Topic: SSL

[yamiacaveman]

Recently, when I was looking through the posts I believe I came across someone using a ssl (https://www.xxx.com) with the weather template used here. I was wondering how hard that would be to implement.

My host offers a free I guess you would call it a shared certificate, and with a push (mostly from Google) to use only secure web sites, I was wondering how hard it would be to switch over.

I have a forum started, just like this smf forum and recently I switched it over to a ssl site. Ok before I continue those of you who know me also know I really don't know much -- so with the "Help of my Host" the site was changed to https.

Two problems I ran into, first the redirect in cpanel did not seem to be working so my host added a few lines of code to my .htaccess file.
2nd after they did that my site worked (https://) but the formatting was way out. So my host directed me to http://wiki.simplemachines.org/smf/Repair_settings.php  neat little thing with that I was able to go in and correct all my URL's that still pointed to the http stuff -- like the themes, after I changed those url's to the https:// in the program, so far all is good.

So my point: Would I have to go through the whole template looking for all the URL's to change or wouldn't there be that many?

At this point just looking for opinions, and or first hand experience.

Thanks for any comments!

[Jáchym]

Hi,

several users of Meteotemplate now use https. There were some problems when the first one tried it, but I already fixed them.

The major problem was with loading external scripts.

In the original scripts I often referenced them by for example:

<script src="http://....."></script>

This was the case for loading many scripts from public CDNs (Highcharts, jQuery etc.).

A simple solution to this is use only the two slashes, like this:

<script src="//......">

This will guarantee you it will work for both http and https. In your case I guess it will not be so difficult to change the URLs, you could do a simply find/replace all in some more sophisticated code editor. It is better to use the "//" notation than "https" because some of the external sources might not be available over the https protocol.

One other thing I also had to make sure is that all sites have the <!DOCTYPE html> at the beginning, otherwise it did not correctly display the CSS.

[Maumelle Weather]

It is something I have looked at, but have decided not to implement at this time, mainly because my site does not ask for any information, outside of a cookie, whether it is personal, financial, etc. I will go to SSL if and when my webhost requires it.

[yamiacaveman]

There have been more and more article like this:  Google wants everything on the web to be travelling over a secure channel. That’s why in the future your Chrome browser will flag unencrypted websites as insecure, displaying a red “x” over a padlock in the URL bar,
and “The goal of this proposal is to more clearly display to users that HTTP provides no data security.”

I just wondering if this is like a major movement that will be coming down the road soon, and should I or all of us get prepared to switch?

For what I use it for, I don't think I need it, I collect no money, passwords or stuff like that, but again do I also want a red padlock on my site?, lol.

[Jáchym]

This is exactly what we discussed here some time ago in a different thread.

For our weather websites, using https is absolutely useless - there are no user authentications, sensitive information being exchanged between the user and the server.

But as it was pointed out, the problem is that Chrome (and others will follow) as of January 2017 will lable http sites as insecure.

As much as I absolutely favor https, I only do so in cases where it makes sense. In this case however, it is a problem because a normal user who has no idea what https means will only see "insecure" and might simply close the site thinking there is some kind of malware on the site which Google detected.

I guess there is not much we can do. Now it is Chrome, but Ive already read FF is going to do the same thing and that pretty much covers 85% of all internet users.

[nincehelser]

I just wondering if this is like a major movement that will be coming down the road soon, and should I or all of us get prepared to switch?

Unfortunately, there does seem to be an "encrypt everywhere" movement.  High security may sound nice, but it's a double-edged sword.

For example, if the devices in your home only talk through encrypted channels, you have little hope of catching "bad behavior", such as some random hacked device with a microphone eavesdropping on your conversations and sending them somewhere on the internet. 

Encryption should be used where it makes sense, but it shouldn't be applied blindly to everything.

[Jáchym]

it shouldn't be applied blindly to everything.

Which unfortunately is not going to be the case:
http://www.pcworld.com/article/3118164/security/google-chrome-to-start-marking-http-connections-as-insecure.html

[yamiacaveman]

Yes Jachym, that's the kind of articles I have been reading for a while now.

Oh, and I didn't mean to start another thread, sorry.

Again, I am still wondering how hard it is going to be to change the templates.

I wonder how the consumers are going to take it: I guess some will take it seriously and avoid those sites marked by their browser and I guess some will be informed and not worry, and of course there are those who won't care at all.

[Jáchym]

Which template in particular are you talking about?

