SSL - HTTPS Everywhere

SSL - HTTPS Everywhere

Released: 11 October, 2017

IMPORTANT!     Please digest this information to make an informed decision about the future of your Adobe Business Catalyst website.


HTTPS Everywhere - A Google initiative: 

For the past 3 years Google has been educating the public about security problems with HTTP (HyperText Transfer Protocol), and encouraging site owners to adopt HTTPS.

What is HTTP?

HyperText Transfer Protocol (HTTP) is the protocol over which data is sent between your browser and the website that you are connected to.  

What is HTTPS? 

HTTPS is the secure version of HTTP. The 'S' at the end of HTTPS stands for 'Secure'. It indicates that all data communicated between the browser and the website is encrypted. HTTPS is widely used to protect confidential data interactions such as online banking and online shopping transactions.

Why HTTPS Everywhere?

Google wants to provide users a better experience where browsing the web is always a private interaction between the user and the website. Their goal is to protect privacy and combat widespread cyber-crime such as identity theft, eavesdropping, man-in-the-middle attacks, and data interception/manipulation. Having websites served over HTTPS helps address these threats and paves the way for the next leap in web based application development.

To encourage this shift Google has added HTTPS as a ranking signal, improving the search position of websites served over the HTTPS protocol. As a result HTTPS is being widely and very rapidly adopted. This is essentially driving a sea-change where HTTPS becomes the default protocol of the World Wide Web.

How can I upgrade my site to https secure protocol?

HTTPS uses SSL (Secure Socket Layer) to encrypt information end-to-end between the website and the user.  Serving your website over HTTPS requires purchasing a SSL Certificate from Adobe containing your encryption key.

My Website already uses https urls when exchanging sensitve data, so why do I need to consider this change?

Websites on Adobe's Business Catalyst platform have always had the benefit of serving pages over https where needed using a dedicated secure url assigned to each site i.e. https://(yoursitename) (N.B. This dedicated, secure url will continue to be available and still used for payment processing to leverage the PCI level 1 compliance of the server.)

But, for your entire website to be served over HTTPS, while still being indexed in Google under your domain (and to receive Google's ranking boost), you need to have a dedicated SSL certificate installed on your site/domain. This means all URL's for your entire website change from insecure http://www.yourdomain.etc to secure https://yourdomain.etc.

My Website uses a CDN (Content Delivery Network) such as Cloudflare with SSL already active on my domain. Does this mean my site is already benefitting from https URL's?

No. Unfortunately not. An external SSL certificate via Cloudflare only encrypts data between the site visitor and Cloudflare servers. You will still require SSL for the data served between Business Catalyst and Cloudflare. Encryption must exist end-to-end to be valid.

What's involved and how much will this cost?

Four separate phases are necessary to successfully complete the update.

Phase 1.  Purchase SSL Certificate US$80.00:

The annual cost for the SSL certificate is US$80 (AU$109/NZ$119).

The certificate must be purchased from Adobe (via the Partner Portal of your Business Catalyst Partner/Developer). You will need to provide your credit card details to proceed with the purchase. (note: If you are on a Platinum Plan with 10 x Admin-User License, SSL certificate is included in your plan). 

Phase 2. Install SSL & modify DNS:

1hr = Provided FREE for OnCentre clients. Otherwise $95 +gst 

Note: 1 hour developer input is needed to install the certificate and to make changes to your management configuration and domain name DNS records. This is provided FREE, without charge to clients/sites managed via OnCentre(BC) paying monthly host management fees to Webside Ltd (formerly OnCompany Ltd). 

A one hour charge of $95+gst applies for sites/clients managed via other BC partners without a monthly Service Level Agreement with Webside Ltd.

Phase 3. Update templates and page assets to https:

For a page to be validated as secure all the assets rendering on the page must also be served over HTTPS urls. The means updating any http url's for images; stylesheets; javascripts; videos; fonts; iframes; embeds; external libraries and frameworks and everything else contributing to the page behind the scenes.

This work will be carried out on a time billing basis. For small sites not heavily modified, this may only require an hour or less.  Whereas sites that regularly add new content or contain regularly updated blogs, web apps, and other dynamic content, will likely require between 2 hours to 8 hours of development work to complete.

For larger sites, including ecommerce stores, online member communities and portals, the process of tracking down and updating all the assets may take 5 hours to 15 hours to complete. Or, in some cases, large scale sites with high-level complexity may require 20 hours or more to complete.

These are ballpark numbers. Each site is different and we cannot guarantee how long the work will take. Much depends on how page resources are referenced. For example: Images specified using "relative paths" (being the internal address to the image file such as src="/images/file-name.jpg") will not require image urls to be updated. Whereas images using absolute urls where the address includes the http domain (e.g. src=" http://www.mydomain.etc/images/file-name.jpg") will require all images to be updated before the site can be validated for https. 

