SSL issue with links in https pages


I hope this is the best forum to ask this in…

I have an SSL cert installed to have a secure commerce area. Some of the pages have external links to non-secure sites like say The padlock icon breaks and warns that there’s unauthorized content. The hosting provider says it’s because the external links need to be https links. Obviously that can’t be done to a non-secure external site.

So the question is: do external http links break security on a secure https page? If so, is there a work around other than removing external links?

Thanks guys.

No, http links do not break the security, that wouldn’t be the reason for the icons.

Images, scripts, iframes with an http:// source would

Thank you Dan.

The closest thing to that would be an AddThis pop-up with the following code snippets:

<script type="text/javascript" src=""></script>
<script type="text/javascript">var addthis_pub="the";
  var addthis_brand = "The";
  var addthis_header_color = "#fcf8de";
  var addthis_header_background = "#655601";
                <a href="" onmouseover="return addthis_open(this, '', '', '[TITLE]')" onmouseout="addthis_close()" onclick="return addthis_sendto()"><img src="../graphics/share.gif" width="16" height="16" alt="share this site"> share</a>

Would that be an issue?

Yes it would, it’s one of the 3 things I listed :slight_smile:

OK… here’s a weird one.

Apparently AddThis has a cert on their domain so when I put https in front of their link, my SSL page doesn’t break. I also have a static http link (no js) and the page doesn’t break. So does that mean that javascript is OK with a https link?

What’s weird about it? Now everything on your page is secure, so the SSL icon appears.

If visiting a webpage causes the browser to make a non-encrypted request, then the page is not completely secure. Images, scripts, and iframes cause HTTP requests. Links do not.

Any reference to a non secure image path or script or html page will cause the lock icon to break, on a page which already has SSL installed. The lock will be on, only if the entire website is referring links with https.

Not links, links can point anywhere.

Great explanation! Now it really clicked for me. In fact, I made a test page with nothing more than http links in a blank page and called it as a https page and the page passes w/flying colors.

There are many people like me who are unclear… like the stupid sys admins at the host who wrote “Anything linking to http:// on an [URL=“https:///”]https:// url is going to cause the lock to not be fully secured”.

Hi all.

having this problem. And i believe it is the stat counter script i added. So, understanding the problem is great, but how to get around it. If i add https to the stat counter script code will it affect the stat counter reading our site. Or is there another way that works?

many thanks and also for someone starting this thread.

StatCounter offers secure tracking code to upgraded members.

Lovely Dan thanks. Haven’t upgraded yet as i only put it in a few days ago and was seeing how it went, though i love it.

So if i upgrade and pay, is all i have to do is changed the code, or do they give me a new bit of code once my account is paid upgrade?

The first place you should look for information about a specific site is on that site:

you are of course correct, though my default mode is to obtain validation from someone i’m communicating with. although a fan of technology i’m a hippy luddite at heart and like real people who know stuff to inform me first :slight_smile:

Thanks for the link though, appreciate your time and effort.