TOPIC:

I think the writer of the article has missed the point. HTTPS is about the integrity of the connection (i.e. can someone spy on my password). It has nothing whatever to do with the nature of the content at the other end.

We will always need to use our best judgement about what to connect to, and to be suspicious of anything that looks a bit "off".

Hi all, Just wanted to add my 2 cents.

Our club is very concerned about our FTH2 site with custom domain not being secure, and we would be willing to pay for a certificate to be added to our domain.

If there could be a way for us to upload our certificate via FTH2 admin UI, we would be willing to do so.

We love the features of FTH2 but may switch to a different system if there are no plans to add HTTPS security to custom domains.

As a software developer for a large corporation, I am also willing to offer my volunteer time and expertise in this area if programming or technical requirements are needed.

Sincerely,
Geoff Peters

gpeters wrote:

Hi all, Just wanted to add my 2 cents.

Our club is very concerned about our FTH2 site with custom domain not being secure, and we would be willing to pay for a certificate to be added to our domain.

If there could be a way for us to upload our certificate via FTH2 admin UI, we would be willing to do so.

We love the features of FTH2 but may switch to a different system if there are no plans to add HTTPS security to custom domains.

As a software developer for a large corporation, I am also willing to offer my volunteer time and expertise in this area if programming or technical requirements are needed.

Sincerely,
Geoff Peters

Understood... we are looking into this. However, it has to be a method that can be used for a lot of clubs, not just yours. If you would like to contribute your technical expertise, then PM me your contact info and I will try to get in touch with you to explore further.

References on mixed content issues... everyone who wishes to use https: should review these:

www.a2hosting.com/kb/security/ssl/secure...ontent-on-a-web-page
developer.mozilla.org/en-US/docs/Web/Sec...e_with_mixed_content
www.howtogeek.com/181911/htg-explains-wh...xed-content-warning/
www.brokenbrowser.com/loading-insecure-content-in-secure-pages/

Also, the following claims to find insecure content in a secure website:

www.jitbit.com/sslcheck/
www.whynopadlock.com/
www.sslchecker.com/insecuresources

Another HTTPS issue - the Toastmasters Podcast link is broken. When using the HTTPS version of the FreeToastHost site, it makes the link go to the HTTPS version of www.toastmasterspodcast.com/ , which doesn't work. You'll need to force that one to HTTP.

user wrote:

Another HTTPS issue - the Toastmasters Podcast link is broken. When using the HTTPS version of the FreeToastHost site, it makes the link go to the HTTPS version of www.toastmasterspodcast.com/ , which doesn't work. You'll need to force that one to HTTP.

fixed

Hi Steve,
I came across this article on how to set up Let's Encrypt for WordPress. I know it's not directly applicable to FTH but this general idea seems promising as a direction to go for adding Https to FTH custom domains.

torquemag.io/2017/02/add-free-ssl-certificate-wordpress-site/

Hi Steve, Just wondering if there are any updates on HTTPS for custom domains since we last chatted?
(I know it's only been a week since we talked).
Hope you are having a good weekend.
Best regards,
Geoff

Bump... I will be doing more work on this.

Good to hear, thanks Steve. I will let our club's exec team know the good news, as we are eagerly awaiting a more secure club website for our members Let me know if you'd like to bounce some more ideas off me.

Best regards,
Geoff

I am still working through this... However, it has come to light that we likely need to provide some sort of control to clubs/districts using FTH to allow them to determine what level of HTTPS enforcement policy they want to employ. Therefore, I strongly leaning in the direction of providing a drop-down for this in the Website Settings - Basic Settings tab that would allow indicating to use one of 4 different approaches for this.

Here are the four approaches that you would be allowed to select from (from least to most strict):

1. Do not enforce HTTPS (this would be the default)
   This one allows the use of HTTPS, but the system does nothing if you load your website w/ HTTP.
2. Enforce HTTPS
   This one would reload the website w/ HTTPS if a user tries to access it via HTTP. However this does nothing about insecure user content... that is left to the browser to determine what to do. In some cases, this would result in blank squares where insecure content would be.
   
3. Enforce HTTPS & Use CSP/Report Only
   This one would reload the website w/ HTTPS if a user tries to access it via HTTP. Additionally, it would employ a Content Security Policy (CSP) that would send reports of insecure content to the website admin.
   
4. Enforce HTTPS & Use Full CSP
   This one would reload the website w/ HTTPS if a user tries to access it via HTTP. Additionally, it would employ a Full Content Security Policy (CSP) developed for FTH that would block insecure content.
   

Sounds good to me, thanks Steve! That proposal in combination with the free Let's Encrypt certificates for custom domains would be ideal.

Best regards,
Geoff

Make no mistake, though. I am on the learning curve with this stuff... that is why it is taking a bit.

If we implement the Content-Security-Policy page header/meta tag (as an option) for dealing w/ mixed content issues, then some sort of notification will need to be generated to someone when club entered content is determined to be insecure.

A big question for me is how this notification should be done. My thought was to generate an email notification to the website admin as a simplification (we have that email address). However, this is problematic, since this would likely generate an email on every website load or refresh.

Another possibility is to use the internal messaging system to generate an internal admin message to be displayed when the admin is logged in. With this approach, the message stream could be checked for some key piece of text to see if the message was already sent to the admin. However, this is also problematic since the prior message may not be recent... some sort of "re-notifying" the admin may be appropriate to make them actually take action to resolve the mixed content issues.

Anyone have any thoughts on this???

Hi Steve, My thought is that the internal messaging system to generate an internal admin message, to be displayed when the admin is logged in, would be the most effective way to notify the admin. Also if a link from the message could be provided to a help page that explains how the issue could be fixed, then it would be easier for the admin to take action. Perhaps there could be a check box that would allow the admin to stop the message from keeping popping up, otherwise, it should appear every time an admin logs in.
Often the person who is listed as the admin email, may not be the person who would be able to act on the issue. (In our club the admin email goes to a former executive member who keeps track of our domain name, but isn't involved with the exec currently).

Just my 2 cents. Thanks,
Geoff

Right now the internal messaging system is just plain text that does not really support links. (I have already received some groans about that... lol) The internal messaging system will probably get an upgrade at some point. When I implemented it, I was not even sure that users would want to use it. However, over time I think people have started to see the value of an internal messaging system vs using email for all notifications.

Nice. Thinking of some other sites, for example Facebook has an internal messaging system but also allows users to receive an email notification for each on-site notification, but this email feature can be turned off on a per-user basis.

gpeters wrote:

Nice. Thinking of some other sites, for example Facebook has an internal messaging system but also allows users to receive an email notification for each on-site notification, but this email feature can be turned off on a per-user basis.

Well, we certainly are not Facebook (and do not aspire to be), but there is certainly potential for future improvements.

I am now able to generate Let's Encrypt SSL certs for custom domains... some progress. We need to test everything and fine tune it to make sure it actually works...

After that, I will need to run a loop to generate certs for all current custom domains and create code to create certs in the future.