Author Topic: Adding HTTPS/SSL to the forums  (Read 3854 times)

SRVADM

« on: 06 March, 2017, 05:38:29 pm »
Greetings all!

Google have sent notice that they will soon be marking websites that ask for passwords over unencrypted connections as insecure*, and the TOMM Forums currently fall into that category. The web community is expecting other browsers to follow suit over the next few months/years. So that everyone can continue to easily access the forums no matter your browser, we're migrating over to using HTTPS/SSL instead of plain HTTP.

If all goes well, no one should notice any difference as the change should be transparent to users (unless you're already getting warnings, which should now disappear).

We will however be doing this as a step-by-step migration to allow any issues to be brought to my attention so that they can be mitigated or fixed. The current plan is as follows:

  • Mar 6th: Turn on SSL connections to the forums, asking members to try it out and see if they encounter any issues. The site is available via https://forums.tomm.com.au/ - please give it a go and report any errors!
  • Apr 2nd: If all goes well, redirect all connections from the http site to the https, again seeking feedback. If anyone missed this post, this is when they may run into errors so let us know via the TOMM contact form.

Known issues:
  • When you first visit the https version of the site, your browser may show that there is "mixed" secure content. I have found the only way to fix this was to close all browser windows and start again - a forced reload of content was insufficient. If it persists, you may need to clear browsing data/history.

If you find you can't load the encrypted site, please return to the unencrypted site (http://forums.tomm.com.au/) and post a reply here. Both sites are hosted from the same database, so their contents are identical.

* Google: Non-Secure Collection of Passwords will trigger warnings in Chrome 56
Quote
Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.

A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.

Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

[Ed: Switch over date moved back lots due to availability]
« Last Edit: 01 April, 2017, 05:48:00 pm by SRVADM »
Server whisperer