SSL's for custom domains

FergusonFerguson Registered Users Posts: 1,339 Major grins
edited December 1, 2016 in SmugMug Feature Requests
This has been mentioned but I wanted to raise the issue again.

Nikonians -- a relatively large forum for Nikon users -- recently switched to HTTPS. Previously, photos could be embedded there by just putting a link to the photo, e.g.

http://mycustomdomainonsmugmug.com/long/string/to/photo.jpg

The photo appeared magically in place of the link, as they turned it into an IMG tag.

Now -- they will not do so unless the domain supports HTTPS instead. The HTTP link appears, simply as an HTTP link. In other words, forum posts that used to have lots of photos now have none. That makes sense, since otherwise you would get mixed content warnings from the browser.

Now one can post smugmug photos without the custom domain of course (using the smugmug version), and it works well. But using the custom domain on 3rd party sites is one way of building SEO, and so your customer domain users might be reluctant to give that up.

I would expect other photo oriented forums will take similar measures in the future, exacerbating the need.

I understand the issues of managing 3rd party domains and associated SSL certificates. Some are technical, but most are probably customer oriented (after all, the average photographer can't spell SSL, and doing DNS verification of ownership as an example, is going to result in a lot of support issues).

But HTTPS is becoming almost a necessity, and I suspect your custom domain owners are going to get more and more concerned on the subject, and "it's hard" will get old soon.

But if hosting billions of photos was easy, everyone would do it, right? So what's one more tough problem?
«13

Comments

  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited May 25, 2016
    As a postscript seeping with irony, within hours of posting the above, Nikonians announced they put in a proxy service to proxy the http into https for images from non-secure sites.

    But... still... anyway... it is something I think Smugmug should be doing. Customer SEO will eventually suffer, I think, from non-secure sites, won't it?
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited May 26, 2016
    Excellent question Ferguson. I think there's really 2 requests here:
    1) SSL for Custom Domains so you can embed images (often using oEmbed, which is what I assume they were using)
    2) SEO for Custom Domains

    On the #1 front, SSL for custom domains has been a tough task, since getting certs for every single custom domain is, as you mention, hard, and can be expensive. We've moved all of smugmug.com (and any customer site at *.smugmug.com) to SSL and have started to pave the way for custom domains as well. The drive for this comes from a security / right thing to do perspective. SEO doesn't play into this. Just this week we updated our oEmbed to use SSL; as you mentioned, any URL's with the photos.smugmug.com should embed into Nikonians, WordPress, and other sites that support oEmbed just fine.

    SEO for Custom Domains is an interesting topic and something we want to do a better job of educating our customers on. If SEO is your main focus, then you (I'm using it generically here, not Ferguson specific) should consider dropping your custom domain and instead using your nickname.smugmug.com. Moz.com has a lot of great articles that can go much deeper into this topic than I can but to break it down:
    - Your domain authority is one of the largest factors in your SEO ranking. SmugMug has a high domain authority. Most custom domains do not (see below). Using nickname.smugmug.com will ensure your photos have a high domain authority.
    - Behaviorally, people ignore URL's and pay more attention to the branding on your site (logos, titles, etc). The way you brand yourself with your design and layout has more impact than the domain. We're going to do our best to help you out here, and you'll see efforts on this in the future from us.
    - Look at how huge brands utilize Facebook, Twitter, Instagram, SnapChat, etc; the domain isn't the important part, but the reach and impact is what drives traffic.
    - Your pages Title is what shows up on search engines and we've optimized the metadata on your SmugMug site so that we your site looks as good as possible in a list of search results. The URL displayed on Google/Bing these days is getting smaller and smaller in favor or title and description and category.
    - Custom domains do have their own level of branding, professionalism, and reputation that comes with them, but they sacrifice huge gains in visibility and corresponding revenue. It's a balance you'll have to play.

