7.0: An issue with non-SSL Websites


#1

I’ve run into another issue with mixed content that I’d like to bring up.

The SSL Problem

As you probably know, it’s 2019 and the push for websites to use HTTPS (i.e. SSL) is growing. That’s definitely not a bad thing, but it presents a problem for websites that don’t use HTTPS.

In the current version of Surreal, we force HTTPS on all pages except the editor. In the editor, you’ll get bumped to the HTTP or HTTPS version depending on your website’s URL. We did this because if we forced HTTPS and you’re editing a website that doesn’t support HTTPS, you’d see a mixed content warning in your browser:


However, as time progressed browsers stopped showing this warning and, instead, they just stopped loading insecure content. That means your website would appear “naked,” without any styles or scripts.

These days, browsers are very aggressive in letting you know a website is not being served over HTTPS. For example, load any website over HTTP and you’ll see this in your address bar:

image

Firefox goes even further and shows this message when you’re filling out a form on an HTTP website:

image

How it Affects You

This isn’t a bad thing. Users should be informed of insecure websites. However, we find ourselves in a transitional period where many websites are still using HTTP and that creates a bit of a problem.

In Surreal CMS 7.0, all pages use SSL, even the editor. This provides more security for you and your users, and it keeps up with browsers and their aggressive stance against insecure websites.

Unfortunately, this means if your websites aren’t using HTTPS, you probably won’t see any scripts or styles in the editor — not a great experience. :frowning:

This is a tough problem from a development standpoint.

Of course, the easiest way to prevent this is to secure your websites. SSL certificates have been somewhat expensive in the past, but these days many hosts offer them for free through Let’s Encrypt.

Moving Forward

I’d love to tell you that I have a solution for this problem, but as of right now I don’t. I’m more than happy to tell everyone to switch to HTTPS, why HTTPS is important, etc. — but realistically I know not everyone will be able to make the switch right away.

I’ve experimented with swapping links in the editor — basically changing the source to load insecure content through a secure proxy that we control. So far, I’ve had limited success with this, and I’m not confident that this approach will resolve the issue 100%, but I’ll continue looking into it.

This problem has held up progress on the new version quite a bit, and today I’ve decided that launching the beta is more important than solving this right away. I’ll definitely circle back to it, but in the meantime I’m going to focus on getting the new website done and the beta launched.

If you have any questions or thoughts on this, I’d love to hear them!
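The proxy idea in the post above (rewrite asset links so the editor loads plain-http scripts and styles through an HTTPS proxy) raises one question a practitioner should settle before anything else: which URLs the proxy will accept. A proxy that fetches whatever it is handed is an open proxy and an SSRF endpoint. The following is an added example, not code from this thread or from Surreal CMS, showing the rewriting step with that allow-list built in; the editor host, the `https://editor.example/proxy?url=...` endpoint, the site host and the sample markup are all assumptions constructed for the example.

```python
"""Rewrite plain-http asset URLs in page markup to go through a proxy we control.

Added example, not Surreal CMS code. The editor host, proxy endpoint
(https://editor.example/proxy?url=...), site host and sample markup are
assumptions constructed for this example.
"""
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed sample: two same-site http assets, one third-party http script,
# one asset that is already https.
SAMPLE_HTML = (
    '<link rel="stylesheet" href="http://www.example.com/css/site.css">\n'
    '<script src="http://www.example.com/js/app.js"></script>\n'
    '<script src="http://cdn.other.example/lib.js"></script>\n'
    '<img src="https://www.example.com/logo.png">\n'
)
SITE_HOST = "www.example.com"
PROXY_BASE = "https://editor.example/proxy"

# src/href on script, link and img tags, quoted, starting with http://.
# A regex is enough for this demonstration; production code should walk the
# DOM with a real HTML parser instead.
_ASSET_ATTR = re.compile(
    r"""(?P<prefix><(?:script|link|img)\b[^>]*?(?<![\w-])(?:src|href)\s*=\s*)"""
    r"""(?P<q>["'])(?P<url>http://[^"']+)(?P=q)""",
    re.IGNORECASE,
)


def proxied_url(url: str, site_host: str, proxy_base: str) -> Optional[str]:
    """Return the proxy URL for `url`, or None if it must not be proxied.

    Only plain-http URLs on the site's own host and default port qualify.
    A proxy that fetches whatever URL it is handed is an open proxy and an
    SSRF endpoint (http://127.0.0.1/..., internal hostnames, cloud metadata),
    so this allow-list is the security-relevant part of the scheme.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return None
    if parts.hostname.lower() != site_host.lower():
        return None
    if parts.port not in (None, 80):
        return None
    return f"{proxy_base}?url={quote(url, safe='')}"


def rewrite_insecure_assets(html: str, site_host: str, proxy_base: str) -> str:
    """Rewrite eligible asset URLs; leave everything else untouched."""
    def repl(match):
        new_url = proxied_url(match.group("url"), site_host, proxy_base)
        if new_url is None:
            return match.group(0)  # third-party or odd URL: the browser will block it
        return f"{match.group('prefix')}{match.group('q')}{new_url}{match.group('q')}"
    return _ASSET_ATTR.sub(repl, html)


if __name__ == "__main__":
    print(rewrite_insecure_assets(SAMPLE_HTML, SITE_HOST, PROXY_BASE))
```

The proxy endpoint itself has to apply the same allow-list on the server side (the rewriter runs on markup anyone can edit) and should refuse to follow redirects off the allow-listed host; otherwise the check here is decorative.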


#2

I hate the fact that all sites are being forced to use https. If a site is merely displaying information, I don’t think it should be labeled as insecure. I use hosting that makes using the free SSL easy, so not a huge issue for my clients, it’s just the principle of the matter.


#3

Well, a huge benefit of SSL is that it prevents man-in-the-middle attacks even for informational sites.

These attacks aren’t always malicious. Some ISPs have been caught injecting JavaScript into insecure websites for advertising and other various reasons. Here’s an example:

When a website is served over HTTPS, this sort of thing isn’t possible, so there are still benefits. Namely, making sure the content you want your visitors to see isn’t modified by anybody — be it your ISP, their ISP, a government, etc. :slight_smile:


#4

Who am I to stand in the way of progress? :blush:


#5

Not an ideal situation. Yes, the world is moving to HTTPS, but it still seems a wee bit premature to force this on everyone.

Would the simplest solution just be to allow users to stay on the current version of Surreal if they prefer? On another thread I think you said you’d give users a year or so to transition (before pulling the old version), but is there any reason you couldn’t extend this indefinitely and just allow users to transition if and when they’re ready to fully embrace HTTPS on all their sites?


#6

No, I believe you will have to fully embrace HTTPS sooner or later. Eventually Google Chrome and other browsers will show a full page warning that lets you know the website you are visiting doesn’t have SSL/TLS and is putting you at risk.

As someone who has experimented with man-in-the-middle attacks, I can assure you that you want to secure your websites. It is very easy for someone to redirect your traffic to their device and then inspect or modify it before you get the data.

SSL/TLS is important on so many different levels. It is now a ranking signal for Google search results. Websites that use HTTP/2 and SSL load faster.

I’m more likely to leave a website that is non secure for a better one (especially if I am submitting information).

If your web hosting provider doesn’t support free automated SSL/TLS certificates, leave them and find a better provider.

You shouldn’t be paying for certificates anymore unless you’re making a donation to a certificate authority that gives free SSL/TLS certificates. Free automated certificates happen in the background with very little work on your behalf. Let’s Encrypt certificates are also much more secure than 1 year paid certificates as Let’s Encrypt’s certificates expire after 90 days.

I don’t believe the old version of Surreal CMS should have to be online forever. It creates more work for @cory and that prevents him from working on more important stuff like future updates and features.

I welcome @cory’s decision on this as it protects the security of our clients.

Very much looking forward to version 7.0.


#7

I am my hosting provider, and yes, I provide free automated SSL/TLS certificates. :slight_smile:

Personally, I have no trouble with this, but I still think it’s premature to force it upon everyone.


#8

It’s not ideal, and I haven’t ruled out finding a solution — I’m just deprioritizing it so I can get the beta out sooner.


#9

I wonder how many websites that are powered by Surreal CMS don’t use SSL/TLS?


#10

Going by URLs, it’s less than 10%. However, I know there are plenty of sites that do support it but simply haven’t been updated in the CMS, so it’s hard to say definitively.


#11

Ideally we should be using SSL and HSTS to stop man-in-the-middle attacks. I have recently added most of my sites to the HSTS preload list. In the age of GDPR I would say SSL is essential even if you only have a contact form.


#12

Hi Cory. I’ve started to ask my clients to get SSL. However, I’ve noticed that several of my clients’ websites work both with http and https. Have they been set up incorrectly by the web hosts? I presumed that once a client had https that a visitor using http would be automatically forwarded (is this the right word?) to the https URL?


#13

SSL or TLS is free these days using Let’s Encrypt. If you’re not hosting your clients’ websites, tell them to move to a web host that gives free SSL certificates if their current one doesn’t.

Most sensible web hosts allow the AutoSSL feature in cPanel to work. AutoSSL will obtain a free SSL certificate automatically and renew the certificate without any interaction. However, some web hosts are greedy and see that they can make money from the basic necessity of security; they instead disable free automated SSL certificates through AutoSSL and force their customers to purchase SSL certificates through them or manually install free ones. Contrary to popular belief, paid domain validated SSL certificates are not any more secure than a free one from Let’s Encrypt. A web host that has been known to disable AutoSSL is GoDaddy.

Yep, that’s one way of describing a redirect. When you have an SSL certificate, your website can still load insecurely over HTTP. To fix this issue, you have to set up a redirect in your .htaccess file (assuming the server runs Apache).


#14

Your web server can be configured to serve content over both protocols, so you need to tell it to redirect HTTP to HTTPS. If you’re using a control panel of some kind (Plesk, cPanel, etc.), there’s usually an option in the website’s settings that lets you do this.

If you’re configuring Apache yourself, you’ll want to do something like this:

# HTTP: redirect everything to the HTTPS origin. "permanent" makes it a 301
# (a plain "Redirect" sends a 302); the rest of the request path is appended
# to the target, so /about becomes https://www.example.com/about.
<VirtualHost *:80>
  ServerName www.example.com
  Redirect permanent / https://www.example.com/
</VirtualHost>

# HTTPS
<VirtualHost *:443>
  ServerName www.example.com

  # SSL & website config here...
</VirtualHost>

If you’re configuring nginx yourself:

# HTTP: 301 to the same path and query string on HTTPS
server {
  listen 80;
  server_name www.example.com;
  return 301 https://$server_name$request_uri;
}

# HTTPS
server {
  listen 443 ssl;
  server_name www.example.com;

  # SSL & website config here...
}

If you’re using Let’s Encrypt, or certbot, from the command line, make sure you select the redirect option before finalizing the installation.
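The Apache, nginx and .htaccess snippets in this thread all do the same thing: answer a plain-HTTP request with a permanent redirect to the same path on the HTTPS origin, and the HSTS post earlier in the thread adds the Strict-Transport-Security header on top. Below is an added example, not part of this thread or of Surreal CMS, that lints captured response headers for the mistakes those configs can hide: a temporary (302) redirect, a redirect that lands on http again, a redirect that drops the requested path or query string, or an HSTS header too weak for the preload list. The host name and the response samples are constructed for the example.

```python
"""Lint an HTTP->HTTPS redirect and the HSTS header on the HTTPS side.

Added example, not Surreal CMS code. Input is the raw response head you get
from `curl -sI http://www.example.com/about?ref=nav`; the samples below are
constructed for this example and www.example.com is a placeholder host.
"""
from urllib.parse import urlsplit

# One-year minimum (in seconds) that the HSTS preload list requires.
PRELOAD_MIN_AGE = 31536000

# Constructed samples: what a capture of each case looks like.
REQUEST_URL = "http://www.example.com/about?ref=nav"

GOOD_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/about?ref=nav
Content-Length: 0
"""

DROPS_PATH = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0
"""

TEMP_AND_PLAIN = """HTTP/1.1 302 Found
Location: http://www.example.com/about?ref=nav
"""

GOOD_HSTS = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-type: text/html
"""

WEAK_HSTS = """HTTP/2 200
Strict-Transport-Security: max-age=300
"""


def parse_response(raw):
    """Split a raw HTTP/1.x or HTTP/2 response head into (status, headers).

    Header names are lower-cased; only the first ':' splits name from value,
    so a Location value containing 'https:' survives intact.
    """
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(request_url, raw_response):
    """Return the list of problems with the plain-HTTP response (empty is good)."""
    req = urlsplit(request_url)
    status, headers = parse_response(raw_response)
    problems = []
    if status not in (301, 308):
        problems.append(f"expected a permanent redirect (301/308), got {status}")
        if status not in (302, 303, 307):
            return problems  # not a redirect at all; nothing more to check
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        problems.append(f"Location is not https: {headers.get('location')!r}")
    if loc.hostname != req.hostname:
        problems.append(f"redirect changes host {req.hostname} -> {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("redirect drops the requested path or query string")
    return problems


def check_hsts(raw_response, min_age=PRELOAD_MIN_AGE):
    """Return problems with Strict-Transport-Security on the HTTPS response."""
    _, headers = parse_response(raw_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.strip().lower()] = value.strip()
    problems = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = -1
    if max_age < min_age:
        problems.append(f"max-age {max_age} is below the {min_age}s preload minimum")
    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload directive")
    return problems


if __name__ == "__main__":
    for label, raw in [("good", GOOD_REDIRECT), ("drops path", DROPS_PATH),
                       ("302 to http", TEMP_AND_PLAIN)]:
        print(f"redirect [{label}]:", check_redirect(REQUEST_URL, raw) or "ok")
    for label, raw in [("good", GOOD_HSTS), ("weak", WEAK_HSTS)]:
        print(f"hsts [{label}]:", check_hsts(raw) or "ok")
```

Run it against `curl -sI` output for a few deep URLs with query strings, not just the home page; a redirect that only works for `/` is the most common way the .htaccess and vhost variants above go wrong.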


#15

Suppose Mark is using cPanel. Wouldn’t an .htaccess file be easier?


#16

I haven’t used cPanel in years, but if they don’t have the option in the GUI then .htaccess is probably the way to go.

I just did a quick search and there are tons of results that recommend this for cPanel.

# Redirect any request that did not arrive over HTTPS to the same host and
# path on HTTPS, with a permanent (301) redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I’m sure tons of sites use it, but the Apache docs recommend against it — not sure if it’s for semantics or performance. :man_shrugging:


#17

Almost every cPanel account I have used has had that code (or something similar) in a .htaccess file.

Unfortunately, shared hosting users can’t change the vhosts file so I believe the htaccess method is the only way. Fairly sure that AutoSSL in cPanel does support enforced HTTPS but it might be disabled by default.


#18

Thanks for all your help. A client has contacted me to say that their host has said:

> Please keep in mind that our SSL certificates have a huge advantage compared to the free ones, because our system is installing our ones automatically and also the free certificates lately are actually no longer being trusted by Google. Our certificates are certified and are always trusted. A free SSL is self-signed which can cause issues.

I was hoping this client would move to a web host that has SSL for free, using LetsEncrypt. However, after this message I am concerned the free certificates / LetsEncrypt are no good?

Or is the web host lying to get £50 a year from my client?


#19

I haven’t got a clue what cPanel or htaccess is.

I was hoping my clients web hosts would sort this stuff out?

Or is this something I’m going to have to get involved with?


#20

Technically that is true if they are referring to self-signed SSL certificates, which are commonly automatically generated by certificate providers. However, Let’s Encrypt SSL certificates are not self-signed and require the domain to be validated. AutoSSL or certbot will do everything needed to validate the certificate and also install the certificate as well.

If that message is implying that Let’s Encrypt isn’t any good then yes, the web host is lying to get £50 a year from your client. Let’s Encrypt is free thanks to donations by organisations like Mozilla, Cisco, EFF, OVH, Google Chrome, Internet Society, Facebook, IdenTrust (another certificate authority) and the list goes on. These organisations recognise that a secure web needs free SSL certificates.

So just to make it clear, Let’s Encrypt SSL certificates are 100% fine and safe to use on your client’s website. They are trusted by all major internet browsers which means that the green lock will show.

Let’s Encrypt certificates are not self-signed.

Many web hosts position Let’s Encrypt as a bad thing because Let’s Encrypt is offering the same product/service that the web host is charging for (in this case, SSL). As a reminder, Let’s Encrypt is the same thing as a paid DV SSL certificate, except free.