OK - I am forwarding my NON ssl url (with masking) to a SSL url.
In chrome it displays as NON-secure - ok I understand that - displays the weakest link in this forwarding chain.
Question - if my initial non ssl url does not encrypt, but it forwards to a ssl url, which does encrypt, as far as my website user, their info is safe and being encrypted, correct?
The unencrypted part can be manipulated by a MiTM.
Which means there is no guarantee that they would be redirected at all.
They would be at the mercy of whomever controls that insecure connection.
In short: If any part of it is unencrypted then it is insecure; And anything that was received insecurely could have been tampered with.
URL masking means the address bar will show example.com when the site content is loaded in an iframe from somewhere else. I commonly have seen this used in conjunction with hosting platforms that only offer use of a custom domain with a paid plan. This method allows the domain name registrant to host the site from example.net/my-free-site and have it look like the visitor is at example.com without paying the host.
It makes direct access to any page other than the home page impossible. That can be overcome if the party seeking URL masking is able to use a reverse proxy instead of an iframe.
There could certainly be other uses. What I described is simply the one I have seen most often.
I understand now that a SSL certificate CANNOT be applied just to a domain name what I have now? It can only be attached to the actual website, correct?
Someone asked what I mean by Masking - also seen the term used "cloaking", "iFrame", correct?
So because the url I am forwarding to is either long, messy, hard to remember, does not have my company name (for branding & brand recognition), etc, I only want my-company-name.ca shown in the users browser url bar, regardless of what page of that website they view.
My situation is where the domain I own (and want to display in browser url bar) is not secure (non ssl) and it forwards to a secure ssl (https://) url
The classic example of this issue is the SSLStrip attack. As the attacker, you continually proxy the connection to the real site, always deleting the HTTPS redirects.
Alternatively, you can redirect users to your own (attacker-controlled) HTTPS site, which can be unrelated to the real site, or a mimicry of it, or again a proxy that forwards contents back and forth to the real site.