7.0: An issue with non-SSL Websites


#1

I’ve run into another issue with mixed content that I’d like to bring up.

The SSL Problem

As you probably know, it’s 2019 and the push for websites to use HTTPS (i.e. SSL) is growing. That’s definitely not a bad thing, but it presents a problem for websites that don’t use HTTPS.

In the current version of Surreal, we force HTTPS on all pages except the editor. In the editor, you’ll get bumped to the HTTP or HTTPS version depending on your website’s URL. We did this because if we forced HTTPS and you’re editing a website that doesn’t support HTTPS, you’d see a mixed content warning in your browser:

[image]

However, as time progressed browsers stopped showing this warning and, instead, they just stopped loading insecure content. That means your website would appear “naked,” without any styles or scripts.

These days, browsers are very aggressive in letting you know a website is not being served over HTTPS. For example, load any website over HTTP and you’ll see this in your address bar:

[image]

Firefox goes even further and shows this message when you’re filling out a form on an HTTP website:

[image]

How it Affects You

This isn’t a bad thing. Users should be informed of insecure websites. However, we find ourselves in a transitional period where many websites are still using HTTP and that creates a bit of a problem.

In Surreal CMS 7.0, all pages use SSL, even the editor. This provides more security for you and your users, and it keeps up with browsers and their aggressive stance against insecure websites.

Unfortunately, this means if your websites aren’t using HTTPS, you probably won’t see any scripts or styles in the editor — not a great experience. :frowning:

This is a tough problem from a development standpoint.

Of course, the easiest way to prevent this is to secure your websites. SSL certificates have been somewhat expensive in the past, but these days many hosts offer them for free through Let’s Encrypt.

Moving Forward

I’d love to tell you that I have a solution for this problem, but as of right now I don’t. I’m more than happy to tell everyone to switch to HTTPS, why HTTPS is important, etc. — but realistically I know not everyone will be able to make the switch right away.

I’ve experimented with swapping links in the editor — basically changing the source to load insecure content through a secure proxy that we control. So far, I’ve had limited success with this, and I’m not confident that this approach will resolve the issue 100%, but I’ll continue looking into it.

This problem has held up progress on the new version quite a bit, and today I’ve decided that launching the beta is more important than solving this right away. I’ll definitely circle back to it, but in the meantime I’m going to focus on getting the new website done and the beta launched.

If you have any questions or thoughts on this, I’d love to hear them!
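The link-swapping idea described in the post above, written out as an added example; this is not code from the original thread or from Surreal CMS. Run under Node, it first lists the subresources a browser would block as mixed content when an HTTP site is shown inside an HTTPS editor, then rewrites those URLs so they load through an HTTPS proxy. The proxy endpoint name (`PROXY_BASE`), the site URL and the HTML snippet are constructed for illustration.

```javascript
// Added example, not Surreal CMS code. Finds mixed-content subresources in an
// HTML document and rewrites them to load through a hypothetical HTTPS proxy.
// PROXY_BASE is an assumed endpoint name used only for illustration.
const PROXY_BASE = 'https://proxy.example.com/fetch?url=';

// Elements whose src/href are fetched as subresources and so are subject to
// mixed-content blocking. <a href> is navigation, not a subresource, so it is
// deliberately not listed.
const TAG_RE = /<(script|link|img|iframe|source|video|audio)\b([^>]*)>/gi;
// Matches src="..." / href='...' / src=bare inside an element's attribute list
// (the lookbehind keeps data-src and similar from matching).
const URL_ATTR_RE = /(?<![\w-])(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Resolve an attribute value against the page URL and classify its scheme.
function classifyUrl(value, pageUrl) {
  const raw = value.trim();
  if (/^(data|blob|javascript|about):/i.test(raw)) return { kind: 'inline', url: raw };
  let resolved;
  try {
    resolved = new URL(raw, pageUrl);
  } catch (e) {
    return { kind: 'invalid', url: raw };
  }
  if (resolved.protocol === 'http:') return { kind: 'insecure', url: resolved.href };
  if (resolved.protocol === 'https:') return { kind: 'secure', url: resolved.href };
  return { kind: 'other', url: resolved.href };
}

// Visit every subresource attribute. cb(tag, attr, info) returns the new
// attribute value, or undefined to leave the attribute as it is.
function walkSubresources(html, pageUrl, cb) {
  return html.replace(TAG_RE, (tagText, tagName, attrs) => {
    const newAttrs = attrs.replace(URL_ATTR_RE, (attrText, attrName, dq, sq, bare) => {
      const value = dq !== undefined ? dq : (sq !== undefined ? sq : bare);
      const info = classifyUrl(value, pageUrl);
      const replacement = cb(tagName.toLowerCase(), attrName.toLowerCase(), info);
      return replacement === undefined ? attrText : `${attrName}="${replacement}"`;
    });
    return `<${tagName}${newAttrs}>`;
  });
}

// List the subresources a browser would block on an HTTPS page.
function findMixedContent(html, pageUrl) {
  const found = [];
  walkSubresources(html, pageUrl, (tag, attr, info) => {
    if (info.kind === 'insecure') found.push({ tag, attr, url: info.url });
    return undefined;
  });
  return found;
}

// Rewrite each http:// subresource to the proxy; https://, data: and
// protocol-relative URLs that resolve to https:// are left alone.
function rewriteInsecureUrls(html, pageUrl, proxyBase = PROXY_BASE) {
  return walkSubresources(html, pageUrl, (tag, attr, info) =>
    info.kind === 'insecure' ? proxyBase + encodeURIComponent(info.url) : undefined
  );
}

// Constructed sample: an HTTP-only site with relative, protocol-relative,
// absolute-http, absolute-https and data: subresources.
const PAGE_URL = 'http://www.example-client-site.com/about.html';
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/safe.js"></script>
<img src='http://www.example-client-site.com/img/logo.png' alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="pixel">
<a href="http://www.example-client-site.com/contact.html">Contact</a>
`;

console.log(findMixedContent(SAMPLE_HTML, PAGE_URL));
console.log(rewriteInsecureUrls(SAMPLE_HTML, PAGE_URL));
```

Two caveats a practitioner would raise. First, `Content-Security-Policy: upgrade-insecure-requests` is no help here: it only upgrades `http://` to `https://` on the same host, and the whole problem is that the host has no HTTPS. Second, the proxy is an open fetch-anything endpoint unless it is restricted: it should only fetch from hosts belonging to the site being edited, never from private address ranges, and only for users allowed to edit that site. The rewriter is also regex-based rather than a full HTML parser; it does not see `url()` references inside CSS, `<base>` tags, or resources that scripts inject at runtime, which is the kind of gap that makes a proxy approach hard to make complete.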


#2

I hate the fact that all sites are being forced to use https. If a site is merely displaying information, I don’t think it should be labeled as insecure. I use hosting that makes using the free SSL easy, so not a huge issue for my clients, it’s just the principle of the matter.


#3

Well, a huge benefit of SSL is that it prevents man-in-the-middle attacks even for informational sites.

These attacks aren’t always malicious. Some ISPs have been caught injecting JavaScript into insecure websites for advertising and other various reasons. Here’s an example:

When a website is served over HTTPS, this sort of thing isn’t possible, so there are still benefits. Namely, making sure the content you want your visitors to see isn’t modified by anybody — be it your ISP, their ISP, a government, etc. :slight_smile:


#4

Who am I to stand in the way of progress? :blush:


#5

Not an ideal situation. Yes, the world is moving to HTTPS, but it still seems a wee bit premature to force this on everyone.

Would the simplest solution just be to allow users to stay on the current version of Surreal if they prefer? On another thread I think you said you’d give users a year or so to transition (before pulling the old version), but is there any reason you couldn’t extend this indefinitely and just allow users to transition if and when they’re ready to fully embrace HTTPS on all their sites?


#6

No, I believe you will have to fully embrace HTTPS sooner or later. Eventually Google Chrome and other browsers will show a full page warning that lets you know the website you are visiting doesn’t have SSL/TLS and is putting you at risk.

As someone who has experimented with man-in-the-middle attacks, I can assure you that you want to secure your websites. It is very easy for someone to redirect your traffic to their device and then inspect or modify it before you get the data.

SSL/TLS is important on so many different levels. It is now a ranking signal for Google search results. Websites that use HTTP/2 and SSL load faster.

I’m more likely to leave a website that is non secure for a better one (especially if I am submitting information).

If your web hosting provider doesn’t support free automated SSL/TLS certificates, leave them and find a better provider.

You shouldn’t be paying for certificates anymore unless you’re making a donation to a certificate authority that gives free SSL/TLS certificates. Free automated certificates happen in the background with very little work on your behalf. Let’s Encrypt certificates are also much more secure than 1-year paid certificates as Let’s Encrypt’s certificates expire after 90 days.

I don’t believe the old version of Surreal CMS should have to be online forever. It creates more work for @cory and that prevents him from working on more important stuff like future updates and features.

I welcome @cory’s decision on this as it protects the security of our clients.

Very much looking forward to version 7.0.


#7

I am my hosting provider, and yes, I provide free automated SSL/TLS certificates. :slight_smile:

Personally, I have no trouble with this, but I still think it’s premature to force it upon everyone.


#8

It’s not ideal, and I haven’t ruled out finding a solution — I’m just deprioritizing it so I can get the beta out sooner.


#9

I wonder how many websites that are powered by Surreal CMS don’t use SSL/TLS?


#10

Going by URLs, it’s less than 10%. However, I know there are plenty of sites that do support it but simply haven’t been updated in the CMS, so it’s hard to say definitively.


#11

Ideally we should be using SSL and HSTS to stop man-in-the-middle attacks. I have recently added most of my sites to the HSTS preload list. In the age of GDPR I would say SSL is essential even if you only have a contact form.
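As an added example for the HSTS point above (not code from the thread): before submitting a domain to the preload list you need a `Strict-Transport-Security` header that the list will accept, and it is easy to ship one that a browser honours but the list rejects. The snippet below parses the header using the RFC 6797 directive syntax and reports what would keep a site out of the preload list: a `max-age` under one year (31536000 seconds), no `includeSubDomains`, or no `preload` directive. The header values are constructed samples.

```javascript
// Added example, not code from the original thread. Parses a
// Strict-Transport-Security header (RFC 6797 directive syntax) and reports
// what would keep a site out of the HSTS preload list. Header values below
// are constructed samples.
const ONE_YEAR_SECONDS = 31536000; // hstspreload.org minimum max-age

function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    policy.errors.push('header missing or empty');
    return policy;
  }
  let sawMaxAge = false;
  for (const part of headerValue.split(';')) {
    const directive = part.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    // RFC 6797 allows a directive value as a token or a quoted string.
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (sawMaxAge) policy.errors.push('max-age appears more than once');
      sawMaxAge = true;
      if (value === null || !/^\d+$/.test(value)) {
        policy.errors.push(`max-age has no numeric value (${value})`);
      } else {
        policy.maxAge = Number(value);
      }
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // Unrecognised directives are ignored, as RFC 6797 requires.
  }
  if (!sawMaxAge) policy.errors.push('max-age directive is required');
  return policy;
}

// Everything that would make hstspreload.org reject the header as written.
function preloadProblems(headerValue) {
  const p = parseHsts(headerValue);
  const problems = [...p.errors];
  if (p.maxAge !== null && p.maxAge < ONE_YEAR_SECONDS) {
    problems.push(`max-age=${p.maxAge} is below the one-year minimum of ${ONE_YEAR_SECONDS}`);
  }
  if (!p.includeSubDomains) problems.push('includeSubDomains directive missing');
  if (!p.preload) problems.push('preload directive missing');
  return problems;
}

// Constructed sample headers: one preload-ready, one that browsers accept but
// the preload list would turn away.
const GOOD_HEADER = 'max-age=31536000; includeSubDomains; preload';
const WEAK_HEADER = 'max-age=86400';

console.log('good:', preloadProblems(GOOD_HEADER));
console.log('weak:', preloadProblems(WEAK_HEADER));
```

Passing this check is necessary but not sufficient: the preload list also requires the header to be served on the bare domain over HTTPS, HTTP on that host to redirect to HTTPS, and every subdomain to be reachable over HTTPS, since `includeSubDomains` applies the policy to all of them. Preloading is effectively permanent and removal takes months, so the usual staging is a short `max-age` without `preload` first, raised to a year and submitted only once all subdomains are on HTTPS.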