Why my website no green lock


#1

My website is: https://www.diandiandongli.cn

HTTPS is OK, but there is no green lock.

I checked it, and it said: The SSL certificate used to load resources from https://hm.baidu.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

But https://hm.baidu.com is from the code that Chinese Baidu gave me.

Why?

Thank you.


#2

The Chromium console says:

Mixed Content: The page at ‘https://www.diandiandongli.cn/’ was loaded over HTTPS, but requested an insecure image ‘http://pub.idqqimg.com/qconn/wpa/button/button_old_11.gif’. This content should also be served over HTTPS.

This could be the more important reason why you don’t see the lock now.


#3

To expand on what user @schoen posted, you need to serve all external resources securely. Change the link from http://pub.idqqimg.com/qconn/wpa/button/button_old_11.gif to https://pub.idqqimg.com/qconn/wpa/button/button_old_11.gif or //pub.idqqimg.com/qconn/wpa/button/button_old_11.gif, and do the same for all external resources. If you are using WordPress, you can install the Really Simple SSL plugin.

As to the Baidu code, they are using a distrusted certificate, probably Symantec PKI. There’s nothing you can do about that; it’s up to them to obtain a proper certificate.


#4

Good, solved. Thank you.


#5

Good, solved. Thank you.


#6

Hi, Schoen
I got to know about Let’s Encrypt yesterday. My host already advised me to install SSL on the cPanel, which I did. Can you please check its status on all pages, and whether it is safe for payment and for input of vital information now?
Here is the address: http://academy.soarontech.com.ng

Thanks, team


#7

Hi @soarontech,

There are many aspects to web security, not all of which are related to HTTPS and not all of which are visible to a visitor to the site. Therefore the overall question of whether your site is “safe” is a complicated one and not one that I’m able to answer. For example, as discussed in some earlier forum threads, HTTPS sites can still be vulnerable to hacking because the HTTPS security only protects transmitted information against interception by network operators, but doesn’t guarantee that the site’s software or infrastructure itself is secure.

In terms of HTTPS security, your site has a mixed content error which will prevent some browsers from marking the connection as secure. This is due to some hard-coded non-HTTPS resources loaded in the page.

For example in one place your site refers to

<link href='http://fonts.googleapis.com/css?family=Lato:100,100italic,300,300italic,regular,italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'>

This is an insecure stylesheet reference and needs to be replaced with the corresponding HTTPS link.

The service https://www.whynopadlock.com/ will scan your site for mixed content problems and explain which resources are being loaded insecurely if you can’t tell.
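
An added example, not part of the original posts: a small offline check for the mixed content described in replies #2, #3 and #7, using only Python's standard library. The function and table names are chosen for this example, the sample HTML is constructed from URLs quoted in the thread, and the hm.baidu.com script path is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers a subresource fetch. Browsers block "active"
# mixed content; "passive" content has traditionally loaded without the padlock.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}
# <link> only fetches for these rel values; rel="canonical" etc. is metadata.
LINK_RELS = {"stylesheet": "active", "icon": "passive"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, kind, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            kind = next((LINK_RELS[r] for r in rels if r in LINK_RELS), None)
            url = attrs.get("href")
        else:
            attr, kind = SUBRESOURCES.get(tag, (None, None))
            url = attrs.get(attr) if attr else None
        if not kind or not url:
            return
        # urljoin resolves relative and "//host/x" URLs against the page URL.
        resolved = urljoin(self.page_url, url.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, kind, resolved))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page built from the URLs quoted in this thread.
SAMPLE = """
<link href='http://fonts.googleapis.com/css?family=Lato:100' rel='stylesheet' type='text/css'>
<img src="http://pub.idqqimg.com/qconn/wpa/button/button_old_11.gif">
<img src="//pub.idqqimg.com/qconn/wpa/button/button_old_11.gif">
<script src="https://hm.baidu.com/placeholder.js"></script>
<a href="http://academy.soarontech.com.ng">plain link, not a subresource</a>
"""
```

This only inspects static HTML: resources injected by scripts or referenced from CSS `url()` values are not seen, and an HTTPS script served with a distrusted certificate (the Baidu case above) is a separate problem that this check does not detect.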


#8

I’m grateful, Schoen. I’ve learnt and done the few changes I can.

