@Shinrya said:
I just checked again and yes they are now showing through HTTPS. Confirmed in Safari, Firefox and Chrome. Both Firefox and Chrome do give me a 'connection is not secure' warning though if I click on the padlock in the address bar.
Thanks for the example. It looks like AdSense is all set but the Comments Content Block pulled in someone's Facebook profile image over http instead of https, which results in the "Connection is not secure" warning. We'll add this to the list of things to fix.
@Terran said:
My site is still http. Is there something I need to do at my end to activate this? I am losing sales because of this.
As @Ferguson mentioned, we've started by generating SSL certificates for you and your site is now available at https://www.yourdomain.com. We haven't started redirecting traffic from http to https, but you're more than welcome to share the https URL with your visitors. We're making sure everything is all set before starting the redirect (which we hope to start doing "soon").
The shopping cart has been secured for many years now, so your customers should not see any warnings that would drive them away when trying to buy prints and gifts.
@Terran said:
Hi and thanks for getting back to me. I typed in https://terranambrosone.com and it didn't work, but I added the www. and it did.
Yes, mine is the same way. There's a long discussion around here about various ways to fix it; I've been too lazy to pursue, but it's a different solution for http vs https apparently.
Since there are LOTS of web sites where you need the www, I decided not to worry much about it yet, and let them get the redirect in, and the dust settle, then try to fix mine. If you are curious about some details read through this:
Thanks so much, @Ferguson ! I'll read through the links when I get a chance. Just happy I can update my various social media/blogs with the new https. Hoping visitors will stay to browse and maybe buy now.
Thanks for the update, and I hope the redirects go smoothly. Was getting worried, but thankful adding the www allowed me to access the secure url.
As of today we've begun enabling full SSL (https) redirects from http to https across entire sites. Any non-https URL will get redirected to https. The roll-out should complete by Friday - let us know if you're not seeing automatic redirection after then.
Automating HTTPS support and making it easy is cool. Linking the certificate to twenty-something other unrelated domains (SAN entries) is not so cool. The certificate presented for one customer's site shouldn't identify any other customers.
Acquiring an HTTPS certificate on behalf of domains owned by your customers without their (my) specific opt-in is also iffy. When I signed-up several years ago and configured a DNS record pointing to smugmug - I doubt I consented to you obtaining SSL certificates on my behalf for my domain. Obtaining certificates on my behalf for my domain should require explicit consent. Yes; I would grant it. Yes it should be explicit and no the cert shouldn't name other customers.
@jdoering said:
Automating HTTPS support and making it easy is cool. Linking the certificate to twenty-something other unrelated domains (SAN entries) is not so cool. The certificate presented for one customer's site shouldn't identify any other customers.
Very small price to pay IMO for free SSL on a custom domain.
Acquiring an HTTPS certificate on behalf of domains owned by your customers without their (my) specific opt-in is also iffy. When I signed-up several years ago and configured a DNS record pointing to smugmug - I doubt I consented to you obtaining SSL certificates on my behalf for my domain. Obtaining certificates on my behalf for my domain should require explicit consent. Yes; I would grant it. Yes it should be explicit and no the cert shouldn't name other customers.
By using their service, you're agreeing to their terms & conditions. I'm assuming there are pricing and/or technology issues why a certificate is shared with other customers. CloudFlare do the same unless you pay $5/month.
@Garga said:
By using their service, you're agreeing to their terms & conditions. I'm assuming there are pricing and/or technology issues why a certificate is shared with other customers. CloudFlare do the same unless you pay $5/month.
Two somewhat contradictory remarks:
Since this has come up, I have yet to hear anyone complain that a customer/client/observer has noticed, and cared. Everyone who has complained has been noticing for their own site. Has anyone ever gotten an un-prompted complaint from outside?
I do think Smugmug is a for-fee service. I think they should have offered an opportunity for people to get individual SSL certs, and if that costs more, tell them how much.
And again, I realize if the first case is really true, and no one cares, the second is a service perhaps without any point (though many things without a point sell, remember the Pet Rock).
@Garga said:
https is now so important for every website, plain and simple.
So I don't blame SmugMug at all for making a call and doing this for everyone without an opt-out or another option that'll just confuse the issue.
My suggestion above was not meant to imply people be allowed to opt out of https, but rather that maybe (or maybe not -- I really don't know) it would have been a better business decision to give people the option of paying more for a personalized cert vs the en masse cert that was used.
Right. That's why I said "or another option that'll just confuse the issue"
I reckon there's a small minority of customers who know what this all means, then a smaller minority that would actually pay for a dedicated certificate. I could imagine the influx of support requests of "what does this mean!? Do I need it!?" Probably just confuses the issue for most.
Yes. It's easy from the outside to under-estimate the support load of doing something slightly complex. I'm always amazed, given that "photographers" are actually now holding less a camera, and more a handheld computer attached to a lens, that so many of them feel learning about computers should not be part of the job.
Comments
Thanks for the example. It looks like AdSense is all set but the Comments Content Block pulled in someone's Facebook profile image over http instead of https, which results in the "Connection is not secure" warning. We'll add this to the list of things to fix.
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
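The padlock warning discussed above is a mixed-content case: an https page loading a subresource over http. The following Python scanner is an added example, not part of the thread or SmugMug's code; it classifies such loads in a page's HTML, and the sample markup and hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that load subresources. <a href> is navigation, not a subresource,
# so plain http:// links never cause a mixed-content warning.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            if (tag, name) in PASSIVE:
                kind = "passive"  # image/media: the padlock case from the thread
            elif (tag, name) in ACTIVE or (is_css and name == "href"):
                kind = "active"  # script/frame/style: browsers block these
            else:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, (value or "").strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return (kind, tag, url) for every http:// subresource on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a comments block on an HTTPS gallery page.
SAMPLE = """
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.net/ads.js"></script>
<div class="comment">
  <img src="http://graph.example.org/1234/picture" alt="avatar">
  <a href="http://www.example.com/">commenter's site</a>
</div>
"""
```

Calling `scan("https://www.example.com/gallery", SAMPLE)` reports only the avatar image: the relative stylesheet and the protocol-relative script inherit https from the page, and the plain link is navigation.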
Thanks Aaron. I picked up on that also.
Shinrya, it's the Facebook links that are causing it now, which I think were mentioned elsewhere as a known issue to fix.
My site is still http. Is there something I need to do at my end to activate this? I am losing sales because of this.
Are you sure your site isn't both, and you are just not trying it with https?
They have both running in parallel; https should work, just add the "s" and see.
Hi and thanks for getting back to me. I typed in https://terranambrosone.com and it didn't work, but I added the www. and it did.
Yes, mine is the same way. There's a long discussion around here about various ways to fix it; I've been too lazy to pursue, but it's a different solution for http vs https apparently.
Since there are LOTS of web sites where you need the www, I decided not to worry much about it yet, and let them get the redirect in, and the dust settle, then try to fix mine. If you are curious about some details read through this:
https://dgrin.com/discussion/263153/potential-bugs-with-new-ssl-certs-https/p1
Or... just wait a bit and see what happens.
As of today we've begun enabling full SSL (https) redirects from http to https across entire sites. Any non-https URL will get redirected to https. The roll-out should complete by Friday - let us know if you're not seeing automatic redirection after then.
You can see my site, for example, http://www.aaronmphotography.com will automatically redirect to https://www.aaronmphotography.com