In 2015, the Federal Government created the The HTTPS-Only Standard,
“A Policy to Require Secure Connections across Federal Websites and Web Services”, and provides technical guidance and best practices to assist in its implementation. Browsers today may force users to access only secure sites or inform users when they access websites or applications that are not secured without continue authorizations. A bigger problem exists when within an web page or applications, one attached image or resource comes from a regular non secured http site. This issue is called Mixed Context and this issue can be the largest issue to deal with while trying to migrate your site and applications fully HTTPS secured.
This securing of websites goes well beyond Web+Center and the information below applies to your other sites, pages and applications as well. There are useful strategies and migration options to get your sites HTTPS compliant such as using relative links in your applications rather than http:// links.
We recommend you review the HTTPS-Only Standard website for complete details including some of the details show below.
HTTPS is the internet’s next phase
The internet’s standards bodies, web browsers, major tech companies, and the internet community of practice have all come to understand that HTTPS should be the baseline for all web traffic.
- The W3C’s Technical Architecture Group has found that the web should actively prefer secure connections and transition entirely to HTTPS.
- The IETF has said that pervasive monitoring is an attack, and the Internet Architecture Board (the IETF’s parent organization) recommends that new protocols use encryption by default.
- The Chrome and Firefox security teams are working on gradually marking plain HTTP as non-secure.
Configuring Web+Center to be HTTPS secure.
Basically to run Web+Center as a secured application there are (3) steps:
(1) Secure your Windows IIS web server with the necessary certificate processes. Traditionally you would have to pay for individual server certificates at around $60/year per URL or $200+ per year for certificates that handle full domain and subdomains certificates but now there are free certificate options available.
Simply do a search for “Free website certificates” and you will find vendors like Let’s Encrypt and SSLForFree and others that now offer free certificate options.
Getting the certificates and the securing your IIS webserver is a fairly complex task. Here is one set of instructions listed on the GoDaddy.com site on how to install a certificate on IIS 8.0.
(2) Once you secure your Windows web server, simply launch Web+Center with the https URL like:
https://YourHostName.com/tech90/
instead of
http://YourHostName.com/tech90/
(3) Change the http variable to \language\codecustomizations.inc file to define https instead of http. Simply edit the text file with the simple change when you find these lines. Commenting out the first http definition with a single quote character and un commenting the second http variable will set this variable value to “https”. This variable is only rarely used in the code when we need to create links in email notifications. This will be replaced by a web configurable option in future versions. Without this change, the links back to the Web+Center will simply be an http link rather than a https link so it will still work fine in most situations.
Dim httpPart ‘ Global to define http:// or https:// 9/27/2017
HTTPS_YES = Request.ServerVariables(“HTTPS”) ‘ Determine if this page is called from a http or https Request and set http variable
‘ Note: The variable http appears to be a reserved keyword in ASP so the variable httpPart was used instead
‘ debug
‘response.write “HTTPS_YES = ” & HTTPS_YES
‘response.flush
‘response.end
if HTTPS_YES = “off” Then
httpPart = “http://”
Else
httpPart = “https://”
End If
NOTE: There is no requirement to re-install Web+Center ot any newer version to run it under a secured web-server environment.
Things to avoid to make your Web+Center pages fully https secured
If you reference other resources within your case histories and attached files that link to http resources rather than https resources your browser may complain that NOT all of the resources on a webpage are secured! So when accessing or referencing external URLs, try to access that content on https sites.
Internet Software Sciences recently secured their application server used for on-line sandbox testing of Web+Center, and our internal/external facing suite of applications for customer support and account management. One additional feature that will work better with a secured server is our new Geo-location features in V9 that allow techs to record to GPS position with their phones/Tech+Mobile app. Google chrome browsers will block users from performing geo-location functions unless it is communicating with a secured server. Other browser based functions will be blocked in the future
Google is basically defining the future of the Internet and forcing applications to move to HTTPS. We invite you to read this article about Google Chromium security team and their reasons for this requirement.
Conclusions: If you secured your server and find issues with Web+Center running in a secured mode creating insecure references, please let us know.
