I just moved several interrelated sites from a server that does not support TLS 1.2 to one that does, specifically to stop Chrome's "site is insecure" message. There are 4 separate websites, one of which has 2 pages, Demo.aspx and Rater.aspx. All sites use https://, and the server supports TLS 1.2 and has a valid certificate chain. All sites load without any security warning, including Demo.aspx, but Rater.aspx does not (it is the only one).

Rater.aspx is an older and somewhat large one-page ASP site, so I figured there must be an http:// reference somewhere, and I found a few, which I converted to https://.

I have gone over the site many times, and there is nothing I can see that should be causing the insecure flag.

Your Connection to this site is not secure. Certificate (valid) Cookies (1 in use)

Is there a tool that will tell me what chrome is picking up on so I can fix it?

If it would be helpful I can provide a link to the page, just did not want to do it here.

Thanks!

kpg
  • Did you try looking in the Security tab of your browser's developer tools? What did it tell you? – mason Aug 31 '20 at 17:23
  • @mason "You have recently allowed content loaded with certificate errors (such as scripts or iframes) to run on this site." -- so even though I corrected the issues I am being penalized? – kpg Aug 31 '20 at 19:56
  • Interesting....I didn't know it would do that. If that's the case, you might want to take it up with Google. You might also check [this question](https://stackoverflow.com/questions/44145936/chrome-active-content-with-certificate-errors). – mason Aug 31 '20 at 20:51
  • @mason I saw that question after your initial response; clearing did not resolve it, and I keep getting a NID cookie (Google preferences) linked to a less secure domain I reference, so that's probably what's causing it. The other sites also reference the same domain but don't get the NID cookie, so they don't get the warning. – kpg Aug 31 '20 at 21:18

1 Answer

As @mason pointed out, Chrome's Security tab in developer tools provides information on what is causing the Not Secure message, and it ultimately led to the discovery of an unused iframe pointing to a less secure domain.

I found the offending domain name on the Application tab under Local and Session storage (no actual data was being stored). A project search for that name found the iframe.

Of note is that the insecure server was https:// and has a valid SSL certificate but it does not support TLS 1.2.

kpg
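
The answer's "project search" step can be scripted (an added example, not part of the original post): list every host the page markup embeds, then check whether each one completes a TLS 1.2 handshake. The sample markup and the `example.test` host names are constructed placeholders.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser fetch from another host.
EMBED_ATTRS = {"iframe": "src", "frame": "src", "script": "src",
               "img": "src", "embed": "src", "link": "href"}
# Constructed sample markup; the host names are placeholders.
SAMPLE = """<form runat="server">
<script src="/js/app.js"></script>
<img src="https://cdn.example.test/logo.png">
<iframe src="https://legacy.example.test/widget" hidden></iframe>
</form>"""

class EmbedCollector(HTMLParser):
    """Collect (tag, url) for every absolute URL the markup embeds."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(EMBED_ATTRS.get(tag, ""))
        if url and urlparse(url).scheme in ("http", "https"):
            self.found.append((tag, url))

def embedded_hosts(markup):
    """Map each external host to the tags that reference it."""
    collector = EmbedCollector()
    collector.feed(markup)
    hosts = {}
    for tag, url in collector.found:
        hosts.setdefault(urlparse(url).hostname, []).append(tag)
    return hosts

def supports_tls12(host, port=443, timeout=5):
    """True only if a verified handshake at TLS 1.2+ succeeds."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # covers ssl.SSLError, DNS failure, refusal, timeout
        return False

if __name__ == "__main__":
    for host, tags in embedded_hosts(SAMPLE).items():
        print(host, tags, "TLS 1.2+ OK" if supports_tls12(host) else "FAILED")
```

A host that fails here while its certificate is valid matches the case described in the answer: an https:// server limited to protocol versions older than TLS 1.2.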