You are still not using https?


(Jochen Abitz) #1

#Time to change this:

Here is my blog post to switch your RapidWeaver site to https:

I hope it will help you to do this.
Please back up before you start. I am not responsible for any damage or data loss.


(Greg Schneck) #2

Another way to check manually entered links is to output to a local folder and then use your favorite search tool to look for “http://” - You can identify which pages in your project need to be updated. If you have hundreds of coded urls you can use “search/replace” in the local file set to update, then upload the files with FTP. You can then fix your project links as time allows. (Knowing that you can’t publish them until they are fixed, else the corrected ones will be overwritten.)


(Paul Russam) #3

If you have PlusKit then you can use FindPlus that is inserted in the Edit menu when the PlusKit plugin is in a project.
Like @1611mac suggested in his example, you can search for http:// and keep replacing any entries you find with https:// until no more results are returned.
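
Added example, not part of the posts above: a scanner for the exported folder described in posts #2 and #3 that sorts each `http://` reference by how the browser uses it, because a blind search/replace also rewrites XML namespace identifiers and links to sites that may not offer https. The names `scan_export`, `HttpRefFinder`, `MUST_FIX` and the sample page are constructed for illustration.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# (tag, attribute) pairs fetched or posted to by the page; every <link href> is counted.
MUST_FIX = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href"),
            ("source", "src"), ("video", "src"), ("audio", "src"), ("form", "action")}

class HttpRefFinder(HTMLParser):
    """Collects http:// attribute values, grouped by how the browser uses them."""
    def __init__(self):
        super().__init__()
        self.found = {"must_fix": [], "hyperlink": [], "review": []}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue
            if (tag, name) in MUST_FIX:
                kind = "must_fix"    # mixed content, or form data sent in clear text
            elif tag == "a" and name == "href":
                kind = "hyperlink"   # navigation only; the target may not offer https
            else:
                kind = "review"      # e.g. xmlns identifiers, which must stay http://
            self.found[kind].append((self.getpos()[0], tag, name, value))

def scan_export(folder):
    """Return {relative path: findings} for each .html file with http:// references."""
    report = {}
    for path in sorted(Path(folder).rglob("*.html")):
        finder = HttpRefFinder()
        finder.feed(path.read_text(encoding="utf-8", errors="replace"))
        if any(finder.found.values()):
            report[path.relative_to(folder).as_posix()] = finder.found
    return report

# Constructed sample page, standing in for one file of an exported site.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml"><head>
<script src="http://cdn.example.com/lib.js"></script></head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="https://www.example.com/logo.png">
<form action="http://www.example.com/contact.php"></form></body></html>"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.html").write_text(SAMPLE, encoding="utf-8")
        for page, found in scan_export(tmp).items():
            for kind, hits in found.items():
                print(page, kind, hits)
```

Only the `must_fix` entries affect the lock icon; `hyperlink` targets should be checked for https support before rewriting, and `review` entries such as `xmlns` should normally be left unchanged.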


(Rob D) #4

It is great that this kind of informational resource has been added to our community! :beers:


(Tomas Jakobs) #5

I am afraid to be the one who’s ending the show… sorry for this in advance.
Transferring a website to https sounds really easy, but it isn’t just about adding the “s” to your links.

Switching to https doesn’t mean a website is more secure. It opens up several chances for hackers and nasty ppl to break in as well. To give you an example: you open up your browser and start typing jochenabitz.de. The initial request will be made by default over http before being redirected to https, an ideal opportunity for everybody who’s owning a hotspot playing man-in-the-middle.

My point: Switching from http to https is not as easy as it looks like. You have to dig deeper and should read more about additional securing techniques like SRI, HSTS etc. A good start are observatory.mozilla.org or ssllabs.com/ssltest.

It should look like this…

A couple of weeks ago I posted here my wish to RW and addon developers to take care of SRI and all the 3rd party JS libs they are using from all over the net. This makes everything harder if you want to harden your website.
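
Added example, not part of the post above: a small model of a browser's HSTS cache (RFC 6797) showing that the first plain-http request goes out unprotected, that a `Strict-Transport-Security` header is honoured only when it arrives over https, and that later `http://` URLs are then upgraded before any request is sent. `HstsStore`, `visit_sequence` and the host `www.example.com` are constructed for illustration; ports are not modelled.

```python
import re
from urllib.parse import urlsplit

class HstsStore:
    """Small model of a browser's HSTS cache (RFC 6797); ports are not handled."""
    def __init__(self):
        self.entries = {}   # host -> (expiry time in seconds, include_subdomains)

    def note_response(self, url, headers, now):
        """Record a Strict-Transport-Security header seen on a response."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security", "")
        match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
        if parts.scheme != "https" or not match:
            return                      # the header is ignored on plain http
        max_age = int(match.group(1))
        if max_age == 0:
            self.entries.pop(parts.hostname, None)   # max-age=0 deletes the policy
        else:
            subdomains = "includesubdomains" in value.lower()
            self.entries[parts.hostname] = (now + max_age, subdomains)

    def effective_url(self, url, now):
        """Return the URL the browser really requests for a typed or linked URL."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):    # exact host first, then parent domains
            entry = self.entries.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return "https" + url[4:]
        return url

def visit_sequence():
    """Constructed timeline for the placeholder host www.example.com."""
    store, year = HstsStore(), 31536000
    sts = {"Strict-Transport-Security": f"max-age={year}; includeSubDomains"}
    seen = [store.effective_url("http://www.example.com/", 0)]       # first visit
    store.note_response("http://www.example.com/", sts, 0)           # sent over http
    seen.append(store.effective_url("http://www.example.com/", 1))
    store.note_response("https://www.example.com/", sts, 2)          # sent over https
    seen.append(store.effective_url("http://www.example.com/", 3))
    seen.append(store.effective_url("http://shop.www.example.com/cart", 3))
    seen.append(store.effective_url("http://www.example.com/", 2 + year))  # expired
    return seen

if __name__ == "__main__":
    print("\n".join(visit_sequence()))
```

The first two results stay on `http://`, which is the window the redirect alone leaves open; the policy closes it only for return visits within `max-age`.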


(Jochen Abitz) #6

Hi Tomas,
thank you for your post. You are right, that there is always not only black and white. But this does not change the way you have to include it into your RapidWeaver project. If you have no access to 3rd party developer stuff like some old stacks, you will have a problem.
I wanted to show the basic installation of https into a RapidWeaver project. It is better to use it nowadays.
Most RapidWeaver sites do use a contact form and mainly this is what https will secure. And if you as a website visitor will see a lock icon, all should be fine. If you use online payment on your site, the process is already secured by the service you have included.

The point is: There is no 100% security on the web. And if you use a service like Cloudflare, you have to trust them.

As you can see, there are many shades of grey:

https://www.ssllabs.com/ssltest/

But thanks for your post. We all know there is always a step further.


(Tomas Jakobs) #7

Yes, I support you in calling people to move to https and in waking up those who are still serving unencrypted sites via http. When speaking about security there is no “a bit of security” or “basic” or “advanced”. There is secure (at this time) or simply unsecure. It’s like playing soccer. The ball is either in or out the goal (except Germans playing against Britons in Wembley).

Maybe I am a little obsessed about Website Security. But I even do not trust 3rd Party CDNs like Cloudflare anymore with their wildcard certs. Did you know that customers on Cloudflare sharing same cert like XXX sites? The backside of wildcard certs.

Security is about authentication as well. And their latest “Cloudbleed” incident (https://en.wikipedia.org/wiki/Cloudbleed) doesn’t make everything better. If you would use a CMS on a Cloudflare SSL site, you now would have troubles to inform all your customers changing their passwords.

Do not rest on your SSLLabs A. SSLlabs mostly checks handshakes, ciphers and the cert itself while mozilla.org is more universal.


(Jochen Abitz) #8

There is no security for 100%. Never. But I can understand you if you want to make it as secure as possible. Mozilla has some very specific security warnings. This is ok. And if you want to make the connection as secure as possible, you should have an eye on this. You can decide how much further you want to go.

Did you know that apple.com does not have a redirect to https?


(Tomas Jakobs) #9

We should make clear what we’re talking about. I see we both have different understandings what “100% security” really means.

For many years there has been a plethora of mechanisms and techniques for secure websites. There are all these certs, ciphers, pinnings, policies, XSS protections, black- and whitelistings etc. But only a minority of website owners, admins or webmasters uses them. Why? Most of them do not know anything but keep selling websites to their customers. Of course everybody is free to say “there is no 100% security” and of course there is nothing to say against it. It’s a true statement. But it’s obscuring the lack of knowledge. It’s a lame excuse sounding to me like “someday it will rain again”. This is a true statement as well. My point is: Do not look and compare yourself with bad ratings or narrow minded people. Keep looking for perfection!

There is a gold-standard of website security, this is the 100% bar. This is the A+ in moz://a’s observatory test. This is the current state of technology only valid for today. Tomorrow the next leak could appear or the next cipher could be rendered obsolete. Last week some scientists demonstrated a SHA1 collision on two different PDFs. Do you know what this means? All Microsoft Exchange 2008/2010 Outlook Web Access and ActiveSync Front-Ends are now broken. They are all using SHA1 by default.

The bottom line is: Switching to https might be easy but this makes no website more secure. This is not a single step it’s more a process that should be done well, otherwise it’s just eye-candy.


(Jochen Abitz) #10

SSL will not make a website secure. It will only make a very small part of the communication of the browser and web server better. If you want to make your website safe, you have to do more. I agree with you.


(Greg Schneck) #11

Hi… I use 3rd party for our cart system and they handle the security for online purchases but with Google’s migration plan to flag ALL non-secure web pages in Chrome I want to make the move to SSL. So in all honesty, it is Google (Chrome) making me decide to do this… not a real need of “super” security. Though I will be happy to have SSL on entire site.

Reference: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html


(Tomas Jakobs) #12

Here in Europe the EU Directive for privacy and data security is the final wake-up for many website owners using https (original document here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679)

In short all personal data starting with the IP address of your website visitors has to be protected with adequate and current technologies “by design and by default”. If you use Google Analytics without telling this to your customer, then you might risk a cease-and-desist warning by authorities. And the sanctions are high, far too high for smaller companies.

Because of unclear status of Safe Harbor for almost a year between 2015 and 2016 many websites are at risk getting cease-and-desist warnings without knowing anything about this. And who knows in which direction Trump will go on Privacy Shield in the next years?


(Dominick Designs Websites & Tech Training Seminars LLC) #13

Hello @PaulRussam I know this comment was made a long time ago, but is there a way to “find and replace” or do I need to go to each page and manually replace text?


(Paul Russam) #14

Sorry but this is still the way to go, there is a find in RW now (I think) but no replace.