Security, SSL and HTTPS – why should I care?

13 Feb

Security, SSL and HTTPS are three words that confuse many people, are ignored by many people, but are vital to the wellbeing of your family history data. They have always been mentioned in kiwitrees installation instructions but now might be the right time to act on the suggestions there.

2018 has already started out as the year we will all need to focus more on our family history web site’s security. But not just for the obvious reason, the risks of spammers, hackers and general internet craziness. All those things are important concerns, and they always have been. But now, in 2018, we are getting some serious “help” from our friendly web browser designers!

I won’t try here to explain the terms “Security, SSL and HTTPS”. You can easily google that if you need to, but I will explain why you need to care, and how to address the issue.

The keen-eyed technology-watchers among you may have spotted headlines like this in recent months:

From Google (Feb 2018): Chrome will mark all HTTP sites as ‘not secure’ starting in July

From Mozilla (Jan 2018): Effective immediately, all new features [in Firefox] that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc.

In layman’s terms, they are saying it is going to be harder to ignore those “this site is insecure” messages when you navigate around the web. These are what you might see now – but the terminology and “nagging” will get worse!

[Screenshots of the current warnings in Chrome, Firefox and MS Edge]

As a result, the time to act on the advice to secure your site has arrived, and none of us should ignore it any longer. If we do, apart from any security risk, which although small is not non-existent in kiwitrees, our users and visitors are going to get frustrated by the constant nagging from their browser, and search engines will start to ignore your website.

Of course, updating to HTTPS/SSL security is still not compulsory. If you cannot do it, or prefer not to, your kiwitrees website will still function exactly as it always has, and will remain as secure as it always has, which is in fact VERY secure. But I’m afraid your browser will increasingly nag you and your users about it. 🙁

So what do we need to do?

Well, these days it’s surprisingly easy. Until a year or two ago, it was an unpleasant fact that an SSL certificate (step 1 in the process) cost an annual fee of $100 or more. But then LetsEncrypt joined the market, with the stated aim to “make encrypted connections to World Wide Web servers ubiquitous. By eliminating payment, web server configuration, validation email management and certificate renewal tasks, it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.”

In some cases, a commercial certificate is still required, but in the majority of kiwitrees installations, you should be able to easily implement a FREE LetsEncrypt certificate, and it is surprisingly easy to do. There should, in this case, also be no extra charge from your web host.

The first thing to note is that most web hosts should now have an automated installation package built into their control panel, whether cPanel, Plesk or something else. Here’s an example from my own Plesk control panel:

I don’t have access to cPanel with the same feature, but I have confirmed that it has been available since ver. 58 of cPanel. Whether your host provides cPanel, Plesk, or something else, they should be able to give you this feature, so pester them for it. It makes the process so much easier!

Assuming you have it, these are the steps to getting your site fully secure:

  1. In your host’s control panel ensure that “SSL”, or “SSL TLS” is enabled. Usually just a matter of ticking a box.
  2. Using the LetsEncrypt tool in that control panel, it’s a single click to create and install the certificate. Nothing more than that.
  3. Now you have access to your site using BOTH http://yourdomain.xxx (not secure) AND https://yourdomain.xxx (secure). But you don’t really want or need that. The old solution was a complex “redirection” via a “.htaccess” file. But with kiwitrees, it couldn’t be simpler. Just log in to your site using the secure https://yourdomain.xxx address. Go to Administration > Site administration > Site configuration, and scroll down to “Website URL”. In its drop-down box, you should see the https URL you used to log in. Select it, then click ‘save’ for that page. That’s it. Job done! Anyone visiting your site from now on, using either the secure or the old insecure URL, will always be directed to the secure https version.
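To confirm that step 3 took effect, the check below classifies the reply a server gives to a plain-HTTP request. It is an added example, not part of kiwitrees or the original post; `bare`, `judge_redirect` and `probe` are hypothetical helper names and the sample replies are constructed.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def bare(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def judge_redirect(host, status, location):
    """Classify the reply to `GET http://host/`; returns (ok, reason).

    ok is True only for a redirect to an https:// URL on the same site.
    """
    if status not in REDIRECT_CODES:
        return False, f"status {status}: answered over plain HTTP, no redirect"
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"Location {location!r} is not an https:// URL"
    if bare(target.hostname) != bare(host):
        return False, f"redirects to a different host: {target.hostname}"
    return True, f"{status} -> {location}"

def probe(host, timeout=10):
    """Live check (needs network): one HTTP request, redirects not followed."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return judge_redirect(host, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample replies, not captured from a real site.
SAMPLES = [
    ("yourdomain.xxx", 301, "https://yourdomain.xxx/"),
    ("yourdomain.xxx", 200, None),
    ("yourdomain.xxx", 302, "http://yourdomain.xxx/login.php"),
]

if __name__ == "__main__":
    for host, status, location in SAMPLES:
        ok, reason = judge_redirect(host, status, location)
        print("OK  " if ok else "FAIL", host, "-", reason)
```

Calling `probe("yourdomain.xxx")` with your own domain runs the same check against the live site after the Website URL setting has been saved.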
[Screenshot: Plesk – LetsEncrypt]

Important note for kiwitrees hosted sites

If your website is hosted here at kiwitrees.net then you have one of two web address types:

  1. A sub-domain site, with a web address in the form of yourname.kiwitrees.net.
  2. A site directed to your own personal web address, such as our-families.info (my own personal site) or yourname.co.nz, or yourname.com, or yourname.com.au, etc…

If you have an address of type 1 (and that means most of you), then relax. Your site has already been converted and is fully secured.

Unfortunately, for the time being, things are not so easy for the handful of us who use the personalised domain names (type 2 addresses). LetsEncrypt cannot yet provide the necessary connections to this sort of site that are needed for their system to work. There is hope it might be possible in future, but for now the alternatives are either not to use https, or to pay ($NZ 100 per year) for a commercial SSL certificate.

kiwi
About The Author


5 Comments

jacoline » 27 Feb 2018 »

I can not visit my kiwitrees with my tablet with an older android version (4) because of this 🙁

kiwi » 27 Feb 2018 »

I don’t understand that statement.

What is the problem with the old Android? I cannot understand why just changing to https url would cause this. There must be more.

jacoline » 11 Mar 2018 »

Latest browser apps like Firefox and Chrome which support SNI cannot run on Android 4.0. And the standard browser for Android 4.0 does not support SNI. If I remove the SSL I can visit my page.

    kiwi » 13 Mar 2018 »

    Yes, I see what you mean. Sadly the forced need to update hardware regularly is becoming “normal” 🙁
