Author Topic: Please make your sites https:// secure or regret it  (Read 2946 times)


Offline weather34

  • Forecaster
  • *****
  • Posts: 1068
    • https://weather34.com/homeweatherstation
Please make your sites https:// secure or regret it
« on: February 12, 2020, 02:00:01 AM »
If you have ignored the rants and raves about the importance of making your sites secure, then by the end of the year you just might regret it. Don't take the view "I have nothing personal displayed, I don't have any payment methods, I have nothing worthy, etc."

Chrome browser by the end of the year (and make no mistake, others will either follow or have made the shift) will block all non-secure content entirely. Right now you see annoying popups, but eventually it will be just blank spaces or non-loading of pages.

Here is the list to ponder over, and you can bet you have at least one of these?

1. Executable downloads: .exe, .apk, .dmg
2. Archives: zip, rar, iso, etc.
3. Documents: PDF, docx, txt
4. The big one to consider: images!!! png, jpg, gif, svg ...
5. Media: mp3, mp4, video content!!!

Basically all mixed content, and the year 2020 was predicted to be the year security would be heavily focused on in browser development on desktops and devices. I have ranted about https:// for a few years now, and often I saw a lot of ignorance or the view that it's another money-making method, but I could see what the future had in store, and the fact is that most major browsers implemented cautions in stages, but it is expected that by the end of 2020 it won't be a caution...

https:// secure will also give you the future benefits of using HTTP/2 and the big trust factor..

So if you haven't, do it now: make your site secure ... Unfortunately some hosts will be reaping the reward by putting a price tag on the implementation, but that may be down to labour/time; all employees want paying ....

do it today ...
« Last Edit: February 12, 2020, 02:01:41 AM by weather34 »

Offline galfert

  • Global Moderator
  • Forecaster
  • *****
  • Posts: 6822
Re: Please make your sites https:// secure or regret it
« Reply #1 on: February 12, 2020, 06:12:15 AM »
It is also good to know that getting an SSL Certificate doesn't have to cost anything. You can get a free SSL Certificate from Let's Encrypt or CAcert. So don't get taken.

Setting up HTTPS doesn't explicitly require an SSL Certificate, but the browser will complain that it can't verify the connection if there isn't a root certificate trust installed.
« Last Edit: February 12, 2020, 06:17:21 AM by galfert »
Ecowitt GW1000 | Meteobridge on Raspberry Pi
WU: KFLWINTE111  |  PWSweather: KFLWINTE111
CWOP: FW3708  |  AWEKAS: 14814
Windy: pws-f075acbe
Weather Underground Issue Tracking
Tele-Pole

Offline 92merc

  • BismarckWeather.net
  • Forecaster
  • *****
  • Posts: 1314
  • BismarckWeather.net
    • BismarckWeather.net
Re: Please make your sites https:// secure or regret it
« Reply #2 on: February 12, 2020, 10:30:42 AM »
And even if you have GoDaddy, you don't have to buy their certification.  They will lead you to believe that.  But you don't.  I'm running SSLforFree certs on my 2 sites.  It's about 20 minutes of work every 3 months.  After doing it a few times, it's not so bad.

Since GD is using CPanel, and a lot of other hosts are as well, I could probably whip up a manual on getting going.
https://www.BismarckWeather.net
Davis VP2, Cumulus, WeatherDisplay, Blitzortung, Saratoga Scripts, NOAA Stream via PI

Offline azkiwi

  • Senior Contributor
  • ****
  • Posts: 160
    • Maricopa, Sonoran Desert, Arizona
Re: Please make your sites https:// secure or regret it
« Reply #3 on: February 12, 2020, 12:35:06 PM »
> Since GD is using CPanel, and a lot of other hosts are as well, I could probably whip up a manual on getting going.

I'd be interested in a manual for GoDaddy.


Ken

Offline 92merc

  • BismarckWeather.net
  • Forecaster
  • *****
  • Posts: 1314
  • BismarckWeather.net
    • BismarckWeather.net
Re: Please make your sites https:// secure or regret it
« Reply #4 on: February 12, 2020, 12:43:42 PM »
When I have to do my next update, I'll create one with pictures.
https://www.BismarckWeather.net
Davis VP2, Cumulus, WeatherDisplay, Blitzortung, Saratoga Scripts, NOAA Stream via PI

Offline PaulMy

  • Forecaster
  • *****
  • Posts: 5519
    • KomokaWeather
Re: Please make your sites https:// secure or regret it
« Reply #5 on: February 12, 2020, 02:05:42 PM »
I am with GoDaddy and hesitant to pay their extra ssl cost for my domains hosting, and if you could share your setup that would be much appreciated.

Thanks,
Paul

Offline 92merc

  • BismarckWeather.net
  • Forecaster
  • *****
  • Posts: 1314
  • BismarckWeather.net
    • BismarckWeather.net
Re: Please make your sites https:// secure or regret it
« Reply #6 on: February 12, 2020, 02:32:05 PM »
It's a 3 day weekend for me, so I have time to spare.  I just went through my update a week ago.  But I'll do it again so I can make a manual.  I'll PDF it and put it here.
https://www.BismarckWeather.net
Davis VP2, Cumulus, WeatherDisplay, Blitzortung, Saratoga Scripts, NOAA Stream via PI

Offline chief-david

  • Educational Weather
  • Forecaster
  • *****
  • Posts: 2846
  • Space Academy for Educators
    • Benilde-St. Margaret's Weather
Re: Please make your sites https:// secure or regret it
« Reply #7 on: February 12, 2020, 04:11:25 PM »
Mine has been transferred on the school server. So far so good.
The rest is to be seen.



You can't phase me-I teach Middle School.
It's not you-It's WU.

Offline CamarilloWX

  • CamarilloWX
  • Senior Contributor
  • ****
  • Posts: 184
    • Camarillo Weather
Re: Please make your sites https:// secure or regret it
« Reply #8 on: February 12, 2020, 10:28:12 PM »
Here is a link to a YouTube video that walks you through how to set up a free GoDaddy SSL certificate.
https://www.youtube.com/watch?v=GPcznB74GPs&feature=youtu.be

You have to do this every 90 days but it's nice not having to pay GoDaddy.  The first time it took me about half an hour to do it and I just paused the video at each step as I proceeded through the steps.  After a few times it took me less than 10 minutes each time.  I moved from GoDaddy to another host a few months ago and they include one SSL Cert for free so I no longer have to do this.
Eric

Offline vinesweather

  • Forecaster
  • *****
  • Posts: 304
    • The Vines Weather
Re: Please make your sites https:// secure or regret it
« Reply #9 on: February 13, 2020, 02:30:05 AM »
Thanks for the reminder, it was on my to do list. Just did my sites manually.

Offline lddaly

  • Forecaster
  • *****
  • Posts: 490
Re: Please make your sites https:// secure or regret it
« Reply #10 on: February 13, 2020, 09:34:57 AM »
Warnings will start with Chrome 82, scheduled for a stable release on April 22, and blockings will begin in Chrome 83 with certain types of files. Here’s the official timeline from Google:
« Last Edit: February 13, 2020, 10:01:40 AM by lddaly »

Offline CNYWeather

  • Forecaster
  • *****
  • Posts: 2297
    • CNYWeather
Re: Please make your sites https:// secure or regret it
« Reply #11 on: February 13, 2020, 10:39:44 AM »
> It's a 3 day weekend for me, so I have time to spare.  I just went through my update a week ago.  But I'll do it again so I can make a manual.  I'll PDF it and put it here.

Does it still take the same amount of work/time to renew it each time when it expires every 3 months or whatever it is?
Tony




Offline 92merc

  • BismarckWeather.net
  • Forecaster
  • *****
  • Posts: 1314
  • BismarckWeather.net
    • BismarckWeather.net
Re: Please make your sites https:// secure or regret it
« Reply #12 on: February 13, 2020, 10:44:11 AM »
I can do my 2 sites in about 10 minutes. 
https://www.BismarckWeather.net
Davis VP2, Cumulus, WeatherDisplay, Blitzortung, Saratoga Scripts, NOAA Stream via PI

Offline galfert

  • Global Moderator
  • Forecaster
  • *****
  • Posts: 6822
Re: Please make your sites https:// secure or regret it
« Reply #13 on: February 13, 2020, 11:06:26 AM »
Let's Encrypt SSL Certificates last for 90 days. They state that they limit it for two reasons.

  • A shorter key lifetime limits exposure if a key is compromised.
  • They encourage automation for renewal. Therefore the short key lifetime is no less convenient than longer ones once automation for renewal is implemented.



Ecowitt GW1000 | Meteobridge on Raspberry Pi
WU: KFLWINTE111  |  PWSweather: KFLWINTE111
CWOP: FW3708  |  AWEKAS: 14814
Windy: pws-f075acbe
Weather Underground Issue Tracking
Tele-Pole

Offline 92merc

  • BismarckWeather.net
  • Forecaster
  • *****
  • Posts: 1314
  • BismarckWeather.net
    • BismarckWeather.net
Re: Please make your sites https:// secure or regret it
« Reply #14 on: February 13, 2020, 11:07:01 AM »
I just watched the video.  I think SSLforFree is a bit easier.  You don't have to make those folders shown in the video.  Their verification process does all of that automatically.  You just need to make absolutely sure you have your FTP login info handy.

Starting at 4 minutes, it is close to what I do.  But instead of all that copy/paste stuff he's showing, you can upload the file directly that you had downloaded from SSLforFree site.

I might see if I can do a record video option and post it to YouTube.  It'll be more current than what the previous video shows.
https://www.BismarckWeather.net
Davis VP2, Cumulus, WeatherDisplay, Blitzortung, Saratoga Scripts, NOAA Stream via PI

Offline casacota

  • Senior Member
  • **
  • Posts: 77
    • Observatori de Sant Martí de Canals
Re: Please make your sites https:// secure or regret it
« Reply #15 on: February 13, 2020, 02:46:25 PM »
There is a very simple and free alternative: www.cloudflare.com
Works with any existing page without any server side changes.

Offline vinesweather

  • Forecaster
  • *****
  • Posts: 304
    • The Vines Weather
Re: Please make your sites https:// secure or regret it
« Reply #16 on: February 13, 2020, 10:08:03 PM »
Hi
Since changing to https, none of my images that are loaded from www.bom.gov.au will load (except in Explorer). From reading, this is because bom.gov.au is not secure, which is bizarre, being an Australian government site. Is there anything I can do to get the images to load?
Many thanks
Chris

Offline casacota

  • Senior Member
  • **
  • Posts: 77
    • Observatori de Sant Martí de Canals
Re: Please make your sites https:// secure or regret it
« Reply #17 on: February 14, 2020, 02:36:07 AM »
Note that forcing https is only intended for some types of files (executables, documents, and other) but HTML and images are not affected. Unless you are offering some sort of downloads  http will continue working as usual. For weather sites no problem, with an important exception: if you use geolocation services then https is mandatory, but this is not new.

Offline vinesweather

  • Forecaster
  • *****
  • Posts: 304
    • The Vines Weather
Re: Please make your sites https:// secure or regret it
« Reply #18 on: February 14, 2020, 03:04:18 AM »
> Note that forcing https is only intended for some types of files (executables, documents, and other) but HTML and images are not affected. Unless you are offering some sort of downloads  http will continue working as usual. For weather sites no problem, with an important exception: if you use geolocation services then https is mandatory, but this is not new.

I am now using WD to download the images I require and then upload them which is working fine. Probably what I should have done from the beginning.

Offline 92merc

  • BismarckWeather.net
  • Forecaster
  • *****
  • Posts: 1314
  • BismarckWeather.net
    • BismarckWeather.net
Re: Please make your sites https:// secure or regret it
« Reply #19 on: February 15, 2020, 09:10:19 PM »
OK, Disclaimer:  I am a novice video editor.  So bear with me!  This is also a very short, down and dirty how-to.  I'm not 100% positive it's all that is needed for you to set up HTTPS from scratch as I already have certificates uploaded.  I didn't really want to destroy all of my certs and start from scratch.  But I think this video should get people in the right direction.

I also didn't mention in the video, you can create an account with SSL for free.  This way when you login to the site, and then go through the cert process, you can just click on the renew option and get your files.  You can then have it email you when your cert is about to expire.  I like to do it about a week before, just in case I'm out of town.

https://youtu.be/YFqPiGUWHbY
https://www.BismarckWeather.net
Davis VP2, Cumulus, WeatherDisplay, Blitzortung, Saratoga Scripts, NOAA Stream via PI

Offline PaulMy

  • Forecaster
  • *****
  • Posts: 5519
    • KomokaWeather
Re: Please make your sites https:// secure or regret it
« Reply #20 on: February 15, 2020, 11:53:07 PM »
Thanks,
I've watched the video and will put some time aside soon and see if I can follow instructions...

Enjoy,
Paul

Offline DaleReid

  • Forecaster
  • *****
  • Posts: 2002
    • Weather at Eau Claire, WI
Re: Please make your sites https:// secure or regret it
« Reply #21 on: February 16, 2020, 09:41:17 PM »
I'm interested, but wonder:
a) If I do nothing, other than irritating a Chrome user, will anything happen to my access to the info on my site?  I use Firefox.
b) If I start to go through the video and make a mistake, it is completely screwed up and I have to try to get a reset to basic by the website provider?  Mine is currently GoDaddy.  Is there a failsafe mode where unless all the stuff is right, it will go back to a non 's' type of site? 
c) If one uses the certificate production from GoDaddy, is that automatically updated every three months, or do I have to go through this all the same even if bought the service from them, rather than use a free site?

Thanks for the video, it was interesting but I'll have to say I'm not sure that I can do it without watching again and making notes.
ECWx.info
&
ECWx.info/t/index.php

Offline 92merc

  • BismarckWeather.net
  • Forecaster
  • *****
  • Posts: 1314
  • BismarckWeather.net
    • BismarckWeather.net
Re: Please make your sites https:// secure or regret it
« Reply #22 on: February 16, 2020, 10:21:26 PM »
You can actually go through all the steps, right up to the last bit about the .htaccess file.  Until you do that step, none of your traffic will be FORCED to use HTTPS.  Regular HTTP traffic will work as normal.

So that gives you time to test it out.  See if you have any images that are not secured.  You basically look for "mixed" traffic.  Something on your site that isn't secured and should be.  There are sites out there that you can use as tools to inspect your pages and find out what isn't secured.

The "site certificate" will need to be updated every three months.  So the part where you download a new ZIP file, install the certificate.crt and private.key files, will need to be done every three months.

Will the world end without HTTPS?  No, not really.  Chrome will probably complain.  But since most of our content isn't delivering files or other things that can infect a computer, it's not a real threat.  But knowing Google, they'll probably push the warnings at some point stating your site is a "potential threat" or something named close to that.  My guess, you'll have a couple of years before it gets to that point.  Maybe longer.

If you buy the Google one, I would think they'll be doing the main work and installing it on your site.  But I have no first hand knowledge of that.  Worst case, the cert you buy will be good for whatever years you pay for.  You may have to go through those steps to install it.  But it can be good for years worth.  At that point, it's more a matter of what you are willing to pay.

If you are thinking of buying a cert, you can shop around for that, just as you would have for a website hosting provider.  I think we'll eventually get to the point where hosting companies will start providing them at low or even no cost.  Some hosting providers are setting up a way to get the Let's Encrypt certs automatically, so you don't have to go through the hoops I outlined.  But of course GoDaddy wants to charge you for certs, so they have no incentive to get that going.  Not until the competition eventually forces them to.
https://www.BismarckWeather.net
Davis VP2, Cumulus, WeatherDisplay, Blitzortung, Saratoga Scripts, NOAA Stream via PI
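
The mixed-content check discussed in Replies #16 to #22, as an added example that is not part of any poster's message: a small offline scanner that lists every http:// reference on a page served over https://, split into active subresources (scripts, frames, stylesheets), passive ones (images, audio, video) and links to the download types named in the opening post. The sample page, its host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Tag -> attribute that loads a subresource into the page.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
# Download types named in the opening post (reached through links).
DOWNLOAD_EXTS = {".exe", ".apk", ".dmg", ".zip", ".rar", ".iso",
                 ".pdf", ".docx", ".txt", ".mp3", ".mp4"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in PASSIVE:
            kind, raw = "passive", a.get(PASSIVE[tag])
        elif tag in ACTIVE:
            kind, raw = "active", a.get(ACTIVE[tag])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            kind, raw = "active", a.get("href")
        elif tag == "a":
            kind, raw = "download", a.get("href")
        else:
            return
        # Relative and protocol-relative (//host/x) URLs inherit the page's scheme.
        url = urljoin(self.page_url, (raw or "").strip())
        parts = urlparse(url)
        if not raw or parts.scheme != "http":
            return
        # An ordinary http:// hyperlink is navigation, not mixed content.
        if kind == "download" and posixpath.splitext(parts.path)[1].lower() not in DOWNLOAD_EXTS:
            return
        self.findings.append((kind, tag, url))

def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; example.org / example.net stand in for real hosts.
SAMPLE_PAGE_URL = "https://weather.example.org/index.html"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/gauges.js"></script>
<img src="http://images.example.net/radar.gif" alt="radar">
<img src="//images.example.net/sat.png" alt="satellite">
<a href="http://weather.example.org/reports/noaa-2020-01.pdf">January report</a>
<a href="http://other.example.net/about.html">About</a>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:8} <{tag}> {url}")
```

Run it against a saved copy of each page before turning on the forced redirect; anything it reports has to be re-hosted over https:// or fetched server-side.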

Offline vinesweather

  • Forecaster
  • *****
  • Posts: 304
    • The Vines Weather
Re: Please make your sites https:// secure or regret it
« Reply #23 on: February 17, 2020, 01:38:45 AM »
> I'm interested, but wonder:
> a) If I do nothing, other than irritating a Chrome user, will anything happen to my access to the info on my site?  I use Firefox.
> b) If I start to go through the video and make a mistake, it is completely screwed up and I have to try to get a reset to basic by the website provider?  Mine is currently GoDaddy.  Is there a failsafe mode where unless all the stuff is right, it will go back to a non 's' type of site?
> c) If one uses the certificate production from GoDaddy, is that automatically updated every three months, or do I have to go through this all the same even if bought the service from them, rather than use a free site?
>
> Thanks for the video, it was interesting but I'll have to say I'm not sure that I can do it without watching again and making notes.

The only issue I found is my links to images to the Bureau of Meteorology. They do not use https yet which has raised a few questions. The way around it I used WD to download the image then upload it.

Offline sky_watcher

  • Contributor
  • ***
  • Posts: 138
Re: Please make your sites https:// secure or regret it
« Reply #24 on: February 17, 2020, 02:32:50 AM »
> Chrome browser by the end of year and make no mistake others will either follow or have made the shift to block all non secure content entirely right now you see annoying popups but eventually it will be just blank spaces or non loading of pages..
>
> so if you haven't do it now make your site secure ... unfortunately some hosts will be reaping the reward putting a price tag on the implementation but that may be down to labour/time all employees want paying ....
>
> do it today ...

I followed SSLforFree to get and install the certificate - relatively easy to follow.

A point to bear in mind is if you are using the website to capture readings from your weather station. It is unlikely that your weather station will be able to handle https. My HP2550 certainly couldn't and I lost readings from the moment I set automatic redirection from http to https.

I run my web server (Apache) on my own system, so I don't have the problem that may arise from the configuration restrictions on a commercial server.  My solution may not be available to everyone.

I was able to fix it by exempting the directory with the capture script from being redirected to https with the following httpd config code. You will need mod_rewrite or equivalent for your server. I put the script into ssl.conf so that if SSL is not active, it will not be loaded. The directory is the name of the directory holding the scripts and site_name is the name of the host site. In my case, http site and the https site obviously have the same name.

<VirtualHost *:80>
    ServerName brigadoon.power.on.net:80
    RewriteEngine On
    # Only act on requests that did not arrive over HTTPS
    RewriteCond %{HTTPS} !on
    # Leave requests that mention the capture-script directory alone ("directory" is a placeholder)
    RewriteCond %{THE_REQUEST} !directory
    # Send everything else to the https:// site (site_name is a placeholder, as described above)
    RewriteRule ^ https://%{HTTP_HOST}%{site_name}
</VirtualHost>


Hope this helps if you are running your own server to receive weather station data.
“The more a man knows, the more willing he is to learn. The less a man knows, the more positive he is that he knows everything...” ― Robert G. Ingersoll