It is actually not so difficult I think. My template is already 100% compatible with HTTPS and I think the other templates (Saratoga, Leuven and PWS) are also either completely compatible or you would only need to change a few links.

[yamiacaveman]

Well, I use the Saratoga templates and just wondering if anyone actually made the change to HTTPS, how did it go, and how many folders, and files did they have to root through and change the url's.

Just curious, because sometime down the road it may be in our best interest???

[tbrasel]

I use https with Saratoga templates. The switch took place with no issues with added guidance from Suresupport.com. I had a few script urls in which needed the https applied, but mostly just switching or adding the https to your url web pages is where most of my effort was applied.

I can verify it appears to help with search engines. I was like back on page 7 or 9 last summer, however now the website is on page 2 & 3 of google. Other than switching to https, no changes had taken place.

[Jáchym]

I use https with Saratoga templates. The switch took place with no issues with added guidance from Suresupport.com. I had a few script urls in which needed the https applied, but mostly just switching or adding the https to your url web pages is where most of my effort was applied.

I can verify it appears to help with search engines. I was like back on page 7 or 9 last summer, however now the website is on page 2 & 3 of google. Other than switching to https, no changes had taken place.

which is sort of sad.... as I mentioned previously, https is great, or in fact not great, it is essential, but only where it makes sense. I cannot afford paying twice as much just to get a certificate that would be completely useless to me other then ranking higher in Google, with no benefit to the user whatsoever. Fortunately my template is already number one when you search weather website templates, which shows it is still possible to achieve good ranking if you have quality content and lot of references.

[yamiacaveman]

Thanks for the response tbrasel!

Good to hear it wasn't to bad. That was kind of my biggest concern, finding all the URLS to change, as long as it is not too bad, this winter might be a good time to make the switch.

[tbrasel]

I use https with Saratoga templates. The switch took place with no issues with added guidance from Suresupport.com. I had a few script urls in which needed the https applied, but mostly just switching or adding the https to your url web pages is where most of my effort was applied.

I can verify it appears to help with search engines. I was like back on page 7 or 9 last summer, however now the website is on page 2 & 3 of google. Other than switching to https, no changes had taken place.

which is sort of sad.... as I mentioned previously, https is great, or in fact not great, it is essential, but only where it makes sense. I cannot afford paying twice as much just to get a certificate that would be completely useless to me other then ranking higher in Google, with no benefit to the user whatsoever. Fortunately my template is already number one when you search weather website templates, which shows it is still possible to achieve good ranking if you have quality content and lot of references.

SSL did not cost me one dime Sir, it was already on the server. All I had to do was flip the switch. (Hence Suresupport.com)
Research has been my best friend !

[yamiacaveman]

I did notice tbrasel that when I clicked on your link https://www.nwarwx.com/ you did indeed have the HTTPS but no green or green lock showing, will this give the "Red" padlock warning from Google in the future?

[tbrasel]

Where I have "images" embedded no green, but other pages are https://nwarwx.com/wxnoaaiod.php

[Jáchym]

Yes, unfortunately my provider does not offer this for free

[tbrasel]

I did notice tbrasel that when I clicked on your link https://www.nwarwx.com/ you did indeed have the HTTPS but no green or green lock showing, will this give the "Red" padlock warning from Google in the future?

I am absolutely still learning SSL & the WWW.

However, I think some of the images on my frontpage still utilizes http: instead of the https:, thus I speculate the reason for the red.

When I have time to go through front page associated scripts, I will then verify I am using all https for my image links. I get to go on vacation for about 3 weeks, here in about a week, thus some down time.

[yamiacaveman]

Yes, I see you do have the green padlock on your other pages. Ok, so like you said some more digging!

[parsoli]

Most are using Let'sEncrypt.  With Meteotemplate, there is still code calling http: instead of HTTPS: which will cause a lack of green lock as well as the cert and it's trusted provider as well.  If you look below, this is a return with Google Chrome showing insecure loading of things like stylesheet

Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=PT+Sans:400,700&subset=latin,cyrillic-ext,latin-ext'. This request has been blocked; the content must be served over HTTPS.
indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=PT+Sans+Narrow:400,700&subset=latin,cyrillic-ext,latin-ext'. This request has been blocked; the content must be served over HTTPS.
indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900&subset=latin,cyrillic-ext,latin-ext'. This request has been blocked; the content must be served over HTTPS.
jquery.min.js:4 Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.send @ jquery.min.js:4
(unknown) Meteotemplate:  Loading Block Radar U.S. 5.0
(unknown) Meteotemplate: Selected layout: vertical
(unknown) Meteotemplate: Selected region: lot
(unknown) Meteotemplate: Selected national order: down
(unknown) Meteotemplate: Block loaded in 0.0028 s.
indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://i.imwx.com/web/radar/us_radar_plus_usen.jpg'. This content should also be served over HTTPS.
indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://radar.weather.gov/ridge/lite/NCR/LOT_loop.gif'. This content should also be served over HTTPS.
indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure video 'http://audioplayer.wunderground.com/gooselakewx/morris.mp3'. This content should also be served over HTTPS.
2indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://icons.wxug.com/i/c/k/partlycloudy.gif'. This content should also be served over HTTPS.
2indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://icons.wxug.com/i/c/k/clear.gif'. This content should also be served over HTTPS.
2indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://icons.wxug.com/i/c/k/snow.gif'. This content should also be served over HTTPS.
indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://icons.wxug.com/i/c/k/partlycloudy.gif'. This content should also be served over HTTPS.
2indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://icons.wxug.com/i/c/k/clear.gif'. This content should also be served over HTTPS.
indexDesktop.php:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure image 'http://icons.wxug.com/i/c/k/partlycloudy.gif'. This content should also be served over HTTPS.
https://weather.parsoli.net/homepage/blocks/naSatellite/naSatelliteLoader.p…satellite%2Fsatellite_anim_e.html%3Fsat%3Dgoes%26area%3Dnam%26type%3D1070x Failed to load resource: the server responded with a status of 403 (Forbidden)
https://weather.parsoli.net/fonts/digital-7-mono.ttf Failed to load resource: the server responded with a status of 404 (Not Found)
VM65:1019 DOMException: A network error occurred.
https://weather.parsoli.net/fonts/digital-7-mono.ttf Failed to load resource: the server responded with a status of 404 (Not Found)
graph.php?theme=dark:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=PT+Sans:400,700&subset=latin,cyrillic-ext,latin-ext'. This request has been blocked; the content must be served over HTTPS.
graph.php?theme=dark:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=PT+Sans+Narrow:400,700&subset=latin,cyrillic-ext,latin-ext'. This request has been blocked; the content must be served over HTTPS.
graph.php?theme=dark:1 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900&subset=latin,cyrillic-ext,latin-ext'. This request has been blocked; the content must be served over HTTPS.
highcharts.js:11 Mixed Content: The page at 'https://weather.parsoli.net/indexDesktop.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=PT+Sans:400,700&subset=latin,cyrillic-ext,latin-ext'. This request has been blocked; the content must be served over HTTPS.

[parsoli]

Just for $hits and giggles, changed all the http://fonts.googleapis.com/......in main.php to https://....
Then took out of blocks the NOAA weather radio and the naSatellite map block
Removed forecast block

Now I have a green lock.

I'm finding many of the images hosted by external websites whether it's WU, Googleapis, NOAA.....are served both in HTTP and HTTPS.  I think it goes back to a few of your comments about the "secure" end is near and most should start coding with https in mind if possible.

[parsoli]

Oh yes.  Another point.  After I enabled SSL/HTTPS for my weather site and had Google re-crawl/re-index my site, I went from a normal position of # 52 to position # 7 when searching the name of my city and "weather".

No bad.....

[vreihen]

Yes, unfortunately my provider does not offer this for free

As parsoli mentioned, LetsEncrypt it is a 100% free certificate authority:

https://letsencrypt.org/

The big gotcha with them (if you can call it that) is that they require you to use a software program to frequently request a new certificate with very short lifetimes.  There are multiple open-source software packages available to automate this on various web-hosting platforms, so it is just a matter of rolling up your sleeves if you're using a web server and have console access to install software.  They really are trying to lower the barriers for SSL adoption on *every* web server.

I have personally not set up LetsEncrypt or CertBot yet, but it is on my project list to test it at some point in the next month or so.....

[Jáchym]

The problem is that you cant simply replace all links with https, eg. the asteroids page will stop working if you do that, even "//" will not work. It must be http, and there are others. Unfortunately untill all pages are https there will likely to be mixed content

[graculus]

As parsoli mentioned, LetsEncrypt it is a 100% free certificate authority:

https://letsencrypt.org/

The big gotcha with them (if you can call it that) is that they require you to use a software program to frequently request a new certificate with very short lifetimes. 

Interesting  So far my free-with-hosting LetsEncrypt certificates have always automatically renewed.