media” section changed over from http to https when I upgraded for the SSL, the locations at which the images had been previously inserted did not. Now, I’ve fixed all the pages except my blog post page. I started on that one too but I’ve got 7 pages of posts to go through and correct, and it’s way late in my neck of the woods. But I really appreciate your help! At least I didn’t have to start all over from scratch!

You’re welcome. Glad I could help. :slight_smile:

Your site is green and clean now. :-TU

If you want to get rid of the “obsolete cryptography” (“gammal kryptografi” in my image), and instead get “modern cryptography” in Chrome, you should, as I suggested in my first post, make TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) the preferred cipher suite. Your server configuration prefers ciphers with 256-bit key, but actually AES_128_GCM is more secure than AES_256_CBC. And AES_256_GCM is currently only supported by IE on Windows 7+.

Want to do more? :slight_smile: Add an HSTS-header with a long duration (180+ days) and a preload-token. Then you can submit your site here, to be included in Google’s preload-list.

You can test your site:
https://sslanalyzer.comodoca.com/?url=metamorphpublishing.com
https://www.ssllabs.com/ssltest/analyze.html?d=metamorphpublishing.com

And here is a good read: SSL/TLS Deployment Best Practices

Next step? HTTP/2. :slight_smile:


Ok you went way beyond my knowledge with that last post! I saw how you had mentioned a cipher in that first post, and had I been unable to figure anything out with my simpler stuff, I would have asked again. But I think you’re talking drugs that may be way above my head as far as programming and writing code!

The list of supported ciphers (followed by key-size), in preferred order:

Name (ID)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028) 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9F) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6B) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9D) 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3D) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9E) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012) 112 WEAK (key size)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 112 WEAK (key size)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9C) 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3C) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2F) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xA) 112 WEAK (key size)

The cipher in bold should be moved to the top, and those in italics may be removed.

I wouldn’t even know where to find them! That’s why I’ve only been making the most basic of changes to my html and such!

It’s nice of you, JoWa, to share these.

In Apache, how would you recommend doing that?
SSLCipherSuite ??:??:??:??
SSLHonorCipherOrder on

See, you may as well be speaking Greek to me, as far as I can understand. Not to say I can’t or won’t learn it, but it’s going to take me some time!

I’m now in the process of going through each and every blog post I’ve put up over the last six months, replacing the images. Some, I’ve discovered, were lost through the migration, I assume, but I can replace them. All my “regular pages” are now showing green!

Mozilla has a useful wiki-page with three compatibility-levels: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
Avoid “Old backward compatibility”.

Yes, a list of cipher suites may look like a pile of random nonsense. A cipher suite consists of several parts. Here is a simple explanation:

Cipher suites are written like this: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, which breaks down into the following parts:

ECDHE: the key agreement mechanism.
RSA: the authentication mechanism.
AES_128_CBC: the cipher.
SHA: the message authentication primitive.
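
An added example, not part of the original post: a small parser that applies this breakdown to names in the style of the server's list above and notes what each part implies. It goes slightly beyond the four-part explanation by handling `TLS_RSA_WITH_...` names (one token before `WITH`) and GCM suites, where the trailing hash is the PRF hash rather than a MAC; `parse_suite` and `review` are hypothetical names.

```python
from typing import NamedTuple


class Suite(NamedTuple):
    key_exchange: str
    authentication: str
    cipher: str
    digest: str
    forward_secret: bool
    aead: bool


def parse_suite(name: str) -> Suite:
    """Split a TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> name into its parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"unsupported suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    tokens = left.split("_")
    # TLS_RSA_WITH_...: a single token, RSA is both key exchange and authentication
    key_exchange, authentication = tokens[0], tokens[-1]
    cipher, _, digest = right.rpartition("_")
    if not cipher:
        raise ValueError(f"unsupported suite name: {name!r}")
    return Suite(key_exchange, authentication, cipher, digest,
                 forward_secret=key_exchange in ("DHE", "ECDHE"),
                 aead=cipher.endswith("_GCM"))


def review(name: str) -> list:
    """Return short notes on what the suite's parts mean for a server config."""
    s = parse_suite(name)
    notes = []
    if not s.forward_secret:
        notes.append(f"no forward secrecy ({s.key_exchange} key exchange)")
    if s.cipher.startswith("3DES"):
        notes.append("3DES: 112-bit effective key")
    if s.aead:
        # In GCM suites the trailing hash is the TLS PRF hash, not a MAC
        notes.append(f"AEAD cipher; {s.digest} is the PRF hash")
    else:
        mac = "SHA1" if s.digest == "SHA" else s.digest  # bare "SHA" means SHA-1
        notes.append(f"integrity from HMAC-{mac}")
    return notes


if __name__ == "__main__":
    # Three names taken from the list earlier in the thread
    for n in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(n, "->", "; ".join(review(n)))
```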


Great info. Thanks :-TU

There are WordPress plugins which force rewrite to https. Or you can use a .htaccess. Saves you having to go through possibly hundreds of images and links.