SSL - Will old full links with "http" work in the new ssl environment?


(Greg Schneck) #1

I’m planning an SSL install. During the “migration” period will old “http” full links work in the SSL environment? (I realize I need to ensure any manual links are set to https or change to relative links, etc.) Or once SSL propagates will these old full “http” links return errors?


(Doug Bennett) #2

Will probably cause errors or pages not to load.
https://www.whynopadlock.com/index.html

If it’s a link leaving your site it would be okay but images CSS JavaScript etc all need to be https.


(Greg Schneck) #3

Hi… thanks for the link to the tool… Appreciate it much.
I finally made it thru the Chat Queue with my provider and they said it would resolve but with a warning… That’s fine as I should be able to fix the full links rather quickly.

Again… thank you for replying and thanks for the link.


(LJ) #4

In my (limited) experience moving from http to https the old pages did not resolve from cached google search results - had to move quickly with htaccess to get them back. If your provider has something set up that’s useful - if not, the following script in htaccess should work (linux):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


(Greg Schneck) #5

Thanks for the rewrite rule… Appreciate it.


(Greg Schneck) #6

I should add that my concern was more for what happens during population of the new “https” url where some requests may come in as “http” and some as “https”, i.e. no matter what I do I cannot perfectly “sync” anything I do to accommodate the change to “https” at the very instant it implements on various servers.


(Doug Bennett) #7

Until you do a redirect any requests that come in as http should still function as normal http requests. Having the certificate allows you to use https and that allows the browser to show the user they are secure.
It doesn’t force you to use https. You should still be able to access as http until you apply the redirects.
So I wouldn’t apply the htaccess redirects until you clear up the http files in the site.


(Tomas Jakobs) #8

Caution with mixed content via http and https. When transferring to https you should really check that all your included assets, javascripts and frameworks work on https as well. Otherwise your customers will get strange warning messages. It took me several days to check my own website and it made me think about what 3rd party stuff I am using when it comes down to SRI (Subresource Integrity).

Though https alone doesn’t mean that a site is secure. I strongly recommend observatory.mozilla.org and ssllabs.com/ssltest as testing tools.
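
The check described in posts #2 and #8, as an added example that is not part of any post in this thread: a small Python scanner that lists the `http://` subresources on a page (images, scripts, stylesheets, frames), which cause mixed-content warnings, separately from plain outbound `http://` links, which do not. The sample page and the example.com / example.org hosts are constructed placeholders.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches as part of the page itself.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
}
# <link rel=...> values that trigger a fetch (stylesheets, icons, preloads).
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources and, separately, http:// navigation links."""
    def __init__(self):
        super().__init__()
        self.mixed = []   # (line, tag, url): triggers a warning on an https page
        self.links = []   # (line, tag, url): ordinary links, no warning

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        line = self.getpos()[0]
        for name, value in attrs.items():
            if not value.lower().startswith("http://"):
                continue  # https://, relative and //host URLs are fine
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.mixed.append((line, tag, value))
            elif tag == "link" and name == "href":
                rels = set(attrs.get("rel", "").lower().split())
                if rels & FETCHING_RELS:
                    self.mixed.append((line, tag, value))
            elif tag in ("a", "area") and name == "href":
                self.links.append((line, tag, value))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.mixed, scanner.links

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<img src="http://www.example.com/img/logo.png">
<img src="/img/relative.png">
<a href="http://other.example.org/page">outbound link</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in scan(SAMPLE)[0]:
        print(f"line {line}: <{tag}> loads {url} over http")
```

It only inspects HTML attributes, so `http://` URLs inside CSS files or assembled by JavaScript still need a separate check.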


(Dave) #9

Interesting @jakobssystems I tested several of my sites - across the board Mozilla rated them F while Qualys SSL Labs rated them A. And, it didn’t matter whether it was a very expensive certificate from Entrust - or a free one from Let’s Encrypt.


(Tomas Jakobs) #10

While SSLlabs checks the web server’s SSL implementation, cert, ciphers etc., Mozilla takes a broader approach and is aimed at developers and website creators taking advantage of the latest web security features. I named them both for two reasons:

  1. They do not work with fear. They just check your website and show you the results. Others try to offer you security products (like sucuri.net)

  2. Their test suites are transparent and under steady development. Mozilla is a brand I would give more attention than any other SEO or security company.

The mix of both ratings counts. My goal is to get at least an A on both… A+ is superb but sometimes not possible!

Btw. there is no difference where your cert comes from or how expensive it was. If your server is misconfigured, sending old or insecure ciphers to your clients, then an expensive cert is rendered useless. I am using Let’s Encrypt too and am very happy with it.

This is my best website made with RW so far ;.) A+ on both…


(Greg Schneck) #11

Tomas… thanks for the links and info… appreciated.


(Dave) #12

Awesome - can you elaborate on what steps you followed to pass:
• Content Security Policy
• HTTP Strict Transport Security
• X Frame Options

Many thanks!

Dave


(Tomas Jakobs) #13

Hi Dave,

There is no single switch or manual; it depends on the server and your website. Some settings can be done in Apache2 config files, some in .htaccess and the rest in your HTML code.

Mozilla gives you a good start with their explanations and suggestions. There are several tools for setting up correct ciphers etc. like https://mozilla.github.io/server-side-tls/ssl-config-generator/ or to get correct hashes for SRI resources https://www.srihash.org

Here’s a good tool for CSP: http://cspisawesome.com and finally here’s the registration for HSTS https://hstspreload.org

Welcome to the journey to safety Dave!