flash insecure in ssl?

[grandmasterC]

Hello,

I've got a site where user's are asked to login, once they are logged they are supposed to be able to view a page with a flash movie, but for some reason the browser asks if you want to display the insecure content?

Why is flash breaking the ssl? Is it something to do with activeX?

any help would be much appreciated

thanks

[grandmasterC]

I was right it was to do with the activeX calls to the macromedia servers. For anyone else just change the codebade and plugin space to use https instead of http.

eg

pluginspage="https://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash"

codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="227" height="352">

enjoy.

[Neil Hillman]

I'm trying to figure SSL out, and I keep getting the "This page contains both secure and non-secure items" message. Why is that? Does every graphics and link on your page also have to be remapped to include "https://"?

[grandmasterC]

Hey Neil,

Every URL reference for images, swf and the activeX controllers has to be made with https://

If you look at the code in my post above you can see I have changed the URL called by activeX from http to https, this will solve your problem.

gmc

[Neil Hillman]

Yes, I can understand why for references like "pluginspage" and "codebase" but for IMG tags!? What are you gonna do, load an unsecure GIF?
It seems a bit excessive to me...

[grandmasterC]

Hi,

If the reference for your image is relative then there is no prob, you WON'T have to change anything. Only when there are specific calls to http from https will the encyption be broken.

hope that helps,

gmc

[Neil Hillman]

Yes, but the problem with that is that I don't have my own Verisign certificate, so I am using my hosts, which means that my images are at:
www.<mydomain>.com
whilst my SSL pages are at:
www.<myhost>.com/<mydomain>/
so I can't use relative linking...

It's okay, it just means I have to change all my graphics to
www.<myhost>.com/<mydomain>/<filename>
...it's just a bit of a pain...

[grandmasterC]

I'm afraid so

But why not pay $90 and get your own certificate? It would be a lot easier and look more professional. Forget Verisign they are overpriced, look at Thwate or GeoTrust certificates instead they are a lot cheaper and many people use them instead.

gmc

[Neil Hillman]

Oh, we definately do intend on getting our own SSL certificate, it's just with Verisign they insist on you building the site first, then they send someone to try to "ethically hack" your site, before they will issue the certificate. So I'm having to build the site using my hosts certificate until they approve it.

Thanks for the info on Thwate & GeoTrust, I might try those instead. They both seemed to be nearer the $200 mark than $90, but that's still better than Verisign's $400!