Support community for TTG plugins and products.
NOTICE
The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.
This forum is now closed, and exists here as a read-only archive.
There seems to be a rising wave everywhere I look that converting sites to the more secure https:// from http:// will be a necessity in the very near future. Whereas this would dramatically increase what I spend for hosting I've been dragging my feet on doing so. Since the members of this forum are a pretty savvy bunch I'd really like to hear what all of you have to say on the topic. Will it be necessary, inevitable, unavoidable? Should I do it now or wait and see what shakes loose in the coming months? I know some of you have made this transition already. Was it easy, difficult, painful, a nightmare, or what?
Regards Mark
I switched to https a few months ago using a certificate from letsencrypt (free). It was a pretty simple change; other than changing all hardcoded links in Backlight I added a rewrite rule to .htaccess to force all incoming http traffic to https.
I am self hosted, though, and I don't know if your provider will allow you to use a certificate from letsencrypt.
Last edited by charlie.choc (2017-08-21 21:19:42)
Charlie
www.stalkinglight.com
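The kind of .htaccess rule described in the post above, as an added example that is not part of the original post or of Backlight. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled and a certificate already installed; the HSTS header and its max-age value are additions chosen for illustration.

```apache
# Added example (constructed): force HTTPS from .htaccess.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect only requests that did not arrive over TLS.
    # %{HTTPS} is "on" when Apache itself terminates TLS.
    RewriteCond %{HTTPS} !=on

    # If TLS is terminated by a proxy or CDN in front of Apache, %{HTTPS}
    # is always "off" and the rule above loops. In that case replace the
    # condition with the header the proxy sets (assumed here to be
    # X-Forwarded-Proto):
    # RewriteCond %{HTTP:X-Forwarded-Proto} !=https

    # 301 keeps the path and query string. %{HTTP_HOST} echoes the host
    # the client sent; substitute the site's canonical hostname to avoid
    # redirecting to an arbitrary Host header.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
    # HSTS tells browsers to skip plain HTTP on later visits. It is sent
    # only on HTTPS responses (env=HTTPS). Start with a short max-age
    # (one day here) and raise it once the HTTPS setup is known to be stable.
    Header always set Strict-Transport-Security "max-age=86400" env=HTTPS
</IfModule>
```

The redirect only takes effect after a request has already been made over plain HTTP, so links and form targets that still point at http:// send their data unencrypted before the redirect happens. That is why the hardcoded links also have to be changed.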
Hi Mark,
The HTTPS protocol is used to encrypt data during transfer between the browser and your website. If you're not dealing in sensitive data -- banking or credit card information, personal info such as social security or passport numbers, etc. -- then you don't need it.
Much of the recent hullabaloo surrounding HTTPS is due to a policy change Apple is asserting in its App Store, requiring apps to connect to online services via HTTPS. Not every app needs such security, but rather than police individual apps for protocol, they're setting a blanket policy. I think that makes good sense.
HTTPS will yield no benefit to delivering or securing your images, though. And even when using our Cart or Fotomoto features, it's a nonissue, as payments are transacted via PayPal or Fotomoto, respectively, and they're using HTTPS. Payment information is NEVER collected by, or input directly into Backlight.
I hope that helps.
Cheers,
Matt
I have a different take on it. SSL should be used whenever any personal information is submitted online. That could be as simple as a contact form. Without SSL, you are letting your customer's details be submitted across the Internet for those with ill intent to capture.
Of course, many or most of us don't use SSL and do have user submitted data such as that sent from contact forms. This is largely due to the potential technical difficulty and financial cost of setting up SSL. SSL also typically requires a dedicated IP address per domain. I would love to see a secure transport option that did not require certificates, so that a secure mode could be switched on for sites with less critical information, such as contact forms and login pages, but not credit card details, without the need for expensive add-ons or complicated setups.
Apple's HTTPS enforcement can be problematic. For example, how would we write an iOS client for Backlight that could talk to the majority of Backlight sites that aren't configured with SSL? This issue would affect any iOS client that interfaced with back-end content management systems, such as a WordPress client. On that point, I'll need to see whether WordPress has found a way around this, to see what options we may have for the future.
Offline
Google uses https as a factor in search engine ranking, fwiw. How much difference it makes I have no clue.
Charlie
www.stalkinglight.com
Should be noted that if you don't have https, when you log in to your admin page, you are sending your username and password in the clear.