HTTPS becoming the standard for all websites – Are you ready?

Posted on August 12, 2015

HTTPS is the new HTTP

For years, we have expected our browser to indicate when we have moved to a secured HTTPS page, so we could feel confident about credit card payments and other sensitive forms and displays. Now industry and government are quickly moving to secure all websites, pages, and applications with HTTPS. Google also gives your website a ranking boost if it sees HTTPS pages.

The new Federal government HTTPS-only standard is set to force all Federal government sites to full HTTPS by December 31, 2016. It was released on June 8th, 2015 with the following text:
Today, the White House Office of Management and Budget (OMB) issued the HTTPS-Only Standard directive, requiring that all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection.

Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. This data can include browser identity, website content, search terms, and other user-submitted information.  To address these concerns, many commercial organizations have already adopted HTTPS-only policies to protect visitors to their websites and services. Today’s action will deliver that same protection to users of Federal websites and services.

Per the issuance of this Memorandum, all publicly accessible Federal websites must meet the HTTPS-Only Standard by December 31st of 2016.

Industry and other organizations are also securing their websites and applications. Google and other Internet industry giants have already moved some of their applications, like Gmail, to HTTPS-only offerings.

Securing servers and issues when your web pages access other HTTP content

Securing your website can be a more complicated task than you might expect. We went ahead and secured our domain (inet-sciences.com) and our website (www.inet-sciences.com) with certificates through our website provider, wpEngine.

Unfortunately, our website has some references (not links) to content that comes from HTTP sources, so our site will appear insecure until all such references (like JPG images or some fonts from the Google API) are changed to HTTPS. This issue is called mixed content: your site references images, fonts, scripts, iframes, etc. that are not secure. This will be the most difficult challenge in securing many sites.

To discover these unsecured references to HTTP sites within our webpage, we found a tool called WhyNoPadlock.com.

Here are the results from our initial check of our website with WhyNoPadlock. Website content builder applications may create some big obstacles to making your sites fully secure.

Domain Name: www.inet-sciences.com
URL Tested: https://www.inet-sciences.com
Number of items downloaded on page: 116
Valid Certificate found.
Certificate valid through: Jul 29 20:03:18 2016 GMT
Certificate Issuer: GeoTrust Inc.
SSL Protocols Supported: TLSv1 TLSv1.1 TLSv1.2
Total number of items: 116
Number of insecure items: 6

Insecure URL: https://www.inet-sciences.com/wp-content/uploads/2012/09/favicon.ico
Found in: https://www.inet-sciences.com/

Insecure URL: https://www.inet-sciences.com/wp-content/uploads/2012/09/white_carbon1.png
Found in: https://www.inet-sciences.com/

Insecure URL: https://www.inet-sciences.com/wp-content/uploads/2012/09/white_carbon1.png
Found in: https://www.inet-sciences.com/

Insecure URL: https://www.inet-sciences.com/wp-content/uploads/2012/09/isslogo2012x150.jpg
Found in: https://www.inet-sciences.com/

Insecure URL: https://www.inet-sciences.com/wp-content/uploads/2012/09/isslogo2012x150.jpg
Found in: https://www.inet-sciences.com/

Insecure URL: http://fonts.googleapis.com/css?family=Open+Sans:400,300,700,600,800
Found in: https://www.inet-sciences.com/wp-content/themes/elogix/style.css

Secure calls made to other websites:

www.youtube.com is valid and secure.

fonts.gstatic.com is valid and secure.

s.ytimg.com is valid and secure.
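
A minimal offline version of this kind of mixed-content check, as an added example (it is not WhyNoPadlock's code and not from the original post): it flags http:// subresources in HTML and in CSS url()/@import rules, and ignores ordinary <a href> links. The function names are hypothetical, and the sample page with its example.com hosts is constructed.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that loads a subresource (not exhaustive); <a href> only navigates.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src", "object": "data"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that fetch content
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)|@import\s+['"](http://[^'"]+)""", re.I)

def css_insecure_urls(css):
    """Return http:// URLs pulled in by url(...) or @import in CSS text."""
    return [a or b for a, b in CSS_URL.findall(css)]

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        rels = set((attrs.get("rel") or "").lower().split())
        attr = "href" if tag == "link" and rels & LINK_RELS else SUBRESOURCE_ATTRS.get(tag, "")
        url = attrs.get(attr) or ""
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))
        inline_css = attrs.get("style") or ""  # style="" can load http:// images too
        self.findings += [(tag + "[style]", u) for u in css_insecure_urls(inline_css)]

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # text inside <style>...</style>
            self.findings += [("style", u) for u in css_insecure_urls(data)]

def find_mixed_content(html):
    """Return (where, url) pairs for each http:// subresource reference in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the example.com hosts are placeholders.
SAMPLE = """<link rel="shortcut icon" href="http://www.example.com/favicon.ico">
<style>@import url(http://fonts.example.com/css?family=Open+Sans);</style>
<body style="background: url('http://www.example.com/bg.png')">
<a href="http://www.example.com/about">About</a> <img src="http://www.example.com/logo.jpg">"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

External stylesheets have to be fetched and passed to css_insecure_urls separately, since a reference such as a font @import can sit in a theme's CSS file instead of the page itself.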

We are still working through the details to make our site secure and will report back on how we solved our partially secured website problems, since we will all be facing similar problems soon.

But you can still access Internet Software Sciences at: