Security Alerts on SL Web Pages
|
|
Amity Slade
Registered User
Join date: 14 Feb 2007
Posts: 2,183
|
10-08-2009 00:32
I'm using Internet Explorer, and I keep my security alerts turned on. Why, I don't know, since I really don't know much about what they mean when they come up, but somehow it makes me feel safer.
Occasionally when going from one page to another, I'll get a Security Alert "You are about to view pages over a secure connection." Or I'll get "You are about to leave a secure connection." Occasionally, I'll get two such alerts from the same page, as different parts of the page load.
When I access anything on the blog on the SL site, I get multiple of those Security Alert messages. Alternating between "You are about to view pages over a secure connection" and "You are about to leave a secure connection." Like ten, twenty, thirty or more. They go on forever. I think that the more replies that a blog entry has, the more of the security alerts that I hit.
The only way I can view the blogs is to turn off the security alerts. Which is probably no big deal.
But I have to wonder- this can't be normal web page function, can it?
|
|
Chokolate Latte
Registered User
Join date: 22 Dec 2007
Posts: 145
|
10-08-2009 00:46
I have been getting more of those lately as well, especially looking around on XStreet. I understand why, due to moving between unsecure and secure all the time, but not sure why the increase in messages. I wonder if Windows have upped their security as you appear to get it when images are on the page from external sites.
|
|
Atticus Lethecus
Registered User
Join date: 30 Sep 2009
Posts: 46
|
10-08-2009 02:27
From: Amity Slade I'm using Internet Explorer, and I keep my security alerts turned on. Why, I don't know, since I really don't know much about what they mean when they come up, but somehow it makes me feel safer.
Occasionally when going from one page to another, I'll get a Security Alert "You are about to view pages over a secure connection." Or I'll get "You are about to leave a secure connection." Occasionally, I'll get two such alerts from the same page, as different parts of the page load.
When I access anything on the blog on the SL site, I get multiple of those Security Alert messages. Alternating between "You are about to view pages over a secure connection" and "You are about to leave a secure connection." Like ten, twenty, thirty or more. They go on forever. I think that the more replies that a blog entry has, the more of the security alerts that I hit.
The only way I can view the blogs is to turn off the security alerts. Which is probably no big deal.
But I have to wonder- this can't be normal web page function, can it?
Hi Amity, I'm not a great expert, but I know IE (particularly versions 7 and  tends to be a little over fastidious in providing these alerts. Without knowing what your settings are or what version you're on it's difficult to be specific with a solution. It may just be, that with the updates to the SL website, there is more mixing of domains and secure and non-secure (https and http) modes in the same page.
First thing is make sure you're fully up to date with the latest release of whichever version you're using. Then, if it's secondlife.com which is being particularly painful, you could try adding all related domains to your trusted sites list as follows:
1. In Security/Trusted Sites/Sites, add *.secondlife.com to the Trusted Sites list.
2. Still in that dialog, Uncheck the box "Require server verification (https)"
3. Click OK.
Or ..in IE8 Tools/Internet Options/Security/Custom Level/Display Mixed Content:Enable
Or.. switch to another browser, Firefox is good.
If you want some more specific info, just post more details and I'll try and help.
|
|
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
|
10-08-2009 08:14
From: Amity Slade Occasionally when going from one page to another, I'll get a Security Alert "You are about to view pages over a secure connection." Or I'll get "You are about to leave a secure connection." Occasionally, I'll get two such alerts from the same page, as different parts of the page load.
For these very specific messages: The one that says "You are about to view pages over a secure connection" can safely be turned off. The one that says "You are about to leave a secure connection" is ok to turn off. Just keep in mind that if you're at a site that requires several pages to complete a transaction (registering, paying for something, etc.), and it starts out with a secure connection, you won't get a warning if it switches to insecure. Usually this isn't a problem, but it does mean that if you're entering confidential information at all, you should check on each and every page to be sure you still have an encrypted connection.
|
|
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
|
10-08-2009 08:31
From: Atticus Lethecus I'm not a great expert, but I know IE (particularly versions 7 and  tends to be a little over fastidious in providing these alerts.
It's not just IE, Firefox does this too - because it's supposed to. Neither one is being fastidious when it comes to mixed mode alerts.
From: someone It may just be, that with the updates to the SL website, there is more mixing of domains and secure and non-secure (https and http) modes in the same page.
Yes, there is. It's the result of having the web site built by people who don't give security the importance it deserves, and testers who don't know enough to test for it.
From: someone Then, if it's secondlife.com which is being particularly painful, you could try adding all related domains to your trusted sites list as follows:
1. In Security/Trusted Sites/Sites, add *.secondlife.com to the Trusted Sites list.
2. Still in that dialog, Uncheck the box "Require server verification (https)"
3. Click OK.
No, no, NO! Do you really trust secondlife.com to never be cracked?
From: someone Or ..in IE8 Tools/Internet Options/Security/Custom Level/Display Mixed Content:Enable
Or find Jiras that relate to this and vote for them. Create new Jiras if you've found a new instance.
Mixed content means having a secure page with images and/or links to the same site that aren't secure. Most of the time there's nothing wrong with mixed content, but it could be an indication of a security hole. I'm sure many people turn off warnings for mixed content, and I don't know of any published cases where a breach occurred as a result, but it's still bad.
A properly designed commercial web site will derive the protocol (i.e. the choice between http and https) for images and internal links from the protocol used for the current page. That means that if you go to a secure site (https in the address bar), then everything on that page related to that site should also be https.
The reason you don't see the mixed content messages on most sites is that they automatically change the images, etc. to use https - even though the brand logo is the same image. They do this because the best way to ensure that private data is encrypted and that the images are authentic is to do everything over a secure connection, not just the little bit typed by the user. (They may also be motivated to avoid questions from users who get these messages.)
The fact that you get mixed content on the SL web site says that they didn't do this. Maybe they just don't understand security, or maybe they made a conscious decision to save cycles by not encrypting images (foolish, since they should be cached locally). And maybe it will never indicate a real security hole on secondlife.com, just bad design. But if you turn off the message, then some day you may wind up at a phishing site or cracked site and miss out on an important warning.
So don't disable the mixed content warning. Yell at the web site developers to put more effort into understanding security.
|
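Added example, not part of the original thread and not code from the SL site: a small audit, of the kind a site's testers could run, that lists every http:// reference on a page served over https://, separating content the browser fetches (the mixed content warning) from links and form targets (the "leaving a secure connection" alert). The hostnames and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes the browser fetches while rendering (the mixed content warning).
FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
         ("link", "href"), ("embed", "src"), ("source", "src")}
# Attributes the user follows or submits to (the "leaving a secure connection" alert).
NAVIGATE = {("a", "href"), ("form", "action")}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page = urlsplit(page_url)
        self.findings = []  # (kind, tag, absolute_url, same_host)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = ("subresource" if (tag, name) in FETCH else
                    "navigation" if (tag, name) in NAVIGATE else None)
            if kind is None or not value:
                continue
            # urljoin resolves relative and protocol-relative ("//host/x") URLs
            # against the page, so those inherit the page's scheme.
            target = urlsplit(urljoin(self.page_url, value))
            if self.page.scheme == "https" and target.scheme == "http":
                same_host = target.hostname == self.page.hostname
                self.findings.append((kind, tag, target.geturl(), same_host))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the hostnames are placeholders, not real SL URLs.
SAMPLE_URL = "https://blog.example.test/entry/1"
SAMPLE_HTML = """
<img src="http://blog.example.test/logo.png">
<img src="/avatar.png">
<script src="//cdn.example.test/app.js"></script>
<iframe src="http://widgets.example.test/comments"></iframe>
<a href="http://blog.example.test/next">next</a>
<form action="http://blog.example.test/login" method="post"></form>
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

The relative and protocol-relative references produce no finding because they take the scheme of the page they appear on; the hard-coded http:// image, iframe, link and form target are the ones reported.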
|
Atticus Lethecus
Registered User
Join date: 30 Sep 2009
Posts: 46
|
10-08-2009 08:59
From: Kidd Krasner It's not just IE, Firefox does this too - because it's supposed to. Neither one is being fastidious when it comes to mixed mode alerts.
Yes, there is. It's the result of having the web site built by people who don't give security the importance it deserves, and testers who don't know enough to test for it.
No, no, NO! Do you really trust secondlife.com to never be cracked?
Or find Jiras that relate to this and vote for them. Create new Jiras if you've found a new instance.
Mixed content means having a secure page with images and/or links to the same site that aren't secure. Most of the time there's nothing wrong with mixed content, but it could be an indication of a security hole. I'm sure many people turn off warnings for mixed content, and I don't know of any published cases where a breach occurred as a result, but it's still bad.
A properly designed commercial web site will derive the protocol (i.e. the choice between http and https) for images and internal links from the protocol used for the current page. That means that if you go to a secure site (https in the address bar), then everything on that page related to that site should also be https.
The reason you don't see the mixed content messages on most sites is that they automatically change the images, etc. to use https - even though the brand logo is the same image. They do this because the best way to ensure that private data is encrypted and that the images are authentic is to do everything over a secure connection, not just the little bit typed by the user. (They may also be motivated to avoid questions from users who get these messages.)
The fact that you get mixed content on the SL web site says that they didn't do this. Maybe they just don't understand security, or maybe they made a conscious decision to save cycles by not encrypting images (foolish, since they should be cached locally). And maybe it will never indicate a real security hole on secondlife.com, just bad design. But if you turn off the message, then some day you may wind up at a phishing site or cracked site and miss out on an important warning.
So don't disable the mixed content warning. Yell at the web site developers to put more effort into understanding security.
I'm not indifferent to what you're saying Kidd, but unless Amity is actually going to stop using the website in the meantime, a sensible middle ground is a reasonable approach. I'm not particularly advocating turning off all security alerts, I was suggesting that you can decide to "trust" sites where your exposure is small, that you know well and use often, rather than click through a lot of warnings. Obviously retaining as high a level of security checking as possible is the way forward, but usability has to have its place too. I agree that design is of the essence in many cases, however as the use of inline frames has become more prevalent over the past few years (particularly cross domain) it's not always simply a case of making sure the current site references are all tickety boo. I'm guessing you're probably not a great fan of the old iframe, but it does a job and if used appropriately and competently it's not all bad! Well that's my view anyway.
|
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
10-08-2009 09:00
Those alerts are another reason why I don't use that site for anything but account needs.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com
|
|
Amity Slade
Registered User
Join date: 14 Feb 2007
Posts: 2,183
|
10-08-2009 18:59
From: Kidd Krasner It's the result of having the web site built by people who don't give security the importance it deserves, and testers who don't know enough to test for it.
Something like this is kinda what I suspected. I appreciate the help others offered as to what I can do to access the site without getting choked in the security messages, and I understand that I'm probably better off turning them off (since I really wouldn't be able to recognize which one is an alert to which I should actually pay attention rather than ignore). But it's more likely I'll just skip the blogs and catch the summaries on the forums, for as long as that lasts.
|