This website does not supply identity information

So you’ve installed your SSL certificate and added a rewrite rule to ensure that anyone coming to your site comes in through HTTPS, not HTTP. (If you haven’t, there’s another post in the pipeline that you might want to read!) Everything seems OK, until you notice the little grey warning triangle in the address bar. It looks something like this:

Screenshot from 2015-12-18 16:51:48

(As you can see, this screenshot was taken from Firefox and it may be a little different on other browsers.) It tells you two things: first, that your SSL certificate doesn’t include anything to verify that you are who you say you are, and second, that something that’s being displayed on, or at least used by, your site is not being accessed via HTTPS.

Your first reaction on discovering this might well be mild alarm. You have just paid out for an SSL certificate and gone through the not inconsiderable hassle of installing it, only to find that anyone visiting your site is going to be confronted with a message that seems to cast doubt on your integrity!

The fact of the matter, though, is that only one of these issues needs attention. The chances are you made a deliberate decision to go for a low-end certificate because (a) it was much cheaper, and (b) it gave you all the security you needed. That was, in all probability, the right decision. Verifying who you are is clearly crucial if you’re a bank, the government, or a major corporation, but is more or less meaningless for the rest of us.

What may be important, though, is that in retrieving the information it is displaying, your browser also had to access another URL in clear, that is, without going through SSL. That communication might just possibly have been intercepted and modified by one of the many ne’er-do-wells that infest the internet. It probably hasn’t, mind you, but it might have been, and consequently the browser is warning your visitor not to place 100% reliance on the contents of your site. Which is fair enough, even if from your point of view it seems to have the potential to spread unnecessary alarm and despondency among visitors to your site.

The good news is that the problem is usually relatively easy to locate. All you need to do is to check the HTML that’s being sent to your browser and find the HTTP reference. There are numerous tools to help you do this. All browsers will allow you to view the page source, page information and media information. What you’re looking for is an href attribute or an img tag that refers to a URL using HTTP. The simplest thing is probably to view source, hit Ctrl-F and search for ‘HTTP’ (assuming your browser works like that).
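
The search described above can be automated. The following Python script is an added example, not code from the original post: it parses a page’s HTML and separates the http:// references the browser fetches while rendering the page (the ones behind the warning) from plain http:// links, which are only followed when clicked and do not cause it. The sample page and its example.com / example.org hosts are constructed.

```python
from html.parser import HTMLParser
# Tag -> attribute that makes the browser fetch a sub-resource while rendering.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
# <link> only fetches for some rel values; rel="canonical" is just metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload", "manifest"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure_loads = []  # (line, tag, url): these cause the warning
        self.plain_links = []     # (line, url): http:// links a visitor may click

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        line = self.getpos()[0]
        if tag == "a":
            if attrs.get("href", "").lower().startswith("http://"):
                self.plain_links.append((line, attrs["href"]))
            return
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            url = attrs.get("href", "") if rels & FETCHING_RELS else ""
        else:
            url = attrs.get(FETCH_ATTRS.get(tag, ""), "")
        if url.lower().startswith("http://"):
            self.insecure_loads.append((line, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.insecure_loads, finder.plain_links

# Constructed sample page; example.com and example.org are placeholder hosts.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="http://example.org/theme.css">
</head><body>
<a href="http://example.org/about">About</a>
<img src="https://example.com/logo.png">
<img src="http://example.org/photo.jpg">
<script src="//example.org/widget.js"></script></body></html>"""

if __name__ == "__main__":
    loads, links = find_mixed_content(SAMPLE)
    for line, tag, url in loads:
        print(f"line {line}: <{tag}> loads {url}")
    print(f"{len(links)} plain http:// link(s) that do not cause the warning")
```

It does not look inside stylesheets or inline style attributes, so a url(http://...) reference in CSS still needs the manual search.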

Fixing the problem may not be so easy, depending on how the HTTP reference got there in the first place. In the highly unlikely event that it was manually hard-coded, you can simply find the offending file and change it. More likely it’s a reference in a post or a page to an image or to another site. In that case you’ll have to edit the post or page and update the link to HTTPS. Of course, if the target URL doesn’t support SSL, you’re stuck! Well, not quite: if it’s the URL of an image you could consider copying the image to your server and linking to that instead. The same might even go for chunks of HTML, or whole pages, but the complexities are likely to mount up rapidly if you take this course.

Assuming, however, that you manage to get over these hurdles, you’ll have the satisfaction of seeing the warning exclamation mark change to a padlock. It will still be grey, of course, not green, because, as it rightly pointed out, ‘This website does not supply identity information’. The only way you’ll get around that is by getting a more expensive SSL certificate and satisfying the provider that you really are the rightful owner of the site. But that’s a whole nother post!