Referrer policy hide the referrer of self-signed certificates - windows

I can't seem to get the referrer on a 3rd party XHR request to a development server with a self-signed certificate.
After complying to chrome's use of SAN instead of CN and registering my self-signed localhost certificate, I got the green dot for this request in Dev Tools security panel, but I also get the following:
This request does not comply with Chrome's Certificate Transparency policy.
I've tried to use Chrome Group Policies to disable it, but it did not work.
Have anyone else stumbled upon this issue? Any good know solutions for debugging 3rd party XHR requests?

The current workaround (hopefully not a permanent solution) is just using Mozilla FireFox instead of Google Chrome.

Related

CORS ajax call to self-signed secure URL

I have a website hosted on domain-a.com, which we are about to install an SSL certificate on. The certificate is issued by a CA so it will be trusted by browsers.
After pageload on domain-a.com, an ajax call is made to domain-b.com using CORS to retrieve some additional information to display on the page.
I have two questions:
Do I also need to install an SSL certificate on domain-b.com? What will happen in the users browser if I don't?
If I do install an SSL certificate on domain-b.com, but I use a self-signed certificate as opposed to one issued by a CA, will that work, or will there be warnings/errors thrown by the user's browser?
I set up some test pages to see how this behaved, and it looks like you do need to install SSL on domain-b.com. Most browsers I tested blocked the nonsecure content. Others gave a warning. The same things happened if domain-b.com had a self-signed certificate. The connection was still blocked.
The simplest and cheapest solution I found was to install a free SSL certificate from StartSSL on domain-b.com. This CA seems to be recognized by the browsers I tested on so the connection to domain-b.com works fine. If anyone sees any issues with this that I'm not thinking of, please let me know.

Chrome cant POST to https, but GET using a self signed SSL-cert?

We have a site in a S3 bucket configured to serve static HTML. The HTML app is an AngularJS app. The AngularJS app requests its data with ajax through HTTPS with a self signed certificate to our backend API. All the GET requests work fine, but when we POST,PUT or DELETE in chrome the ajax requests get canceled.
All types of requests works in Firefox.
Our solution has been to disable HTTPS but that does not seem like a long term solution. Bought certificates is not an option for us.
We have noticed that the requests works in some versions of chrome. Is this something normal in chrome? Is there any way to avoid this?
Thanks for any kind of answer that might help us!
Yes Tyler! You are right! Chromes very much dislikes certificates that is not signed by a trusted authority.

SSL seems to be not installed properly

I have a certificate for a domain example.com. So, every request in my application (MVC 3) is being redirected to the https://example.com. But the problem is, I can see the padlock icon in the Firefox browser
but one second later it disappears and I see that there is no certificate ?
I have no clue what's going on, can somebody enlighten me ? The application is being hosted on Windows Server 2008 R2.
The "...which is run by (unknown)" message is just a message telling you that the certificate only verifies the web site name, not the owner. The message is not very clear and has been reported as a bug to Mozilla.
The "Your connection to this site is only partially encrypted" message means that you're fetching at least some HTTP data as a part of your HTTPS page (check your font/image/media links on the page) and the data fetched via HTTP is not secure. A secure page should only link to HTTPS content, or someone listening to the connection may be able to the insecure communication and figure out what is done over the secure link. For example, if your cookies are not set as secure, they'll be sent over clear text too when fetching data from your site.
All in all, the SSL cert seems to be installed ok, but your page needs some updates to only link to secure content.

Can I ignore/refuse https access to certain places of my heroku app?

I'm developing on Heroku a site with a couple of subdomains. One of them is signup (as in signup.myapp.com) which requires SSL access -- of course! But the rest of the subdomains, such as www, do not require https to access.
The problem is that the client only purchased an SSL certification for signup.myapp.com. This means that, when a user tries to access other places of my site with https (such as https://www.myapp.com), SSL certification does not validate and browsers tell the user that the site could be malicious... not good for branding.
I tried to make the site redirect from https to http, but of course this failed, because SSL was checked before the redirect could be sent.
Is there a way that I can deny access to these places of my site from https, so that users encounter, for instance, a 404 page instead? Or, do you know of any other ways to handle this situation? (the client is reticent to acquire a new SSL certificate, specially a wildcard certificate).
Unfortunately, you need a certificate for each of the domains (or a wildcard one as you mention), see e.g.:
How to redirect https to http without any SSL Certificate
The problem is that certificate is the first thing checked, way before anything else happens. If that fails, browser will typically display "get me out of here!"-kind of notification. There's no built in support for SSL-to-non-SSL transition.
You can shut down https://www.example.com (i.e. make your Web server not listen on port 443), but that of course won't yield a 404, also bad for branding.
With just one non-wildcard certificate, the only thing you can do is put all the pages under that domain. I.e. instead of https://signup.example.com/a/b/c, you need to do https://www.example.com/signup/a/b/c or something along those lines.
On the other hand, you can buy the certificate for under $100/year (or $150 total for 2 years) at GoDaddy:
http://www.godaddy.com/ssl/ssl-certificates.aspx
so, depending on your context, it might just pay off to pay this instead of doing any additional development.

SSL : sec_error_unknown_issuer

I'm getting the sec_error_unknown_issuer on my website : https://www.lceonline.co.uk/
The error occurs when I add an item to the cart then click checkout (The checkout page seems to cause it) The SSL Certificate is with Globasign
It seems that this error only occurs in Firefox. Does anyone have a solution or can point me in the direction of one? Little bit of a struggle.
Cheers Guys
Each browser has an installed list of what is called "Root Certificates". If the issuer's certificate is not in this database, then the browser will reject the cert with the message that you are seeing.
Firefox and Internet Explorer use independent lists of root certs. You may want to speak to your issuer, or a different issuer, about getting you a cert that is acceptable in all major browsers.
It should also be noted that a cert can be denied by the browser with a similar error if it depends on intermediate certificates in the cert-chain and the server has not been correctly configured to deliver all the required certs to the browser. This can be tricky to diagnose as browsers will cache and re-use intermediate certs, even if they were originally requested from a different server.

Resources