CODEWITHSUNDEEP
httpsssl-security
ne1410s
ne1410s

Reputation: 7102

Lead Forensics and SSL

We have an ASP.NET website on IIS. We have a Lead Forensics link. Which has been working fine prior to switching to require SSL on all pages. It is something similar to:

<script type="text/javascript" src="http://lead-123.com/js/8303.js"></script>

Since requiring SSL however, the tracking no longer seems to be working.

Obviously this is caused by the request to http link from the original https page. But the following two attempts are also failing:

src="//lead-123.com/js/8303.js"

src="https://lead-123.com/js/8303.js"

Visiting the https URL to the tracking script shows that it is being served (albeit with security errors).

I'm sure Lead Forensics have considered this. Does anyone know if there are any conventions or workarounds that can somehow be used so that security errors aren't reported on the site and for tracking to work? I can't find any documentation on this, and attempts to contact them haven't proven successful to date.

**

Update

I'm not sure the script is hosted on the https link after all. (It only responds in my browser after I have successfully received a response from the http link). Nevertheless, I am still looking for a convention on how to handle this situation, or whether a separate link is provided if using SSL, or indeed whether the technology is even capable of working over SSL.

Upvotes: 0

Views: 2449

Answers (2)

Matthew
Matthew

Reputation: 726

Call Lead Forensics support. They can configure a secure endpoint for the tracker upon request:

<script type="text/javascript" src="https://secure.leadforensics.com/js/XXXXX.js"></script> 
<noscript>
<img src="https://secure.leadforensics.com/XXXXX.png" style="display:none;" />
</noscript>

Upvotes: 5

Shaan
Shaan

Reputation: 193

There is nothing you can do about this. The CN (Common Name) name assigned to this certificate is *.leadforensics.com; however, they kept giving other domain names bound to this certificate.

ERR_CERT_COMMON_NAME_INVALID is the error which we get.

As this entire process runs in background, thus browser doesn't open JS and PNG file, and tracking doesn't happen.

I am not sure how Lead Forensics can even do this!

We can easily create a workaround, by using HttpWebRequest class and overriding X509 event to always true - but creating such a workaround would violate the security norms and may mask other vulnerabilities.

So I've asked Lead Forensics to correct it.

Upvotes: 3

Related Questions