Masking & forward from a NON ssl url to a ssl url

OK - I am forwarding my NON ssl url (with masking) to a SSL url.

In chrome it displays as NON-secure - ok I understand that - displays the weakest link in this forwarding chain.

Question - if my initial non ssl url does not encrypt, but it forwards to a ssl url, which does encrypt, as far as my website user, their info is safe and being encrypted, correct?


The unencrypted part can be manipulated by a MiTM.
Which means there is no guarantee that they would be redirected at all.
They would be at the mercy of whomever controls that insecure connection.

In short: If any part of it is unencrypted then it is insecure; And anything that was received insecurely could have been tampered with.


OK - thanks.

So the best way still is to purchase a SSL cert, apply to my initial url, which then forwards to the main url which has SSL.

SSL to SSL is safest - no link is UNencrypted.



That is an incorrect assumption.
It should display the status of the last page [now being shown] - not how it got there.


I would disagree on "having to pay for a cert".
LE certs are free and can be used wherever most paid certs are being used.


Please explain exactly what is meant by "masking" in that statement.


URL masking means the address bar will show when the site content is loaded in an iframe from somewhere else. I commonly have seen this used in conjunction with hosting platforms that only offer use of a custom domain with a paid plan. This method allows the domain name registrant to host the site from and have it look like the visitor is at without paying the host.

It makes direct access to any page other than the home page impossible. That can be overcome if the party seeking URL masking is able to use a reverse proxy instead of an iframe.

There could certainly be other uses. What I described is simply the one I have seen most often.


Thanks everyone for your reply.

I understand now that a SSL certificate CANNOT be applied just to a domain name what I have now? It can only be attached to the actual website, correct?

Someone asked what I mean by Masking - also seen the term used "cloaking", "iFrame", correct?

So I own domain but I want it to forward to

So because the url I am forwarding to is either long, messy, hard to remember, does not have my company name (for branding & brand recognition), etc, I only want shown in the users browser url bar, regardless of what page of that website they view.

My situation is where the domain I own (and want to display in browser url bar) is not secure (non ssl) and it forwards to a secure ssl (https://) url


1 Like

Who provides the hosting for that long+messy name?
Maybe they could just host (one of) your domain name(s) there [directly].


The classic example of this issue is the SSLStrip attack. As the attacker, you continually proxy the connection to the real site, always deleting the HTTPS redirects.

Alternatively, you can redirect users to your own (attacker-controlled) HTTPS site, which can be unrelated to the real site, or a mimicry of it, or again a proxy that forwards contents back and forth to the real site.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.