Google Chrome HTTPS- July 2018

Hi,

In July this year Google is going to be changing the omnibox in Chrome 68 to display all HTTP sites as ‘Not Secure’ https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html.

Having looked through my own site I can see that there’s going to be a lot of pages showing this with the exception being my contact form and guestbook which redirect visitors to HTTPS. The main sticking points for me at the moment are my charts and radar pages which use external sources that don’t use HTTPS.

I’m left wondering what effect this ‘not secure’ message is going to have on visitor numbers and whether it is worth changing to HTTPS.

What are peoples thoughts and opinions on this change?

Ross

For me personally and my web host, I would have to pay close to $200 US a year for the SSL. that is about 60 for the ssl certificate and the rest for a static IP address they say is necessary for that to work right. That is expensive for me , I do not get a lot of visitors anyway. I can go through my templates and see what needs to be changed for any sites that are SSL already . However, perhaps for me, it would be time to consider abandoning my whole web presence, redirecting until my host service expires in January 2019 and say bye.

I would recommend in your case, to explore your templates for any changes to https, now. test the changes in urls and then make the leap.

That’s crazy when many webhosts offer SSL for free 8O

I am with Hostmonster and it isn’t free. I am told that I can get a low cost certificate, but would need to do fix my templates so that things work fine, plus a redirect until users are comfortable with the new urls. I am not savy on templates, Wim can verify that for me.

So I think I am going to ride this one out for now and see if Hostmonster changes policy and prices. =Being retired limits what one can spend. If I had thousands of hits a month, sure, but nada.

I did some digging and found this: A private SSL certificate requires its own dedicated IP address
Changing to a Dedicated IP Address Requires Time to Propagate

When switching to a dedicated IP, the IP address of your website will change, and the DNS will subsequently need to propagate (update) worldwide, which requires approximately 4 to 8 hours.

This means that some visitors will be able to view your website at the new IP address immediately, while others will not be able to see it for up to 8 hours after the change to a dedicated IP address. Planning ahead can minimize the impact. For example, we don’t recommend switching to a dedicated IP address when you are in the middle of a promotion or advertising campaign.

Have you read this thread?

Folks, here are some tips on changing to SSL…

1: If you have to change your IP address have your Host lower your TTL 48 hours before switching IP addresses. That will mitigate propagation to an extent…
2: See if your host provides for Let’s Encrypt SSL/TLS Certificates. Let’s Encrypt Certificates are free but have to be renewed every 90 days.
Many Hosts provide free or low cost (one time) setup for Let’s Encrypt and many automate the Renewal for Let’s Encrypt certs
3: You have to make sure all images are called using the https address for your domain or relative links ie…
img src=“https://yourdomain.com/image.jpg” or img src=“/image.jpg”
4: You can force visitors to use the https address by adding a .htaccess redirect

FWIW :wink:

-Bob

Has anyone using the Leven2.8 template made the leap?

I am not a commerce site, no information should exchange (I do have a contact form, and definitely it can disappear), it is just a neutral site. I do not see the need to get the blessings of the Google operation at this time whether or not i am secure. I do have a notice on my page that I am secure and not going to make the leap. I also have SiteLock, which isn’t ssl but checks for malware and I can easily disable all site trackers if needed.

that being said, I am going to be a rebel and not make the leap right now. I do see that i have to have a certificate for each subdomain as well. that can be expensive.

Not sure why you need a static IP to use HTTPS? Unless you access the website via the IP then it is irrelevant. The DNS service resolves your domain name to IP, and if your server address does change then presumably your hoster also updates your DNS record.

It depends on the host, some hosts are setup so they can only add a SSL/TLS cert if a domain has a dedicated IP address, others have modified their
systems to allow private certificates for shared IPs.

-Bob

Maybe his host doesn’t have SNI implemented? The whole $200 + fixed IP thing is very strange, I had 3 SSL domains on my shared hosting account using Let’s Encrypt and it didn’t cost me anything extra :?

HostMonster Web Hosting Help
SSL Certificate Information
Summary

An SSL Certificate is responsible for creating secure communication between client and server. HostMonster provides a free shared SSL Certificate available to all accounts residing on a shared IP address.
What is an SSL Certificate

SSL is the Secure Socket Layer protocol which is responsible for creating secure communication between client and server. This is done by both server and client authentication and the negotiation of an encryption algorithm and cryptographic keys.

Internet users associate SSL with the padlock that appears in your browser’s address bar when you enter the secure area of a website. They know to look for this before entering any personal or financial information online. If information is entered on an unsecured website, the data is transmitted from your computer to the webserver un-encrypted and viewable in plain text. Anyone ‘sniffing’ packets on the network or on the internet can capture your information and use it fraudulently.

HostMonster does provide a free shared SSL Certificate available to all accounts residing on a shared IP address. For more information about the Shared SSL Certificate, Click Here.

To utilize the SSL protocol with your domain, the HostMonster server needs to have a Private (non-shared) SSL Certificate installed specifically for your domain. This can only be done if your account has a Dedicated IP address. For information about purchasing a Dedicated IP address, please Click Here.

Please note, for Standard and Pro accounts, you can only have one Dedicated IP and one SSL Certificate. This is because you will have only one cPanel. For VPS, dedicated, and reseller accounts, you can have multiple Dedicated IP and SSL Certificates because you can create multiple cPanels within your account.

Once you have purchased a Dedicated IP for your HostMonster account, you may continue with one of the following knowledgebase articles:

Purchase a Comodo trusted Private SSL Certificate via your HostMonster cPanel
Generate a self-signed certificate via your HostMonster cPanel SSL/TLS Manager
Purchase a trusted Private SSL Certificate through a 3rd party

Note: SSL Certificates are domain specific. When renaming the main domain please be aware that the SSL Certificate for the old main domain will not work after the rename process. The new main domain name will require a new SSL Certificate.

Note: Since SSL Certificates are Domain/IP specific, you must first Purchase a Dedicated IP before purchasing or having an SSL Certificate installed on your account. They will NOT work with a shared IP address.

Maybe, hosting companies shouldn’t still be using SSL, it has been insecure for years now. So yes it sounds like like they don’t have SNI enabled.

Either way, I am not doing the ssl thing. My agreement with Hostmonster ends in January. then I might just forget it. I still have Weatherlink 1.0 and 2.0.
With WL 2.0, I asked if they would have an url as they do for the 1.0 and that is yet to come, if ever.

I just don’t think I want an expense for some sight such as mine that can go days with no visitor and then other days with more. I guess the original post was someone wanting to have SSL and how to go about it.

For me Hostmonster has been wonderful to work with . they have people on 24/7 to get help via chat or even phone. Cost isn’t an issue and I have full control. If the site is down they are up quickly.

No one is really using SSL any longer, all Certificates issued today are TLS Certificates…

But we have been calling it SSL for almost 2 decades and it is hard to change the Common name for something #-o

-Bob