Trying to set up a secure site


#1

I am trying to set up a secure area for the site, for the exchange of info like phone numbers, insurance numbers, and personal info.

I have purchased an SSL from COMODO and installed it so it shows that it is active for the main URL, but not for the URLs that are redirected. But when I use the https it shows my site as not secure. (This site includes HTTP resources).

Is this because of the URLs that are not SSL? I am confused, so any help would be appreciated.

Walt


#2

“This site includes HTTP resources” makes it sound like you have some objects (images/pics perhaps) that you are either linking from a non-HTTPS site, or linking AS HTTP from your own site, where you should be linking same as HTTPS resources.

Navigate to the page that gives you that warning, then “view source” or “view page source”, then use search or find-in-page for the view source window to find each instance of “HTTP”. You will likely find image links that need to be HTTPS instead of HTTP.

If you can give a link to an example page, then we can help you find the HTTP references.
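
The view-source search described in post #2, automated as an added example (not code from any poster in this thread): it lists only the resources a page loads over http:// and marks each as own-site or third-party. The hosts in the sample page and the names `find_mixed_content` and `MixedContentFinder` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a page resource. A plain
# <a href> is navigation, not a resource of this page, so it is not listed.
SUBRESOURCE_ATTRS = {("link", "href"), ("object", "data")} | {
    (t, "src") for t in ("img", "script", "iframe", "embed", "audio", "video", "source")}

class MixedContentFinder(HTMLParser):
    """Collect resources that a page requests over plain http://."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, url, "own-site" or "third-party")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "icon"}:
            return  # e.g. rel="canonical" is metadata; nothing is fetched
        for name, value in attrs.items():
            if (tag, name) not in SUBRESOURCE_ATTRS or not value:
                continue
            url = urlsplit(value.strip())
            if url.scheme != "http":
                continue  # https://, //host/path and relative paths are fine
            owner = "own-site" if url.hostname == self.site_host else "third-party"
            self.findings.append((self.getpos()[0], tag, value.strip(), owner))

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/">
</head><body>
<a href="http://www.example.com/contact.html">Contact</a>
<img src="http://www.example.com/images/logo.png">
<img src="/images/banner.png">
<img src="http://images.example.org/badge.gif">
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, owner in find_mixed_content(SAMPLE_PAGE, "www.example.com"):
        print(f"line {line}: <{tag}> {url} ({owner})")
```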


#3

Yeah, but existing HTTP sites will have thousands of links to HTTP images/pages.

Just paying for an SSL from COMODO is merely STEP 1. Do you have to track down all the 1000s of image links and page links that an existing site has? That could take a long time.

What about a forced redirect? Any user hitting an existing link to one of these HTTP images/pages is REDIRECTED to the same resource but with HTTPS. Is that the solution?


#4

It depends how the site is built and where those links are stored, and how the images themselves are stored. There may be thousands but I’ve seen instances where all an admin had to do was set a checkbox in the admin area of the CMS. I’ve also seen instances where someone needs phpMyAdmin skills to make large changes with a few keystrokes. WordPress probably has a plugin to make a one-time update to the database.

There is no single answer, but if you’re chasing down 1000s of links manually, yes, that job is enormous and you should explore other options.

BTW, not sure what class of certificates are being purchased from Comodo; perhaps your site needs ownership identity, but everyone should keep in mind that for basic transport layer encryption the new free option is https://letsencrypt.org/ which the DreamHost panel fully supports.


#5

Lakerat, what are your thoughts on the need to be legacy compatible? Android keep 2 separate versions to be legacy compatible. They have an http version and an https version.

[quote]But we also need to be legacy compatible. We want someone with an old Android tablet or one they bought that doesn’t have Google’s software available to be able to visit using a browser that can’t use certificates or might have difficulty rendering sites that have them. If you visit http://www.androidcentral.com (notice the use of http versus https) you’ll see the info icon. You can click on that icon and it will tell you that your connection isn’t secured.

Many sites are this way, so be sure to update all your bookmarks to use the https address!

Chrome isn’t the only browser that helps make sure you’re safe on the web. Microsoft, Mozilla, Apple and everyone else wants your experience to be the best it can be so you keep using their products. But Chrome gives plenty of details to help you know what’s going on and we want to make sure you know how to find them.[/quote]

They seem to infer that if you go the https route some users will no longer be able to access your site (because basically IT’S TOO MODERN FOR THEM!).


#6

Compatibility issues will always be present. We still have production code that alters the experience for IE6 users, a 15 year old browser, unbelievably still used in some environments.

You’re really hijacking another user’s thread and dragging it off topic tho…


#7

IE6 is used by some companies and large organisations. My own workplace has Vista and some old IE version, though it is a few weeks to months away from implementing a Windows 10 and Office 365 setup.

I am no advocate of legacy. So would suggest 100% HTTPS.
If the original user is using a CMS solution, it may be some plugins are not HTTPS-compatible.

If using a static-page or SSI type of web site, it would be poorly designed to use absolute URIs rather than relative URIs to link pages/images. But easily fixed. Just whack the whole site into a folder and run find/replace changing http:// to https://


#8

Relative URLs to link pages/images all the way, monjo; this provides benefits way beyond SSL.

100% HTTPS? What’s wrong with going onto your site and making an announcement? Check these 2 announcements out, see what you think:

  1. http://www.windsorsafaripark.org.uk/viewtopic.php?f=3&t=1109

  2. http://ufoforums.co.uk/viewtopic.php?f=13&t=1257

Basically I attacked my two sites which had the very lowest visitors … to “TEST THE WHOLE SSL thing” out. I have another 3 which are busier and 1 which is very busy; I’m doing that last.

I seem to have sorted my 2 smallest sites (listed above) out. I think it all works, and from the announcements I made, visitors/users/members now have the choice: they can see the site in http or https, which is where the relative URLs to link pages/images. With relative URLs it is possible to view/interact with the website in either http or https; you can choose.

I know a lot of people say put on a forced redirect, forcing all visitors to view the site in https. Well, I don’t know; for the moment I have no redirect operating. What do you think?


#9

I think this has been discussed before on this forum. Google encourages the use of HTTPS. And, looking at the content and style of your web sites, they wouldn’t appear especially mobile-optimised - i.e. your users are generally going to be viewing your web site on a desktop computer, so there’s no reason HTTPS would not work.