Chrome 'Not secure' marker for 2017. Have you moved to HTTPS or will you be doing so anytime soon?

CTXMedia · Dec 29, 2016

Pierce said:
I seen it when I posted it to you. I don't know if its any more valid than a normal CF cert.

That's what got me looking into it further; with the Comodo PositiveSSL certificate on the server the site appears secure and has the correct common name - the web address of the site - however, because I use Cloudflare in between the visitor and server, I have to enable SSL in the settings and CF defaults to using a generic free SSL certificate that has a common name such as ssl376375.cloudflaressl.com. The extra $5 per month gets you a CF certificate with your site's web address as the CN.

Technically, it's secure without spending the extra, but it gives assurance to visitors if the site's name is on the certificate rather than Cloudflare's.

Amin Sabet · Dec 29, 2016

I too made the move to https. @MattW made it painless. I used RapidSSL certs, which are affordable and have given me no problems. The performance boosts from http/2 were noticeable.

The only snag I hit was that my sites are very image heavy, and the image proxy wasn't working out that great from a performance standpoint. It wasn't until I went with @AndyB 's Convert All addon that I got it all working well without the mixed content warnings.

For those whose sites are using Cloudflare and full/strict SSL, did you turn on HSTS?

rdn · Dec 29, 2016

CyclingTribe said:
anyone know what I should apply in Cloudflare's Crypto settings to show the site domain in the certificate details [currently shows cloudflare's domain]?

FULL is enough.

Amin Sabet · Dec 29, 2016

@RoldanLT did you turn on HSTS?

rdn · Dec 29, 2016

Amin Sabet said:
@RoldanLT did you turn on HSTS?

Yes I do.
No reason on turning back to HTTP

Anthony Parsons · Dec 30, 2016

If you use cloudflare, there is no need to buy a certificate, use cloud flare generator for a 15year TLS cert for free. Or pay the additional for a custom one via cloudflare using your domain.

CTXMedia · Dec 30, 2016

Anthony Parsons said:
If you use cloudflare, there is no need to buy a certificate, use cloud flare generator for a 15year TLS cert for free. Or pay the additional for a custom one via cloudflare using your domain.

Yeah, thanks, I realised that after I'd bought the Comodo PositiveSSL ones; at least they weren't too expensive and I suppose I'm covered if I ever want to split from Cloudflare.

Deriel · Jan 5, 2017

There's no need to buy a certificate anymore: Let's Encrypt (their sponsors)

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the [URL='https://letsencrypt.org/isrg/']Internet Security Research Group (ISRG)

Click to expand...

.

We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

The key principles behind Let’s Encrypt are:

Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.

Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.

Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.

Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

[/URL]

We're using about a dozen certificates from them

CTXMedia · Jan 15, 2017

https://www.cyclechat.net/

Still got some work to do and I suspect there will be some mileage signature tickers that I can't update that will break pages, but otherwise it seems to have gone pretty smoothly. Google had recrawled the homepage in less than 10 mins and adjusted the search listing to https (along with quite a lot of other pages), so we'll see how traffic and Adsense revenue are affected over the coming months.

Paul B · Jan 15, 2017

I put together a high level guide for switching to HTTPS, which may be of some benefit to those reading this thread: https://xenforo.com/community/resources/how-to-implement-ssl-to-secure-http-traffic-https.5425/

Wildcat Media · Jan 20, 2017

Deriel said:
There's no need to buy a certificate anymore: Let's Encrypt (their sponsors)

We're using about a dozen certificates from them

I am going that route myself--that is one of my early 2017 goals, to get them all up and running, and renewing as they should. I'm normally wary of free anything but with those major players behind it, it's plenty good enough for me.

Anthony Parsons · Jan 20, 2017

Free is pretty much the standard now. cPanel went that route long ago... Plesk uses lets encrypt for theirs, and you can install it for command line.

CarpCharacin · Jan 20, 2017

I use Let's Encrypt.

Chrome 'Not secure' marker for 2017. Have you moved to HTTPS or will you be doing so anytime soon?

CTXMedia

Well-known member

Amin Sabet

Well-known member

rdn

Well-known member

Amin Sabet

Well-known member

rdn

Well-known member

Anthony Parsons

Well-known member

CTXMedia

Well-known member

Deriel

Well-known member

CTXMedia

Well-known member

Paul B

XenForo moderator

Wildcat Media

Well-known member

Anthony Parsons

Well-known member

CarpCharacin

Well-known member

We value your privacy