0

We have an ASP.NET website on IIS. We have a Lead Forensics link, which had been working fine prior to switching to require SSL on all pages. It is something similar to:

<script type="text/javascript" src="http://lead-123.com/js/8303.js"></script>

Since requiring SSL however, the tracking no longer seems to be working.

Obviously this is caused by the request to the http link from the original https page. But the following two attempts are also failing:

src="//lead-123.com/js/8303.js"

src="https://lead-123.com/js/8303.js"

Visiting the https URL to the tracking script shows that it is being served (albeit with security errors).

I'm sure Lead Forensics have considered this. Does anyone know if there are any conventions or workarounds that can somehow be used so that security errors aren't reported on the site and for tracking to work? I can't find any documentation on this, and attempts to contact them haven't proven successful to date.

Update

I'm not sure the script is hosted on the https link after all. (It only responds in my browser after I have successfully received a response from the http link). Nevertheless, I am still looking for a convention on how to handle this situation, or whether a separate link is provided if using SSL, or indeed whether the technology is even capable of working over SSL.

ne1410s
  • I've fought with this service a bit as well. I created a local proxy endpoint using Web API. Routed the tracking callback (the .aspx call they make from within their JS) to the local (and https) endpoint. Using HttpClient, I form up the request, ignore SSL and I get a response back; however, it's always a 403 (Forbidden). I'm probably not validating with the png download doing it this way, not sure, but I'm in the process of trying to get more detail from Lead Forensics on the issue. Please update if they have enabled TLS support. – Matthew Nov 07 '16 at 22:30
  • I'm not going to suggest this as an answer since it doesn't work, but if you're interested, this is my forwarder: https://gist.github.com/Morgma/5e04f4732de4efa22ddc3804afd3c5e7 – Matthew Nov 07 '16 at 22:33

2 Answers

5

Call Lead Forensics support. They can configure a secure endpoint for the tracker upon request:

<script type="text/javascript" src="https://secure.leadforensics.com/js/XXXXX.js"></script> 
<noscript>
<img src="https://secure.leadforensics.com/XXXXX.png" style="display:none;" />
</noscript>
d-_-b
Matthew
3

There is nothing you can do about this. The CN (Common Name) name assigned to this certificate is *.leadforensics.com; however, they kept giving other domain names bound to this certificate.

ERR_CERT_COMMON_NAME_INVALID is the error which we get.

As this entire process runs in the background, the browser doesn't open the JS and PNG files, and tracking doesn't happen.

I am not sure how Lead Forensics can even do this!

We can easily create a workaround by using the HttpWebRequest class and overriding the X509 event to always return true - but creating such a workaround would violate security norms and may mask other vulnerabilities.

So I've asked Lead Forensics to correct it.

Toby Speight
Shaan
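
The two failure modes discussed on this page (an http script on an https page, and a certificate whose name does not cover the host), as an added example that is not part of the original posts or Lead Forensics' code. It applies a simplified form of the host-name check browsers perform; the function names are hypothetical, and the certificate name list is constructed from the CN quoted in the answer above.

```javascript
// Assumption: the server presents only the name quoted in the answer.
const CERT_NAMES = ["*.leadforensics.com"]; // constructed sample
// Script URLs as they appear on this page (the question's are "something similar to").
const SCRIPT_SRCS = [
  "http://lead-123.com/js/8303.js",
  "//lead-123.com/js/8303.js",
  "https://lead-123.com/js/8303.js",
  "https://secure.leadforensics.com/js/XXXXX.js",
];

// True when `host` is covered by certificate name `pattern`.
// Simplification: a wildcard counts only as the whole left-most label and
// stands for exactly one label; partial wildcards ("f*.x.com") are not supported.
function nameMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, "").split(".");
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  if (p.length !== h.length || h.some((label) => label === "")) return false;
  // Every label to the right of the first must match literally.
  if (!p.slice(1).every((label, i) => label === h[i + 1])) return false;
  if (p[0] === "*") return p.length >= 3; // refuse "*.com"-style patterns
  return p[0] === h[0];
}

// Classify each script source as a browser on an https page would treat it.
function auditScriptSources(srcs, certNames, pageUrl = "https://example.invalid/") {
  return srcs.map((src) => {
    const url = new URL(src, pageUrl); // resolves "//host/path" against the page scheme
    let verdict = "ok";
    if (url.protocol !== "https:") {
      verdict = "mixed content"; // blocked before any certificate is examined
    } else if (!certNames.some((n) => nameMatches(n, url.hostname))) {
      verdict = "certificate name mismatch"; // surfaces as ERR_CERT_COMMON_NAME_INVALID
    }
    return { src, host: url.hostname, verdict };
  });
}

for (const row of auditScriptSources(SCRIPT_SRCS, CERT_NAMES)) {
  console.log(`${row.verdict.padEnd(26)} ${row.src}`);
}
```

Only the `secure.leadforensics.com` URL passes both checks, which is why requesting that endpoint from the vendor resolves the problem without disabling certificate validation.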