Browser Security Warnings

This is from my friend, Chris Weekly.

I think it is necessary for us to be precise when we talk about “security popups” as there are many different kinds.

Some of these are always preventable, some are unavoidable in certain scenarios, and all vary according to the browser version and its user config.

Anyway here’s a kickstart:

  1. SSL Certificate Warnings (various) – Triggered on HTTPS URLs on domains with an expired or self-signed certificate.
  2. Insecure Content Warnings – Triggered on HTTPS URLs when the page contents embed references to HTTP resources (images, iframes, stylesheets or scripts).
    This is preventable by proper JSP/taglib usage. Note it is OK for links to use http:// even in https:// pages as they’re not automatically followed.
  3. HTTPS to HTTP Redirection Warnings – Triggered when an HTTPS request triggers a redirect to an HTTP URL.
    This is unavoidable in some scenarios but should be avoided by design whenever possible.
  4. HTTP/HTTPS Switch Alert – Triggered when simply navigating from HTTP to HTTPS or back.
    This is out of our control, but most browsers don’t have this on by default, and users tend to turn this global setting off after seeing it once or twice (on any site) as it’s so common and harmless.
  5. Content not under this site’s control (New) – Apparently resulting from the recent Microsoft security patch.
    I believe this is triggered by scripts which are not on the same domain as the page requested.
    This is most likely to arise w/ 3rd-party tracking pixel-related scripts. Needs more investigation.

    Update: I may have made an incorrect assumption that it related to recent MS security updates; it might instead be triggered by attempts of JavaScript on one domain to interact w/ the page on another domain. Which script and whether this is in fact the root cause of #5 is TBD.

There are others but I think these are the main ones we’ve been dealing with lately.
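
As an added example (not part of Chris's note or of any project's code), the check below scans rendered HTML for the item 2 case: http:// references in tags the browser fetches automatically, while leaving plain links alone. The tag list covers only the resource kinds named in item 2, and the sample page and its host names are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource automatically.
# Covers the resource kinds named in item 2; not an exhaustive list.
EMBED_ATTRS = {"img": "src", "iframe": "src", "script": "src", "link": "href"}


class MixedContentScanner(HTMLParser):
    """Collect http:// sub-resource references in a page served over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        if attr is None:
            return  # <a href="http://..."> ends up here: links are not auto-followed
        attrs = dict(attrs)
        # <link> only loads content into the page when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        url = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative URLs inherit the page's https scheme.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))


def find_insecure_embeds(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: rendered output of a hypothetical HTTPS page.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="stylesheet" href="/css/local.css">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<a href="http://www.example.com/help">Help</a>
<img src="HTTP://tracker.example.net/pixel.gif">
<iframe src="https://pay.example.com/form"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_embeds(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

Run against the rendered output rather than the JSP source, so URLs built by taglibs are checked as the browser will see them.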

