Twitter: mixed-mode security?

I've been using HTTP anywhere (in Firefox), and whatever does that in Chrome, on both Linux and Windows, for some months or more. Suddenly tonight, I see that Chrome is complaining about mixed-mode security on Twitter -- but not on FB or any other sites I visit that way. Firefox isn't complaining about Twitter.

Chrome is known to be pickier about this; a site I worked on had to test both because Chrome would complain when FF did not.

Can some other folks check Twitter over HTTPS/IPv4 tonight and see if they are also getting the slashed-out https indication on Twitter?

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274

On Wed, Jul 03, 2013 at 10:28:12PM -0400, Jay Ashworth wrote:
I've been using HTTP anywhere (in Firefox), and whatever does that in Chrome, on both Linux and Windows, for some months or more.
Suddenly tonight, I see that Chrome is complaining about mixed-mode security on Twitter -- but not on FB or any other sites I visit that way.
Firefox isn't complaining about Twitter.
Chrome is known to be pickier about this; a site I worked on had to test both cause Chrome would complain when FF did not.
Can some other folks check Twitter over HTTPS/IPv4 tonight and see if they are also getting the slashed-out https indication on Twitter?
I use Twitter via IPv4 (and exclusively the HTTPS scheme), and use Firefox, quite regularly (20-30 times a day). I know exactly what you mean when you say "mixed-mode security" (for readers: accessing a site using HTTPS, but the URLs referenced within that site (for things like CSS, images, etc.) might use HTTP).

But what I don't know is where you've seen this. As in a step-by-step for where you commonly see it. Even if it varies, just make an itemised list of steps (from the point you hit http://twitter.com/ to wherever you see the issue) where you commonly see it.

I can try to reproduce it there if need be, and/or do some analysis with either Firebug's Network tab or Wireshark, but I need a good starting point! :-)

Also, and I probably don't need to tell you this, but too much code on webservers (doesn't matter where (front or back-end)) behaves differently based on HTTP User-Agent string. (I could write my own rant about this completely unnecessary approach, but I'll spare folks)

--
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
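The condition Jeremy defines above (an HTTPS page whose CSS, scripts or images are referenced over plain HTTP) can be checked offline from the page source. The following scanner is an added example, not code posted in this thread; the HTML page and the hostnames in it are constructed for the example. It resolves each subresource reference against the page URL, so relative and scheme-relative (`//host/...`) links are correctly treated as HTTPS, and it separates "active" mixed content (script, stylesheet, frame) from "passive" mixed content (image, media), since browsers treat the two differently.

```python
"""Scan an HTML document for mixed content: subresources referenced over
http:// from a page that was itself served over https://.

Added example; not code from the thread. SAMPLE_PAGE is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose http:// references browsers treat as "active" mixed content
# (they load code or a frame). A plain <img> or media element is "passive".
ACTIVE = {"script": "src", "iframe": "src", "link": "href",
          "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            # Only <link rel="stylesheet"> loads code; icons etc. are skipped
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # urljoin resolves "/path" and "//host/path" relative to the https page,
        # so only references that explicitly say http:// come out as http.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """Return [(kind, tag, url), ...] for every http:// subresource."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page itself is not https; mixed content is not defined")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (the hostnames below are placeholders, not real CDNs)
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.test/banner.png">
<iframe src="https://widgets.example.test/w.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE, "https://twitter.com/"):
        print("%-7s <%s> %s" % (kind, tag, url))
```

Run against a saved copy of the page (or the response bodies captured in Firebug's Network tab), the three findings above show what a browser's mixed-content warning is reacting to: a stylesheet and a script fetched over HTTP would be blocked or flagged as active content, the banner image only as passive content, while the favicon, the scheme-relative script and the HTTPS iframe raise nothing.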

----- Original Message -----
From: "Jeremy Chadwick" <jdc@koitsu.org>
I know exactly what you mean when you say "mixed-mode security" (for readers: accessing a site using HTTPS, but the URLs referenced within that site (for things like CSS, images, etc.) might use HTTP).
But what I don't know is where you've seen this. As in a step-by-step for where you commonly see it. Even if it varies, just make an itemised list of steps (from the point you hit http://twitter.com/ to wherever you see the issue) where you commonly see it.
Generally, anywhere I go on twitter's site (since it's AJAX now, there really isn't anywhere you "go"), it's https and it's not crossed out, as Chrome does to indicate mixed-mode. As of tonight, I'm getting the "crossed-out https" indicator everywhere, even after a cache purge and a Ctrl-F5 reload.
I can try to reproduce it there if need be, and/or do some analysis with either Firebug's Network tab or Wireshark, but I need a good starting point! :-)
Remind me where Chrome identifies what's unsecure, and I'll go look it up.
Also, and I probably don't need to tell you this, but too much code on webservers (doesn't matter where (front or back-end)) behaves differently based on HTTP User-Agent string. (I could write my own rant about this completely unnecessary approach, but I'll spare folks)
Sure. But this is "change in working environment, not apparently prompted by anything user-side".

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274

On Wed, Jul 3, 2013 at 8:21 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Jeremy Chadwick" <jdc@koitsu.org>
I know exactly what you mean when you say "mixed-mode security" (for readers: accessing a site using HTTPS, but the URLs referenced within that site (for things like CSS, images, etc.) might use HTTP).
But what I don't know is where you've seen this. As in a step-by-step for where you commonly see it. Even if it varies, just make an itemised list of steps (from the point you hit http://twitter.com/ to wherever you see the issue) where you commonly see it.
Generally, anywhere I go on twitter's site (since it's AJAX now, there really isn't anywhere you "go"), it's https and it's not crossed out, as Chrome does to indicate mixed-mode.
As of tonight, I'm getting the "crossed-out https" indicator everywhere, even after a cache purge and a Ctrl-F5 reload.
This explains the meaning of the crossed-out https indicator: https://support.google.com/chrome/answer/95617?p=ui_security_indicator&rd=1
I can try to reproduce it there if need be, and/or do some analysis with either Firebug's Network tab or Wireshark, but I need a good starting point! :-)
Remind me where Chrome identifies what's unsecure, and I'll go look it up.
From the chrome menu (the three lines at the top right), select Tools, then Javascript Console. That should give you an error where things went wrong, and tell you specifically what it's unhappy about.
Damian
Also, and I probably don't need to tell you this, but too much code on webservers (doesn't matter where (front or back-end)) behaves differently based on HTTP User-Agent string. (I could write my own rant about this completely unnecessary approach, but I'll spare folks)
Sure. But this is "change in working environment, not apparently prompted by anything user-side".
Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274

_______________________________________________
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages

On Wed, Jul 03, 2013 at 08:34:55PM -0700, Damian Menscher wrote:
On Wed, Jul 3, 2013 at 8:21 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Jeremy Chadwick" <jdc@koitsu.org>
I know exactly what you mean when you say "mixed-mode security" (for readers: accessing a site using HTTPS, but the URLs referenced within that site (for things like CSS, images, etc.) might use HTTP).
But what I don't know is where you've seen this. As in a step-by-step for where you commonly see it. Even if it varies, just make an itemised list of steps (from the point you hit http://twitter.com/ to wherever you see the issue) where you commonly see it.
Generally, anywhere I go on twitter's site (since it's AJAX now, there really isn't anywhere you "go"), it's https and it's not crossed out, as Chrome does to indicate mixed-mode.
As of tonight, I'm getting the "crossed-out https" indicator everywhere, even after a cache purge and a Ctrl-F5 reload.
This explains the meaning of the crossed-out https indicator: https://support.google.com/chrome/answer/95617?p=ui_security_indicator&rd=1
Interesting. From Jay's description (and my lack of familiarity with Chrome), I assumed what he was describing was what the above doc classified as the "warning" indicator ("The site uses SSL but Chrome has detected insecure content on the page"). The "crossed-out https" thing is defined vaguely/ambiguously (how convenient), but looks to be focused on either expired or incorrectly configured certs, or "mysteriously malevolent stuff". The latter made me laugh because, hey, let's not be specific at all, nobody needs to know.....

I've taken a look at the certs I get back (there's 3 involved; Verisign's primary CA, Verisign's extended validation CA, and the one for twitter.com) and I don't really see anything wrong with any of them. I verified the CN/CommonName looks correct (twitter.com), and that the validity range (e.g. expiry, before/after) are legit. I can dump them if need be, just let me know.

--
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
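The two checks Jeremy describes performing by hand (that the name on the leaf certificate matches the host, and that the current time falls inside the notBefore/notAfter window) are the same ones a browser runs before it decides whether the lock is crossed out. The script below is an added example, not code from the thread: it applies those checks to a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()`, so it can be run on a real connection's result or, as here, on a constructed sample. The sample certificate, its issuer name and its dates are made up for the example; they are not Twitter's actual certificate. Unlike the CN-only check, it prefers the subjectAltName entries when present and handles a single-label wildcard, which is how modern name matching works.

```python
"""Check a server certificate's name and validity window the way a browser
does, using the dict format of ssl.SSLSocket.getpeercert().

Added example; not code from the thread. SAMPLE_CERT is constructed.
"""
import calendar
import ssl
import time


def utc_epoch(year, month, day):
    """Seconds since the epoch for midnight UTC on the given date."""
    return calendar.timegm((year, month, day, 0, 0, 0))


def _dns_match(pattern, hostname):
    """RFC 6125-style match: a wildcard may only be the whole leftmost label
    and matches exactly one label ('*.twitter.com' matches 'www.twitter.com'
    but neither 'twitter.com' nor 'a.b.twitter.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".twitter.com"
    if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
        return False
    return "." not in hostname[:-len(suffix)]


def names_from_cert(cert):
    """Names the certificate is valid for: SAN DNS entries if any, otherwise
    the legacy fallback to the subject CommonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def check_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means the leaf certificate
    is valid for hostname at time `now` (epoch seconds, default: current)."""
    now = time.time() if now is None else now
    problems = []
    # getpeercert() dates look like 'Jun  1 00:00:00 2013 GMT'
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    names = names_from_cert(cert)
    if not any(_dns_match(name, hostname) for name in names):
        problems.append("hostname mismatch: %s not in %s" % (hostname, names))
    return problems


# Constructed sample in getpeercert() shape; issuer and dates are placeholders.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Org (constructed)"),),
                (("commonName", "twitter.com"),)),
    "issuer": ((("commonName", "Example EV CA (constructed)"),),),
    "subjectAltName": (("DNS", "twitter.com"), ("DNS", "www.twitter.com")),
    "notBefore": "Jun  1 00:00:00 2013 GMT",
    "notAfter": "Jun  1 23:59:59 2014 GMT",
}

if __name__ == "__main__":
    for host in ("twitter.com", "www.twitter.com", "api.twitter.com"):
        print(host, check_cert(SAMPLE_CERT, host, utc_epoch(2013, 7, 3)) or "OK")
    print("a year later:", check_cert(SAMPLE_CERT, "twitter.com", utc_epoch(2015, 1, 1)))
```

To run it on a live connection, pass the dictionary from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` instead of `SAMPLE_CERT`. Note that this only covers the leaf's name and dates; it does not walk the chain or check revocation, which is where an "incorrectly configured cert" can still fail even when the leaf looks fine.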
participants (3)
- Damian Menscher
- Jay Ashworth
- Jeremy Chadwick