Unsecured Form Warning when Secured Form is Submitted on iPhone

  • baldwinandlyons
    Asked on June 4, 2015 at 11:45 AM

    I have a form set to be secure. I just tested the form on my iPhone, and I got a message saying the form is not secure. See screenshot. Why am I getting this warning on a secure form?

    [Screenshot]
  • KadeJM
    Replied on June 4, 2015 at 1:42 PM

    To my understanding you are getting an "unsecured" form message on iPhone even though your form is set as secured.

    I tested this on my end, but so far I have been unable to replicate the issue. Both browsers show the forms as secured, with the associated lock icons in the upper left corner of the URL address bar.

    I noticed in your screenshot that you are "submitting" it, which leads me to believe that you might be experiencing the problem right at that point in time.

    Does your form appear to be secured on your end before submitting? And is it possibly during the submission that this happens?

    I tried this again afterwards in a separate test on my end during submit, but I could not replicate it there either.

    Are you using Mobile Safari when this happens?

    May we have your permission to test this during submit directly on your form?

     

    Mobile Safari: [Screenshot]

    Mobile Chrome: [Screenshot]

     

  • baldwinandlyons
    Replied on June 4, 2015 at 2:34 PM

    I received the warning right after clicking the Submit button. I was using mobile Safari. You may test directly with the live form as long as you put TEST into one of the fields so we know which ones are not real submissions.

  • Mike
    Replied on June 4, 2015 at 4:09 PM

    I was not able to reproduce the issue using the iOS emulator at https://www.browserstack.com.

    [Screenshot]

    Are you still facing the submission issue with your iPhone? Do you get any errors if you open the following submission domain?

    https://submit.jotformpro.com

    Thank you.

  • baldwinandlyons
    Replied on June 5, 2015 at 9:37 AM

    I still get the warning message upon submission on my iPhone. I did not get any errors or warnings when I visited the https://submit.jotformpro.com link.

    [Screenshot]

  • KadeJM
    Replied on June 5, 2015 at 11:55 AM

    Thank you kindly for the update about this matter.

    Looking at it again I was able to replicate the same issue that you've reported to us above.

    Please allow me some more time to investigate this problem more in-depth and I will respond again about the issue as soon as I know more about it including a possible solution if any.

  • KadeJM
    Replied on June 5, 2015 at 12:41 PM

    I believe I've found the cause and a solution.

    The solution to resolve the issue is to use either of the following links below and leave out the "/form/", in which case it should work -

    #1 https://www.jotformpro.com/51466069477971 

    or

    #2 https://secure.jotformpro.com/51466069477971

     

    It seems that the culprit of the problem is likely due to a flaw in Mobile Browsers that has caused it to ignore SSL if there is an extended domain (with additional prefixes in its URL address).

    What has led me to this conclusion, you ask?

    It's simple. By default your location determines your server for your forms, which in your case is http://www.jotformpro.com/form/51466069477971 because you are a subscriber, hence your www.jotformpro.com domain. The problem with it though is that we have many, many servers and many, many users, so for some you may sometimes end up with www.jotformpro.com/form/xxxxx as an example.

    When you secure a form you can use either https:// or https://secured, so it's safe to rule that out of the equation. I then noticed in my tests that when I removed the "/form/" on the secured link, it was re-enabled and the form was secure again, as the address bar security lock reappeared.

    The reason this doesn't happen on Desktops is because your computer was programmed to recognize the extended URLs, as it's already smart enough to know that. Whereas on Mobile Devices such as iOS in this case, it looks like this security issue for browsers was obviously overlooked, it appears, and so it went unnoticed. I believe it would need to be a browser hotfix done by Apple, as I'm not really sure of any other way around it other than to change the URL manually as above.

     

    Before: [Screenshot]

    After: [Screenshot]

     

     

  • KadeJM
    Replied on June 5, 2015 at 12:45 PM

    Also, the reason I didn't catch this at first was because I was using the link from your forms provided by our admin panel when I originally inspected it, so that led me to believe there wasn't a problem at first, and I do apologize about any inconveniences that this may have caused you.

  • thespanishfactory
    Replied on June 6, 2015 at 8:50 AM

    I had a similar problem with the secure form when using the embed code:

    This issue occurred on Android and mobile devices; on desktops it was working.

    I have changed "secure" to "www" in the URL as you advised and now it is working again on mobiles, after several months without a solution.

    This needs to be fixed for good because the default embedding code that JotForm is providing looks to be wrong and does not work properly with SSL. Half of our clients are connecting by mobile.

     

  • Jan
    Replied on June 6, 2015 at 12:07 PM

    @thespanishfactory

    Please open a new thread if you have any issues or concerns so that we can assist you properly. For now, I created a separate thread about your inquiry. This is the URL of the new thread: http://www.jotform.com/answers/583323

    We will attend to it shortly. Thank you for understanding.

  • thespanishfactory
    Replied on June 6, 2015 at 5:20 PM

    I do not have any issues as this was solved; I just wanted to add this here so that people know what is going on and have the chance to understand the problem. Can I participate in the forum as a user?

  • KadeJM
    Replied on June 6, 2015 at 6:32 PM

    @thespanishfactory

    No problem. As far as I know we do allow it, but I think Jan felt, based on your response, that you were reporting a similar issue, which was the reason for your issue being split off into a new thread.

  • baldwinandlyons
    Replied on June 8, 2015 at 9:32 AM

    I wouldn't call this a "flaw in mobile browsers," I would call it a flaw with JotForm. The URL that JotForm generates needs to be compatible with mobile browsers. The majority of my audience for this survey is on mobile devices.

    I have already sent out an email containing a link to the survey, so I cannot change the URL now. The security warning pop-up makes us look untrustworthy to our customers. Is there a way to get the form to be trusted without changing the URL?

  • KadeJM
    Replied on June 8, 2015 at 1:16 PM

    I've looked at it some more recently, and other than the workaround I have provided I'm not really sure of a better solution as of right now, but know that I'm still investigating it to look for a better solution.

    I did additionally do some further testing, including other links, and this does currently appear to be more involved within the form URLs, so I do apologize about blaming it on the browser, as I think I was probably out on a branch with an incorrect thought that led me there.

    Because of the nature of this issue, I think at this point it is best to send a bug report about a possible stripped security layer when your SSL forms are viewed on mobile with the extended URL address. Our developers will look into the issue as soon as they are able to do so, and once they're able to apply a necessary fix we'll go ahead and update you here as soon as more is known and done.

     

     

  • baldwinandlyons
    Replied on June 8, 2015 at 3:04 PM

    Are you submitting the bug report, or is there additional action I need to take?

    Thank you.

  • Mike
    Replied on June 8, 2015 at 4:14 PM

    Kade has already submitted the ticket.

    I am also testing this to provide our developers with additional details.

    Thank you for your cooperation in this matter.

  • Mike
    Replied on June 8, 2015 at 5:22 PM

    It seems that in some very specific cases the form is trying to load the files via a regular http:// connection, so that it is being considered as only partially secure.

    [Screenshot]

    We will get back to you as soon as we have any updates.
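An added example, not part of the original thread or Jotform's code: a small audit of the condition described in the reply above, where an HTTPS form page references files over plain http://. It goes one step beyond the thread by also flagging form submit targets that use http://; the example.test hosts and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that point the browser at another URL (link is checked regardless of rel).
URL_ATTRS = {"form": ("action",), "button": ("formaction",), "input": ("formaction",),
             "script": ("src",), "img": ("src",), "iframe": ("src",), "link": ("href",)}

class InsecureRefFinder(HTMLParser):
    """Collect references that leave HTTPS on a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value is None:
                continue
            # Resolve relative and scheme-relative URLs against the page URL.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme != "http":
                continue
            # A form target is where the data is sent; the rest is mixed content.
            kind = "insecure-submit" if name in ("action", "formaction") else "mixed-content"
            self.findings.append((kind, tag, name, resolved))

def audit(page_url, html):
    """Return the insecure references in html, or [] if the page is not HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; example.test hosts are placeholders.
SAMPLE = """
<link rel="stylesheet" href="//cdn.example.test/form.css">
<script src="http://cdn.example.test/form.js"></script>
<form method="post" action="http://submit.example.test/submit/123">
  <input name="q1"><button type="submit">Submit</button>
</form>
<img src="/logo.png">
"""

if __name__ == "__main__":
    for finding in audit("https://forms.example.test/form/123", SAMPLE):
        print(*finding)
```

Scheme-relative and path-relative references inherit https from the page and are not reported; only the hard-coded http:// script and form target are.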

  • thespanishfactory
    Replied on June 12, 2015 at 7:34 AM

    Well, the solution you provided in this post (adding www) does not work any more. This morning I saw all my forms not showing in my website.

    Please check https://www.jotformpro.com/51466069477971

    Your connection is not private

    Attackers might be trying to steal your information from www.jotformpro.com (for example, passwords, messages, or credit cards).

     

    NET::ERR_CERT_COMMON_NAME_INVALID

    Why did you change this and not advise us? Do you not see that for many, many users the form is a key part of their business?

  • Jan
    Replied on June 12, 2015 at 8:48 AM

    @thespanishfactory

    We will answer your inquiry in the thread that you created.
    http://www.jotform.com/answers/587214-AGAIN-Unsecured-Form-SSL-Warning-when-Secured-Form-is-Submitted-on-MOBILE#0

  • thespanishfactory
    Replied on June 12, 2015 at 11:32 AM

    Yes, sure, I am still waiting for your reply.

  • Jan
    Replied on June 13, 2015 at 9:34 AM

    Seems like you are not logged in when you posted that reply.

    Unfortunately we don't have an update yet regarding this issue. It is still being investigated by our developers. We will notify you (baldwinandlyons) via this thread once an update is available.

    Thank you for your patience.

  • thespanishfactory
    Replied on June 13, 2015 at 9:40 AM

    @Jan what about me? You told me that you would reply in my new post, but the only thing I got was 2 nonsense replies not dealing with the root of the problem. The customer service is just ignoring my request.

  • thespanishfactory
    Replied on June 13, 2015 at 9:42 AM

    I had to contact the founder via Twitter in order to get help.

  • Jan
    Replied on June 13, 2015 at 11:22 AM

    @thespanishfactory

    Sorry for that. The post above my last reply was from a user that is not logged in, so I thought it was from the thread starter. I can see that you already have a thread regarding your issue. The problem is that whenever you post a reply to your own thread, it gets down the queue. The threads are automatically assigned to us by our tool. If we cannot fix your issue, we escalate it to our next level. So please be patient and don't post multiple replies on your own thread from time to time because your thread will go down the queue.

    Hope you understand. Thank you.

  • thespanishfactory
    Replied on June 13, 2015 at 11:32 AM

    @Jan

    After I received two absurd replies in my post, I properly replied to them. You have been responding to a lot more posts in this forum after I replied to you, and you have deliberately ignored my replies and failed to provide me any update at all, giving me no other alternative than to ask and ask and ask for the help that I am still waiting for.

  • alp_deniz
    Replied on June 22, 2015 at 8:39 AM

    Hello,

    Secure mobile form issues have just been fixed. Please let us know if it persists.

    Thank you for letting us know.

    Kind regards

  • tjacobson
    Replied on July 31, 2015 at 12:16 PM

    I noticed that your last response indicated that the secure mobile form issues were fixed on June 22, 2015.

    I think the issue may have reemerged as I have had a couple of calls from our customers indicating that they are getting the message "This form is not secure. Are you sure that you want to submit it?" when they click submit on our forms. I also was able to recreate the same issue on my phone. I tried using one of the solutions earlier in this thread by removing the /form/ from the URL but I got the same error message upon submission. 

    Do you have any other suggestions on what we need to do to fix this?

  • KadeJM
    Replied on July 31, 2015 at 1:37 PM

    Thank you for informing us about this matter again if that is the case. However, we consider the original issue here to be resolved.

    But, as you have stated you are experiencing a re-emergence of a similarly related issue I have moved over here to a new thread where we can check it as a new separate issue for you.