7.0: An issue with non-SSL Websites


#8

It’s not ideal, and I haven’t ruled out finding a solution — I’m just deprioritizing it so I can get the beta out sooner.


#9

I wonder how many websites that are powered by Surreal CMS don’t use SSL/TLS?


#10

Going by URLs, it’s less than 10%. However, I know there are plenty of sites that do support it but simply haven’t been updated in the CMS, so it’s hard to say definitively.


#11

Ideally we should be using SSL and HSTS to stop man in the middle attacks. I have recently added most of my sites to the HSTS preload list. In the age of GDPR I would say SSL is essential even if you only have a contact form.


#12

Hi Cory. I’ve started to ask my clients to get SSL. However, I’ve noticed that several of my clients’ websites work both with http and https. Have they been set up incorrectly by the web hosts? I presumed that once a client had https, a visitor using http would be automatically forwarded (is this the right word?) to the https URL?


#13

SSL or TLS is free these days using Let’s Encrypt. If you’re not hosting your client’s websites, tell them to move to a web host that gives free SSL certificates if their current one doesn’t.

Most sensible web hosts allow the Auto SSL feature in cPanel to work. Auto SSL will obtain a free SSL certificate automatically and renew the certificate without any interaction. However, some web hosts are greedy and see that they can make money from the basic necessity of security; they instead disable free automated SSL certificates through AutoSSL and force their customers to purchase SSL certificates through them or manually install free ones. Contrary to popular belief, paid domain validated SSL certificates are not any more secure than a free one from Let’s Encrypt. A web host that has been known to disable AutoSSL is GoDaddy.

Yep, that’s one way of describing a redirect. When you have an SSL certificate, your website can still load insecurely over HTTP. To fix this issue, you have to set up a redirect in your .htaccess file (assuming the server runs Apache).


#14

Your web server can be configured to serve content over both protocols, so you need to tell it to redirect HTTP to HTTPS. If you’re using a control panel of some kind (Plesk, cPanel, etc.), there’s usually an option in the website’s settings that lets you do this.

If you’re configuring Apache yourself, you’ll want to do something like this:

# HTTP 
<VirtualHost *:80>
  ServerName www.example.com
  Redirect / https://www.example.com/
</VirtualHost>

# HTTPS
<VirtualHost *:443>
  ServerName www.example.com

  # SSL & website config here...
</VirtualHost>

If you’re configuring nginx yourself:

# HTTP
server {
  listen 80;
  server_name www.example.com;
  return 301 https://$server_name$request_uri;
}

# HTTPS
server {
  listen 443 ssl;
  server_name www.example.com;

  # SSL & website config here...
}

If you’re using Let’s Encrypt, or certbot, from the command line, make sure you select the correct option before finalizing the installation (redirect):

[screenshot: certbot-https]


#15

Suppose Mark is using cPanel. Wouldn’t an .htaccess file be easier?


#16

I haven’t used cPanel in years, but if they don’t have the option in the GUI then .htaccess is probably the way to go.

I just did a quick search and there are tons of results that recommend this for cPanel.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I’m sure tons of sites use it, but the Apache docs recommend against it — not sure if it’s for semantics or performance. :man_shrugging:


#17

Almost every cPanel account I have used has had that code (or something similar) in an .htaccess file.

Unfortunately, shared hosting users can’t change the vhosts file so I believe the htaccess method is the only way. Fairly sure that AutoSSL in cPanel does support enforced HTTPS but it might be disabled by default.


#18

Thanks for all your help. A client has contacted me to say that their host has said:

> Please keep in mind that our SSL certificates have huge advantage compared to the free ones, because our system is installing our ones automatically and also the free certificates lately are actually no longer being trusted by Google. Our certificates are certified and are always trusted. A free SSL is self-signed which can cause issues.

I was hoping this client would move to a web host that has SSL for free, using LetsEncrypt. However, after this message I am concerned the free certificates / LetsEncrypt are no good?

Or is the web host lying to get £50 a year from my client?


#19

I haven’t got a clue what cPanel or htaccess is.

I was hoping my clients’ web hosts would sort this stuff out?

Or is this something I’m going to have to get involved with?


#20

Technically that is true if they are referring to self-signed SSL certificates, which are commonly automatically generated by certificate providers. However, Let’s Encrypt SSL certificates are not self-signed and require the domain to be validated. AutoSSL or certbot will do everything needed to validate the certificate and also install the certificate as well.

If that message is implying that Let’s Encrypt isn’t any good then yes, the web host is lying to get £50 a year from your client. Let’s Encrypt is free thanks to donations by organisations like Mozilla, Cisco, EFF, OVH, Google Chrome, Internet Society, Facebook, IdenTrust (another certificate authority) and the list goes on. These organisations recognise that a secure web needs free SSL certificates.

So just to make it clear, Let’s Encrypt SSL certificates are 100% fine and safe to use on your client’s website. They are trusted by all major internet browsers which means that the green lock will show.

Let’s Encrypt certificates are not self-signed.

Many web hosts position Let’s Encrypt as a bad thing because Let’s Encrypt is offering the same product/service that the web host is charging for (in this case, SSL). As a reminder, Let’s Encrypt is the same thing as a paid DV SSL certificate, except free.
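The three points argued across this thread (the HTTP-to-HTTPS redirect from #14 and #16, the HSTS preload requirements from #11, and the self-signed versus CA-issued distinction from #18 and #20) can all be checked from the outside. The script below is an added example, not code from the thread or from Surreal CMS; the host name, the sample certificate dicts and the sample header values are constructed placeholders, and `check_site` is only a convenience wrapper for running the checks against a live host.

```python
"""Verify what the Apache, nginx and .htaccess snippets in this thread are meant to
produce: plain HTTP redirects to HTTPS, the HTTPS response carries HSTS, and the
certificate chains to a trusted CA rather than being self-signed.

Added example; the sample inputs below are constructed, not captured from any real site."""
import http.client
import json
import ssl
import sys
from urllib.parse import urlsplit


def classify_http_response(status, headers, host):
    """Judge a plain-HTTP response whose redirect was NOT followed.
    Returns (ok, note): ok is True only when the visitor is sent to an https:// URL.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 307, 308):
        return False, f"served over plain HTTP (status {status}), no redirect to HTTPS"
    location = h.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirects to a non-HTTPS location: {location!r}"
    note = "permanent" if status in (301, 308) else "temporary (301 is preferable so browsers cache it)"
    if target.hostname != host:
        note += f"; canonical host is {target.hostname!r}"
    return True, f"{note} redirect to HTTPS"


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: leave None so the policy counts as absent
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy


def hsts_preload_ready(policy):
    """The HSTS preload list requires max-age of at least one year (31536000 s),
    includeSubDomains and preload."""
    return (policy["max-age"] is not None and policy["max-age"] >= 31536000
            and policy["includesubdomains"] and policy["preload"])


def is_self_signed(cert):
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert(). A certificate
    whose issuer equals its subject signed itself; a CA-issued one (Let's Encrypt or a
    paid DV certificate alike) names a different issuer."""
    return cert.get("issuer") == cert.get("subject")


def check_site(host, timeout=10):
    """Run all checks against a live host (needs network access)."""
    report = {}
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    report["redirect"] = classify_http_response(resp.status, dict(resp.getheaders()), host)
    conn.close()

    # create_default_context() verifies the chain against the system trust store, so a
    # self-signed certificate fails here instead of silently passing.
    ctx = ssl.create_default_context()
    try:
        sconn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        sconn.request("GET", "/")
        sresp = sconn.getresponse()
        hsts = sresp.getheader("Strict-Transport-Security")
        report["hsts"] = parse_hsts(hsts) if hsts else None
        report["hsts_preload_ready"] = bool(hsts) and hsts_preload_ready(report["hsts"])
        report["self_signed"] = is_self_signed(sconn.sock.getpeercert())
        report["trusted_chain"] = True
        sconn.close()
    except ssl.SSLCertVerificationError as exc:
        report["trusted_chain"] = False
        report["tls_error"] = str(exc)
    return report


# Constructed sample certificate dicts in getpeercert() shape (not real certificates).
SAMPLE_SELF_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
}
SAMPLE_CA_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print(json.dumps(check_site(target), indent=2))
```

Run it as `python check_https.py yourclient.example` and read the report: `redirect` should be `true` with a permanent redirect, `trusted_chain` should be `true`, and `hsts_preload_ready` only matters if you intend to submit the site to the preload list. A `trusted_chain` of `false` with a verification error is exactly what a self-signed certificate produces, and it is also what a visitor's browser will warn about.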


#21

cPanel is a popular control panel software for servers that allows web hosting providers to give their customers access to an easy-to-use control panel that helps them manage their website.

htaccess is a file that exists in the website directory and allows you to change settings for server software known as Apache.

A good web host will be more than happy to set up an http to https redirect.

Well, if you’re not reselling hosting, then no, you shouldn’t have to. Although reselling hosting might be something you might want to look into.


#22

Hi Jeremy. Thank you for your replies. They have been most helpful. Thanks again


#23

I’m concerned that the move to https is going to be too difficult / technical for some of my clients. Will it be possible to use both version 7 and 5 of Surreal? Version 7 for clients that have moved to https and version 5 for those who haven’t.


#24

In the past, I’ve left previous versions online for at least a year for major upgrades. However, upgrading is all or nothing.

The bigger issue with HTTPS isn’t Surreal — it’s how browsers continue to degrade them with warnings and such. I expect in two years we’ll see 85-90% of websites on HTTPS, if not more. Might as well get it out of the way :slightly_smiling_face:


#25

No worries Mark. Happy to help a fellow Surreal CMS user.


#26

You mean HTTPS, not HTTP.


#27

Yep, good catch! Updated