
HTTPS and Insecure Site Warning on AW



AW Admin
03-08-2017, 04:38 PM
It means that we are not currently using https.


We need to purchase a security certificate.
Take the server offline.
Move to a new server.
Install the certificate.



We have purchased the certificate.
We are picking a date to install it.
We will do this very soon.
We've been working on this quite a while; it's just the server move and install that's left, and that means shutting off AW.


What does the Insecure Flag Mean?


HTTPS and SSL certificates are ways to protect the data you send to the site/server and it sends to you.
The flag means that AW is not currently using HTTPS, and that data you send to the server and it sends back (like posts) isn't encrypted.


We don't perform transactions on the site.
We don't send financial data.
We aren't sending private data, of the sort you might at a bank, for instance.


But Google search listing, the Chrome web browser, the Firefox browser and versions of all other browsers will start flagging any site that doesn't use HTTPS as insecure.
Nothing has changed; AW isn't insecure, but we will be using HTTPS as soon as possible.

Here's some more information (https://nakedsecurity.sophos.com/2016/09/09/google-to-slap-warnings-on-non-https-sites/):

2017 is the Year of HTTPS and SSL
(https://www.theedesign.com/blog/2016/2017-year-ssl-https-websites)

When Will This Happen?


We don't have a definite date; soon. When we know the date, we'll announce it widely since we'll have to turn AW off for a day or two.


Questions?

If you have questions, please ask them here or PM AW Admin (http://absolutewrite.com/forums/private.php?do=newpm&u=21746) or MacAllister.

TrinaM
04-30-2017, 01:24 AM
Just thought I'd chime in as a techie who has moved a bunch of folks to SSL -- if you're moving servers, anyway, check for some that offer the free Let's Encrypt SSL. It works great. I know you've already bought it for this year, but...next year will come before you know it. And Let's Encrypt is fully automated, so once you're on it...you're pretty much there. You'll likely have some tweaking to get rid of mixed content warnings (old links in posts that have http:// in them) but your software probably has a plugin to handle that.

I put off going to SSL for a long time. I have to say, it turned out to be so much easier than I thought!!!
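Added example, not part of the original posts: a small Python scan of stored post HTML for the mixed content mentioned above. It separates embedded `http://` resources (images, iframes, scripts, media), which are what browsers flag on an HTTPS page, from plain `http://` hyperlinks, which are only listed for review. The sample post and its example.com URLs are constructed.

```python
from html.parser import HTMLParser

# Tag/attribute pairs whose URL is fetched as part of rendering the page.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("embed", "src"), ("object", "data"),
}


class MixedContentScanner(HTMLParser):
    """Collects http:// URLs from post HTML, split by how the browser uses them."""

    def __init__(self):
        super().__init__()
        self.subresources = []  # loaded over plain HTTP: triggers the warning
        self.links = []         # navigation only: no warning on the HTTPS page

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        for name, value in attrs:
            if not value or not value.strip().lower().startswith("http://"):
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.subresources.append((tag, value.strip()))
            elif (tag, name) == ("a", "href"):
                self.links.append((tag, value.strip()))


def scan_post(html):
    """Return (subresources, links) found in one post body."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.subresources, scanner.links


# Constructed sample post body (not taken from the forum).
SAMPLE_POST = """
<p>See <a href="http://example.com/guide">this guide</a>.</p>
<img src="http://example.com/cover.jpg" alt="cover">
<img src="https://example.com/ok.png">
<iframe SRC="HTTP://example.org/embed/1"></iframe>
"""

if __name__ == "__main__":
    embedded, links = scan_post(SAMPLE_POST)
    for tag, url in embedded:
        print(f"mixed content: <{tag}> loads {url}")
    for tag, url in links:
        print(f"plain link (review only): {url}")
```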

AW Admin
04-30-2017, 04:29 AM
Let's Encrypt isn't a durable certificate*, and won't really work for us because you have to keep renewing it.

It's also not compatible with the server security and malware protection services we use.

We've purchased a durable high-end SSL certificate but it requires a more modern OS etc. so we might as well upgrade the RAM etc.

The difficulty is getting the schedules of three people who all have full-time jobs synced in order to actually do the server upgrade and move all the databases, do QA, etc.


*I like them hugely, and use them on sites I run that are smaller, but they do have to be renewed frequently.

Layla Nahar
04-30-2017, 05:54 AM
... getting the schedules of three people who all have full-time jobs synced in order to actually do the server upgrade and move all the databases, do QA, etc...

btw - thank you in advance for all of it

AW Admin
05-01-2017, 04:49 PM
btw - thank you in advance for all of it

You are most welcome.