Author Topic: Non secure HTTP website google phase 2  (Read 11719 times)

Offline vreihen

  • El Niño chaser
  • Forecaster
  • *****
  • Posts: 1216
  • K2BIG
Re: Non secure HTTP website google phase 2
« Reply #75 on: May 08, 2017, 07:48:16 PM »
Quote
Like you I have used them for testing/fiddling but for a production Server, it seems like it would just be a source of additional overhead.

...that will quickly pay for itself a dozen times over when you need to replace the hardware due to upgrade or failure.  Since the hardware is emulated in the VM, it requires zero config changes to migrate from one physical server to another.  If you're running the enterprise version of VMware ESXi, you can even move a *running* VM (and/or virtual disks) from one physical server to another with zero downtime.....
WU Gold Stars for everyone! :lol:

Offline dupreezd

  • Forecaster
  • *****
  • Posts: 512
Re: Non secure HTTP website google phase 2
« Reply #76 on: May 08, 2017, 09:38:19 PM »
Quote
move a *running* VM (and/or virtual disks) from one physical server to another with zero downtime.

*running* means a server or terminal server with users logged in and running programs. Yep, it is actually quite amazing that you can do this. It is like unplugging your C: drive from one computer while it is running, plugging it into another one, and it just keeps going like nothing happened.
Davis VP2 6163 | WiFi Logger
CWOP - FW0717
Blitzortung 2100

Offline RickNY

  • Contributor
  • ***
  • Posts: 116
    • College Hills Weather - Farmingville, NY
Re: Non secure HTTP website google phase 2
« Reply #77 on: May 09, 2017, 01:04:36 PM »
FWIW -- You can also utilize a free Cloudflare account like I do for my website, and they'll provide you with a cert and SSL at no charge. The problem is that there is still mixed content on my site (Hello, NOAA - looking at you) so some pages will still show a mixed content warning.

I use a Digital Ocean VPS Droplet running Debian that costs me $5/month. And use Cloudflare Free with A records for my www site set to Cloudflare's servers for serving up my HTTP/HTTPS content. That also requires setting DNS for your domain to Cloudflare's DNS servers - but I've found their DNS dashboard to be good. It works quite well.

www.indigopc.com
« Last Edit: May 11, 2017, 09:52:24 AM by RickNY »

Offline weather34

  • Forecaster
  • *****
  • Posts: 1068
    • https://weather34.com/homeweatherstation
Re: Non secure HTTP website google phase 2
« Reply #78 on: October 22, 2017, 09:19:15 AM »
Hmmm, next phase due any day and it's about to get really annoying if your website template is non-HTTPS compliant. Forget your own views about "I don't care about Google" etc.; think about the visitors. Your visitors may be deterred by the next round of releases in reference to browsers and HTTPS.

Excerpt:

"In October Google is making changes to the Chrome browser and how secure browsing is handled. This change will impact millions of websites as Google pushes for a more secure web more aggressively than ever before. The Google Chrome browser will start marking any text input as “Not Secure” starting in October of this year. Any day now!"

Forms, payment options are not the big issue here; it's the text input areas, even the simple search or form input, whether it carries anything secure or not.

Firefox will no doubt follow suit, and sooner or later you can see speculation about mobile browsers (do a Google search) just refusing to deal with non-secure sites in any form.

And it still looks like most hosts are charging for the facility... interesting times ahead still.

brian

Offline chief-david

  • Educational Weather
  • Forecaster
  • *****
  • Posts: 2846
  • Space Academy for Educators
    • Benilde-St. Margaret's Weather
Re: Non secure HTTP website google phase 2
« Reply #79 on: October 22, 2017, 09:42:04 AM »
I will guess mine will get blocked. When I talked about it with the school tech people-they did not seem to understand what is happening.



You can't phase me-I teach Middle School.
It's not you-It's WU.

Offline weather34

  • Forecaster
  • *****
  • Posts: 1068
    • https://weather34.com/homeweatherstation
Re: Non secure HTTP website google phase 2
« Reply #80 on: October 22, 2017, 09:46:41 AM »
Quote
I will guess mine will get blocked. When I talked about it with the school tech people-they did not seem to understand what is happening.

Funny, I had a similar conversation with an American head of tech dept here in Istanbul a few months back. She didn't seem to grasp the importance outside of credit card stuff and didn't seem so bothered until one of the parents asked why their website is not secure; 3 days later it was all done. In fact the school thrives on technology and privacy concerns within the classrooms; I thought it was a priority at the time.

brian

Offline ALITTLEweird1

  • Mark
  • Global Moderator
  • Forecaster
  • *****
  • Posts: 923
    • North Bend Weather
Re: Non secure HTTP website google phase 2
« Reply #81 on: October 22, 2017, 02:42:57 PM »
I got free SSL and I'm on 1and1. Not sure how updated that chart is.
"Nature can do without man, but man cannot do without nature."


Software: WeatherDisplay
Hardware: Davis VP2 + VP2 Solar + VP2 UV + Lightning Detector + Logitech Webcam + Soil temp + Soil Moisture

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Non secure HTTP website google phase 2
« Reply #82 on: October 22, 2017, 06:11:24 PM »
It could be both ways, it could also mean people will see it more often, look it up, realize that on websites such as ours it is totally irrelevant and ignore it.

Offline ALITTLEweird1

  • Mark
  • Global Moderator
  • Forecaster
  • *****
  • Posts: 923
    • North Bend Weather
Re: Non secure HTTP website google phase 2
« Reply #83 on: October 22, 2017, 07:00:14 PM »
If it's free, why not do it. It definitely doesn't hurt.
"Nature can do without man, but man cannot do without nature."


Software: WeatherDisplay
Hardware: Davis VP2 + VP2 Solar + VP2 UV + Lightning Detector + Logitech Webcam + Soil temp + Soil Moisture

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Non secure HTTP website google phase 2
« Reply #84 on: October 22, 2017, 07:38:39 PM »
Yes, I completely agree with that; unfortunately my provider does not offer this for free.

Offline jgillett

  • Forecaster
  • *****
  • Posts: 1187
  • Boltek, Win7 Pro, ToA
    • TiggrWeather Phoenix
Re: Non secure HTTP website google phase 2
« Reply #85 on: October 22, 2017, 07:53:47 PM »
Quote
Yes, I completely agree with that; unfortunately my provider does not offer this for free.

Nor does mine, so it's either no https or move to another host. Not much choice...
John
W7JKG

Offline RickNY

  • Contributor
  • ***
  • Posts: 116
    • College Hills Weather - Farmingville, NY
Re: Non secure HTTP website google phase 2
« Reply #86 on: October 22, 2017, 08:59:08 PM »
If you guys are really concerned about this, and are happy with your current hosting provider, take a look at Cloudflare. They supply the SSL certificate free, it’s easy to set up, plus you get a number of security benefits of having them serve up your actual webpages instead of directly from your host. They basically act as a reverse proxy to your web hosting provider. You also get the benefit of content distribution, which is not that big a deal for regional weather sites — but delivers page loads to visitors fast regardless of where in the world they are located.

Cloudflare’s free plan works fine for sites like ours. Also there is no ad injection or anything goofy like that.

Additionally, many hosting providers have optimized arrangements with them that let you enable it directly from cPanel (1and1 I know is one of their optimized partners).

Be advised if you remotely load some things from non-HTTPS sources (one example being spc.noaa.gov) visitors are still going to get a warning because of mixed secure and non-secure content.
« Last Edit: October 22, 2017, 09:02:33 PM by RickNY »

Offline ValentineWeather

  • Forecaster
  • *****
  • Posts: 6373
    • Valentine Nebraska's Real-Time Weather
Re: Non secure HTTP website google phase 2
« Reply #87 on: October 23, 2017, 05:28:27 AM »
I purchased through SSLs.com for $14.95, 3-year plan for 1 domain. Installed myself, GoDaddy doesn't offer free certificates either.
Randy

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Non secure HTTP website google phase 2
« Reply #88 on: October 23, 2017, 07:37:15 AM »
Once my provider makes it free I will consider it and most likely transfer to https. Until then I will keep things the way they are, in terms of security it is totally useless because there are no private data being handled on my site.

Offline weatherc

  • Senior Contributor
  • ****
  • Posts: 278
Re: Non secure HTTP website google phase 2
« Reply #89 on: October 23, 2017, 07:41:18 AM »
You should ask your provider for Let's Encrypt. It's free and works well for our purpose. I have run it on my own server for months now.

One thing to remember when switching to HTTPS... All content shown/used on the site (JS, CSS, images, etc.) needs to be in HTTPS, else it fails. Can sometimes be tricky with external content....
« Last Edit: October 23, 2017, 07:43:03 AM by weatherc »
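
Added example (not part of any post in this thread): one way to find the mixed content that weatherc and RickNY describe before switching a page to HTTPS. The function name, the sample page and its example.org URLs are constructed for illustration.

```php
<?php
// Added example: report subresources a page would still load over http://.
// Ordinary <a href> links are navigation, not mixed content, so they are skipped.
function find_insecure_subresources(string $html): array
{
    // tag => attribute holding the URL (common cases only; not exhaustive)
    $targets = [
        'script' => 'src', 'iframe' => 'src', 'link' => 'href',
        'object' => 'data', 'embed' => 'src',
        'img' => 'src', 'audio' => 'src', 'video' => 'src', 'source' => 'src',
    ];
    $active = ['script', 'iframe', 'link', 'object', 'embed'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real-world HTML is rarely valid
    $doc->loadHTML($html);
    libxml_clear_errors();

    $found = [];
    foreach ($targets as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $url = trim($el->getAttribute($attr));
            if (stripos($url, 'http://') !== 0) {
                continue;               // https://, relative and data: URLs are fine
            }
            if ($tag === 'link' && stripos($el->getAttribute('rel'), 'stylesheet') === false) {
                continue;               // this sketch only checks stylesheet links
            }
            // Active mixed content is blocked by browsers; passive content draws a warning.
            $kind = in_array($tag, $active, true) ? 'active' : 'passive';
            $found[] = ['tag' => $tag, 'url' => $url, 'kind' => $kind];
        }
    }
    return $found;
}

// Constructed sample page; the example.org hosts are placeholders.
$sample = <<<HTML
<html><head>
<link rel="stylesheet" href="https://www.example.org/style.css">
<script src="http://cdn.example.org/gauges.js"></script>
</head><body>
<a href="http://www.example.org/about">About</a>
<img src="http://images.example.org/radar/latest.png">
</body></html>
HTML;

foreach (find_insecure_subresources($sample) as $hit) {
    printf("%-7s <%s> %s\n", $hit['kind'], $hit['tag'], $hit['url']);
}
```

On the sample it reports the script as active and the image as passive, and ignores the plain link and the HTTPS stylesheet.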

Offline ValentineWeather

  • Forecaster
  • *****
  • Posts: 6373
    • Valentine Nebraska's Real-Time Weather
Re: Non secure HTTP website google phase 2
« Reply #90 on: October 23, 2017, 07:54:51 AM »
You can test site here: https://www.ssllabs.com/ssltest/
Randy

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Non secure HTTP website google phase 2
« Reply #91 on: October 23, 2017, 10:44:57 AM »
Quote
You should ask your provider for Let's Encrypt. It's free and works well for our purpose. I have run it on my own server for months now.

One thing to remember when switching to HTTPS... All content shown/used on the site (JS, CSS, images, etc.) needs to be in HTTPS, else it fails. Can sometimes be tricky with external content....

I know, the problem is that they don't want to make it free... obviously....

Images can be bypassed. Load them with PHP (will let you load http even on https) and then temporarily save them on your server as https. Works in 99% of cases.

Offline weatherc

  • Senior Contributor
  • ****
  • Posts: 278
Re: Non secure HTTP website google phase 2
« Reply #92 on: October 23, 2017, 10:48:38 AM »
Quote
Images can be bypassed. Load them with PHP (will let you load http even on https) and then temporarily save them on your server as https. Works in 99% of cases.

I do that but do not even temporarily save the image, I just use
Code:
// Pass the image's MIME type ($type) through to the browser
header('Content-Type:'.$type);
// Stream the file ($file) straight to the visitor without saving a copy
readfile($file);

Offline Jáchym

  • Meteotemplate Developer
  • Forecaster
  • *****
  • Posts: 8605
    • Meteotemplate
Re: Non secure HTTP website google phase 2
« Reply #93 on: October 23, 2017, 11:19:15 AM »
Yes, it depends; if you want to use the same image repeatedly, then it is faster to temporarily save it (or cache it).
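
Added example (not code from either poster): a version of the PHP image pass-through discussed in the last few replies, with the short-lived cache included. It assumes the visitor may only choose a key from a fixed list, never a URL or path, and that the script verifies the bytes are really an image before sending them from the HTTPS origin. The `SOURCES` entry, the `img` parameter and the example.org URL are constructed placeholders.

```php
<?php
// Added example. Upstream images are fixed server-side so the script cannot be
// used to fetch arbitrary URLs or local files.
const SOURCES = [
    'radar' => 'http://images.example.org/radar/latest.png',  // placeholder URL
];
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];
const CACHE_TTL = 300;       // seconds a cached copy is reused
const MAX_BYTES = 2000000;   // cap on how much is read from upstream

// Returns the MIME type if $bytes is an allowed raster image, else null.
function verified_image_type(string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !in_array($info['mime'], ALLOWED_TYPES, true)) {
        return null;
    }
    return $info['mime'];
}

function serve_proxied_image(string $key, string $cacheDir): void
{
    if (!array_key_exists($key, SOURCES)) {
        http_response_code(404);
        return;
    }
    $cacheFile = $cacheDir . '/imgproxy_' . $key . '.cache';  // $key is allowlisted
    if (!is_file($cacheFile) || time() - filemtime($cacheFile) > CACHE_TTL) {
        // Short timeout, no redirects to other hosts, bounded read.
        $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
        $fresh = @file_get_contents(SOURCES[$key], false, $ctx, 0, MAX_BYTES);
        if ($fresh !== false && verified_image_type($fresh) !== null) {
            file_put_contents($cacheFile, $fresh, LOCK_EX);
        }
    }
    $bytes = is_file($cacheFile) ? file_get_contents($cacheFile) : false;
    $type = $bytes === false ? null : verified_image_type($bytes);
    if ($type === null) {
        http_response_code(502);   // upstream down or not an image: send nothing
        return;
    }
    header('Content-Type: ' . $type);            // type derived from the bytes
    header('X-Content-Type-Options: nosniff');   // browser must not re-guess it
    echo $bytes;
}

serve_proxied_image((string) ($_GET['img'] ?? ''), sys_get_temp_dir());
```

The image is still fetched from upstream over plain HTTP, so the proxy removes the browser warning but does not protect that leg of the transfer.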

Offline weatherc

  • Senior Contributor
  • ****
  • Posts: 278
Re: Non secure HTTP website google phase 2
« Reply #94 on: October 23, 2017, 11:21:04 AM »
That's true.

Offline Bunty

  • Forecaster
  • *****
  • Posts: 2432
  • Stillwater, home of Oklahoma State University
    • Welcome to Stillwater Weather
Re: Non secure HTTP website google phase 2
« Reply #95 on: October 24, 2017, 01:59:03 AM »
Quote
If it's free, why not do it. It definitely doesn't hurt.

My provider does it for free but the visitor has to manually punch in https://

Also the 2nd home page using modified AltDashboard 6.95 at http://stillwaterweather.com/2ndhome.php

Offline ALITTLEweird1

  • Mark
  • Global Moderator
  • Forecaster
  • *****
  • Posts: 923
    • North Bend Weather
Re: Non secure HTTP website google phase 2
« Reply #96 on: October 24, 2017, 09:10:34 AM »
When I switched, all of my links changed to https... I only had to do a few things myself.
"Nature can do without man, but man cannot do without nature."


Software: WeatherDisplay
Hardware: Davis VP2 + VP2 Solar + VP2 UV + Lightning Detector + Logitech Webcam + Soil temp + Soil Moisture

Offline weatherc

  • Senior Contributor
  • ****
  • Posts: 278
Re: Non secure HTTP website google phase 2
« Reply #97 on: October 24, 2017, 09:34:46 AM »
Quote
My provider does it for free but the visitor has to manually punch in https://

You can do a redirect HTTP => HTTPS.

At least Firefox forces HTTPS even if you type something like "domain.com" without any http/https in the address bar once HTTPS has been used once. It needs a cleanup of FF caches before it allows HTTP for that domain again.

Offline Jasiu

  • Forecaster
  • *****
  • Posts: 949
    • LexMAWeather
Re: Non secure HTTP website google phase 2
« Reply #98 on: October 24, 2017, 09:48:44 AM »
Quote
I got free SSL and I'm on 1and1. Not sure how updated that chart is.

With my 1and1 account I get one certificate for no additional costs. Have to pay for each additional domain.
https://lexmaweather.info
On Mastodon: @LexMAWeather@toot.community

Offline Jasiu

  • Forecaster
  • *****
  • Posts: 949
    • LexMAWeather
Re: Non secure HTTP website google phase 2
« Reply #99 on: October 24, 2017, 09:52:15 AM »
Quote
My provider does it for free but the visitor has to manually punch in https://

I found this bit of code to put into the .htaccess file on a Linux server which redirects http accesses to https:

Code:
# Turn on mod_rewrite for this directory
RewriteEngine On
# Only act on requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# Permanently (301) redirect to the same host and path over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
https://lexmaweather.info
On Mastodon: @LexMAWeather@toot.community
