Chrome seems to be today the most used browser according to W3Counter
Global Web Stats from W3Counter
Date Internet Explorer Firefox Google Chrome Safari Opera
April 2016 9.6% 9.7% 57.2% 13.4% 4.1%
It used to be Internet Explorer for the longest time.
Admittedly, Chrome is a much better browser, but it will now come at a price for web sites : http sites will be flagged as not secure, starting January 2017. It is right around the corner.
We are now facing the same necessity as what happened with Desktop and unsigned apps that show as “This app can potentially harm your computer”. True or not, I can see how cohorts of uninformed users already vaguely anxious when Internet is concerned, will shy away from good old http site.
Just done some quick reading up about this.
Sounds like a nightmare (again)
If I am getting this right, it basically comes down to:
[quote]Start a new hosting space
Copy everything to it
Buy a certificate
Certify the new space
Create redirects for everything on the old site
Recode any links in your apps that look for the old http: versions
Hope that Google treats your ‘new pages’ in the same way as the old[/quote]
That is OK. They will eventually have to worry about it.
At any rate, there will probably remain massive number of sites which will never switch. For my own, I will only add SSL to sites that are popular and geared toward general public.
[quote=287382:@Jeff Tullin]Start a new hosting space
Copy everything to it
Buy a certificate
Certify the new space
Create redirects for everything on the old site
Recode any links in your apps that look for the old http: versions
Hope that Google treats your ‘new pages’ in the same way as the old[/quote]
That was not my experience at all with 1701’s ServerWarp. Phillip added the certificate right away, and all I have to do is use https instead of http. No need to move files.
In the case of ServerWarp, you can indifferently use http or https. So links won’t be broken. I messaged to Phillip to find a way to have http traffic automatically redirected to https. The document you link to states to use redirect 301, I am trying to find a simpler way, but that is the idea.
[quote]@Jeff T Recode any links in your apps that look for the old http: versions
Again, no.[/quote]
That would be a relief, since all my older software versions would break overnight…
Pretty sure I read a Google document that suggests every page has to have its own 301, though.
Says friendly stuff.
But I dont get it.
Lets Encrypt:“lets site operators turn on and manage HTTPS with simple commands” Me: Great! Lets Encrypt:“The agent software completes one of the provided sets of challenges. Lets say it is able to accomplish the second task above: it creates a file on a specified path on the https://example.com site. The agent also signs the provided nonce with its private key. Once the agent has completed these steps, it notifies the CA that its ready to complete validation.
Then, its the CAs job to check that the challenges have been satisfied. The CA verifies the signature on the nonce, and it attempts to download the file from the web server and make sure it has the expected content.” Me: errr…
Michel, where would you get the certificates, some place like Comodo or KSoft or is it best to get it from your hosting company? And do you have to change the content of the site or can you just simply move it all over?
I get it from the hosting company. It is way less trouble. So I can ask for assistance if needed. I tried to install a certificate myself a few years back, it was not easy.
Actually, I don’t have any moving to do. All the user has to do is to place https:// in front of the domain and page directory, it works just the same. What may be necessary, is to redirect users to the same page over https.
[quote=287449:@Jeff Tullin] Lets Encrypt:“lets site operators turn on and manage HTTPS with simple commands” Me: Great! Lets Encrypt:“The agent software completes one of the provided sets of challenges. Lets say it is able to accomplish the second task above: it creates a file on a specified path on the https://example.com site. The agent also signs the provided nonce with its private key. Once the agent has completed these steps, it notifies the CA that its ready to complete validation.
Then, its the CAs job to check that the challenges have been satisfied. The CA verifies the signature on the nonce, and it attempts to download the file from the web server and make sure it has the expected content.” Me: errr…
No doubt it will make sense eventually.[/quote]
That entire process is automated. If you can follow instructions you can get a SSL cert from Lets Encrypt.
Let’s Encrypt is cool but the certs only last 3 months. The process can be automated if your SSL terminator and web server are either the same or work together and you have configured as so. Most hosting providers (Including us) re-sell Comodo which are 3 year certs.
The cert itself enables encrypted traffic but the cert does not have to be recognized by the browser for the encryption to work. So as browsers push to all-encrypted traffic you will start seeing more self-signed certs too. The SSL companies are the only ones who stand to benefit from ubiquitous SSL. Let’s Encrypt is a great effort but there should be more than 1 free provider that the browser recognizes.
Let’a Encrypt certificates are trusted by all major browsers. Like Phillip said though, they are short term certificates, so you’ll really want to have their client running on your server to automatically handle the certificates.
I sent an email to Geoff about a year ago suggesting they do exactly this for Xojo Cloud and offer free SSL for all users. I don’t use Xojo Cloud myself, so I don’t know if this happened, but I still think it would be a good idea. Especially with these changes coming.
My site’s certificate expires this year and I plan to switch to Let’s Encrypt soon.