Discounted Rate: For OnCentre(BC) clients paying monthly host management fees to Webside Limited, the $95/hr rate will be capped at 10 hours.  Any additional hours needed to complete the task will be discounted to $50/hr. 

Phase 4. Deployment, Reindexing and SEO: 

Once your pages and resources have been updated and all url's validated for https, we will switch the default domain to permanently use HTTPS secure URL's.  Following this your website will require re-indexing in Google. To complete this we will create a new integration with Google Webmaster Tools/Search Console and publish/submit new robots.txt file and new xml sitemap. Again the time to complete this task will vary based on the scale and complexity of the site. Small sites will generally require 1 hour. Larger sites may take 3 to 7 hours +.  

Is this shift to HTTPS essential? What happens if I do nothing?

This is not a mandatory requirement. But is strongly recommended.

Obviously, remaining on the http protocol foregoes the SEO benefit that Google is providing for https sites. This benefit is unlikely to be significant in the short term. But that will change over time. 

But the primary and most compelling reason to act isn't search ranking. The more important factor to consider here is the shift that's occurring in the minds of website visitors and across the web. As public awareness about secure browsing grows, users are opting more and more to choose secure sites. This preference is being reinforced by browser alerts making it very obvious when a page is secure and presenting warnings when a page is not.

Browser Alerts in Chrome

Google Chrome warning alerts have become more prominent over time and will continue to be strengthened in future Chrome releases.

Google has stated that they will soon start displaying red warning labels on "all" http web pages as shown in the fourth image on right.

Mozilla (Firefox) has taken this a step further announcing they will be completely phasing out serving any http pages in the Firefox browser. This means sites that are not secure will not be accessible in Firefox. The date this change will occur is yet to released.

I'm confused about whether I need to do this? I don't run an online business and I don't want unexpected costs. What should I do? 

If you operate a personal blog or a small static website to promote your business, but you don't rely on Google for visitors/traffic and your site isn't generating leads/revenue or growing reputation, then, while I would still recommend proceeding, there's unlikely to be any imminent downside for you if you don't. Although, it's worth noting that upgrading a site such as described would be minimal. e.g. Phase1 US$80; + Phase 2 Free + Phase 3 & 4 $95.  A small investment to retain position/relevance and keep up with your competitors.

There are few other circumstances I can think of where ignoring this shift won't end up being negatively consequential for you in the medium term. Ideally your site should be served over https secure urls within the next three to six months to avoid being left behind.

If any of the following statements apply to you then I strongly urge moving ahead as soon as possible.

  • My site relies on Search Engines to get visitors/traffic.
  • My site has, or is seeking to have, a high search ranking.
  • My site is an online business (or a primary driver of revenue).
  • My site is a membership portal with member-generated content.
  • My site is an e-commerce store.
  • My site takes bookings. 
  • My site has submission forms
  • My site needs to keep up with online trends and user expectations.

So you're saying I have to go ahead with this?

No. You can choose not to do this. That would not be the best choice, but it's still yours to make.


I object to having this forced on me!

We share your frustration. As developers we're forced to confront paradigm's of this magnitude every 12 to 18 months. It's a challenge. Technology moves fast and we have to adapt to keep up with it.  We have mixed views on Google's HTTPS initiative. But the future is coming whether we want this or not. It is not our role to force change on you. Our role is simply to inform you of what's coming, and to help you prepare for it so your business remains competitive.

Can I independently verify these facts?

Absolutely. Please visit the following links

Can you provide a more accurate estimate of hours for upgrading my site? 

Yes. Once you have submitted your details we will undertake an inital assessment and advise a time/cost estimate. If you are happy to proceed then we'll place the order with Adobe for your SSL certificate and move ahead to complete the second phase.

Phase 3 is where the heavy lifting takes place. This phase begins with a thorough audit of your site's structure and resources to map the development workflow. These insights will provide a more accurate gauge of the development input (time/cost) needed to complete the upgrade. If this is greater than the initial assessement then a revised estimate will be provided with details of the work required. You are not obliged to proceed and no further work will take place without your agreement.   

So, what happens if I decide not to continue?

>We will first endeavour to find a way forward. In most cases the upgrade won't be an expensive exercise. But, if your site's requirements are extensive we can discuss and tailor a plan to fit within your means to meet the needs.  If you wish to put it on hold then that's no problem. A one hour charge ($95) will apply for the work already carried out and the upgrade can resume whenever you are ready.  Optionally, for a further 1 hour charge, we can prepare a screencast tutorial video detailing the actions needed so you can undertake the work in-house or have it carried out by a third party.

Ok. How do we get started? 

Click the button below, complete the form, and we'll get things underway.

SSL Update Starts Here

Have more questions?.

No problem. Email and I'll will email you or call to discuss. 

Copyright © 2017 - On.Works - All rights reserved