
Thread: Time for HTTPS?

  1. #1
    Web Guru Marc J's Avatar
    Join Date
    Feb 2007
    Location
    Edinburgh
    Posts
    3,019

    Default Time for HTTPS?

    Google recently announced that any page that has a form asking for payment details or has a password field in it will be marked in their Chrome browser as not secure, starting January 1st 2017. See: -

    Google Online Security Blog - Moving towards a more secure web
    Come in HTTP, your time is up
    Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

    Many MDD member sites have customer login sections. If this is through DJEP they're usually framed, I think, and so might be OK, but I've seen others that use their own forms and those really need to think about installing SSLs to enable HTTPS.

    Also, anything requiring Geo-location now requires HTTPS. This probably has less of an impact, unless you're trying to determine where the visitor is, of course.

    One plus is that if you do jump to HTTPS, you can then add a payment form (using, for example, Stripe, who insist on an SSL) relatively easily.
    In order to understand recursion you must first understand recursion.


  2. #2
    Senior Member discomobiledj's Avatar
    Join Date
    Sep 2007
    Location
    Worldwide
    Age
    38
    Posts
    2,433

    Default

    I've installed Let's Encrypt on all my domains so if any of my clients need/want it then it's there ready and waiting.
    Steve

  3. #3
    MDD Supporter
    Join Date
    Jan 2009
    Location
    Bristol
    Age
    41
    Posts
    2,945

    Default

    Quote Originally Posted by discomobiledj View Post
    I've installed Let's Encrypt on all my domains so if any of my clients need/want it then it's there ready and waiting.
    The major barrier for me is the ability to run multiple HTTPS sites off a single IP. Unfortunately I'm still on a Win2k8 server with IIS 7 so I can't use SNI. How are you doing it?

    Julian
    http://www.bristoldiscohire.co.uk - Quality Disco and Equipment hire for Bristol & Bath
    Weddings, Birthday Parties, Kids Parties, School Discos, Quizzes and more

  4. #4
    Senior Member discomobiledj's Avatar
    Join Date
    Sep 2007
    Location
    Worldwide
    Age
    38
    Posts
    2,433

    Default

    Quote Originally Posted by DJ Jules View Post
    The major barrier for me is the ability to run multiple HTTPS sites off a single IP. Unfortunately I'm still on a Win2k8 server with IIS 7 so I can't use SNI. How are you doing it?

    Julian
    It's all off the same IP but each one is registered against the domain name rather than IP.
    Steve

  5. #5
    Admin Shaun's Avatar
    Join Date
    May 2006
    Location
    Fife
    Age
    47
    Posts
    14,698

    Default

    I have a secure payment page using Stripe. So things are already set up for HTTPS, thanks to Marc.

  6. #6
    Web Guru Marc J's Avatar
    Join Date
    Feb 2007
    Location
    Edinburgh
    Posts
    3,019

    Default

    Quote Originally Posted by discomobiledj View Post
    It's all off the same IP but each one is registered against the domain name rather than IP.
    SSL certs are usually issued against domains. The problem is that, traditionally, each has to be on a unique IP. Until SNI came along - which allows multiple SSLs sharing a single IP. But not every hosting platform supports SNI, nor every browser (although most modern browsers do, so that's less of an issue now).
    In order to understand recursion you must first understand recursion.


  7. #7
    Web Guru Marc J's Avatar
    Join Date
    Feb 2007
    Location
    Edinburgh
    Posts
    3,019

    Default

    Quote Originally Posted by DJ Jules View Post
    The major barrier for me is the ability to run multiple HTTPS sites off a single IP. Unfortunately I'm still on a Win2k8 server with IIS 7 so I can't use SNI. How are you doing it?
    Installing Let's Encrypt on any Windows machine doesn't seem so straightforward. There are instructions at https://www.coderamblings.net/archiv...a-safer-place/, and the comments there claim to have had success on Windows Server 2008.

    You'll still need SNI support if you want them on the same IP, though. And I don't think that's supported in IIS 7, or it is but it's a workaround involving installing Apache (https://www.orderfactory.com/article...s-2008-R2.html).
    Last edited by Marc J; 09-11-2016 at 12:20 PM.
    In order to understand recursion you must first understand recursion.


  8. #8
    Web Guru Marc J's Avatar
    Join Date
    Feb 2007
    Location
    Edinburgh
    Posts
    3,019

    Default

    Quote Originally Posted by Shaun View Post
    I have a secure payment page using Stripe. So things are already set up for HTTPS, thanks to Marc.


    For the record, Shaun's uses a paid SSL cert. I wouldn't recommend using Let's Encrypt for taking credit card details. That's just a personal thing at this point, though, I'm not saying you can't...just that I wouldn't.
    In order to understand recursion you must first understand recursion.


  9. #9
    Senior Member
    Join Date
    Feb 2015
    Location
    Reading, Berkshire
    Age
    36
    Posts
    948

    Default

    Let's Encrypt seems useful for Google's new "loving SSL" websites requirement.

    It's expensive to pay around £40 a year for an SSL certificate for a website that doesn't carry any payment transactions.

    Shame TSO Host don't support it, and appear to be avoiding answering whether they will or won't support it.

  10. #10
    Web Guru Marc J's Avatar
    Join Date
    Feb 2007
    Location
    Edinburgh
    Posts
    3,019

    Default

    Quote Originally Posted by rth_discos View Post
    Shame TSO Host don't support it, and appear to be avoiding answering whether they will or won't support it.
    They're listed on Web Hosting who support Lets Encrypt under "Waiting/Delayed".

    https://twitter.com/tsohost/status/722448514228318208
    In order to understand recursion you must first understand recursion.