    Lets look at a few sites and dig into their SEO for a minute:
    1) Trey Ratcliff, one of the most popular photographers on the planet. He uses his smugmug nickname with his branding all over his SM site: https://stuckincustoms.smugmug.com/
    2) Chris Burkard, another of the most popular photographers on the planet. Much larger Facebook/Instagram following than trey. He uses his custom domain http://www.chrisburkard.com/
    3) My Portfolio Site, a relatively unknown photographer. I use a custom domain http://www.aaronmphotography.com
    4) My Personal site, where I put absolutely NO effort into SEO or sharing links. I use the smugmug nickname http://leftquark.smugmug.com

    Trey Ratcliff, https://stuckincustoms.smugmug.com/:
    - Domain Authority: 84
    - Page Authority: 67
    Total: 151 (out of 200)

    Chris Burkard, http://www.chrisburkard.com/
    - Domain Authority: 55
    - Page Authority: 63
    Total: 118 (out of 200)

    My Portfolio Site, http://www.aaronmphotography.com
    - Domain Authority: 24
    - Page Authority: 35
    Total: 59 (out of 200)

    My Personal Site, https://leftquark.smugmug.com
    - Domain Authority: 84
    - Page Authority: 67
    Total: 151 (out of 200)

    Couple takeaways from this:
    - Despite Chris Burkard having a much larger following and branding / promoting his domain all over the internet, his SEO rank is still smaller than Trey's, simply because he uses a custom domain.
    - My Personal Site, which I spend no time sharing links or working on SEO, has 3 times my portfolio site
    - My Personal Site has the same SEO rank as one of the most well known photographers on the planet.

    Custom Domains have their benefit, and I've made the choice of sacrificing findability for having my own URL. I just wanted to use this time to discuss some of the benefits and negatives of making that choice. Ultimately it's up to you -- we'll do our best to provide the tools and technologies to support either option, and we'll do a better job of educating you all in the future.
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited May 27, 2016
    leftquark wrote: »
    Excellent question Ferguson. I think there's really 2 requests here:
    1) SSL for Custom Domains so you can embed images (often using oEmbed, which is what I assume they were using)

    Actually, I have checked only a few sites, but every one I have checked just replaces the http with an img tag.

    Nikonians is different now, as they have built an actual proxy/cache server, so at present my customer domain image link on smugmug is turned into a reference to their own image server, but that is an unusual case to work around the https aspect.

    What I have been doing for years on a relatively large number of forums (not all photography, but when posting photos there) is just doing a link like this:
    http://www.captivephotons.com/photos/i-hVRGpT5/0/XL/i-hVRGpT5-XL.jpg
    
    And with one exception I can think of, they turn it into this:
    <img src="http://www.captivephotons.com/photos/i-hVRGpT5/0/XL/i-hVRGpT5-XL.jpg" class="bbCodeImage LbImage" alt="[&#8203;IMG]" data-url="http://www.captivephotons.com/photos/i-hVRGpT5/0/XL/i-hVRGpT5-XL.jpg" style="">
    

    The above sample is taken from an actual page on Nikoncafe.com. The exception is dpreview.com, who also seems to load and cache their images.

    My presumption (emphasis) was that this improved SEO.

    Now to be fair I have not checked all locations I use, and I do absolutely nothing on social media, so I have no clue what the facebooks of the world use as links, I'm talking about regular old-school forum posts.

    Sites that link to the galleries (both colleges I shoot for do this) will link to the gallery itself, as a link, so those work fine as they are just another URL - http is fine. And those colleges generally will not embed photos, they will take a digital copy and put it on their own site as these feed press releases, etc. So those are moot. But linking to the galleries seemed to help, as when they started doing that, I came up higher in the search results.

    But I have no idea if this really helps, and your writeup above is interesting.

    I did an experiment. I tried my PA/DA score for my own site (a pathetic 33/22), then looked at my same site using the nickname format, and it is exactly the 84/67 below, and I almost never use that address.

    Then I tried a student photographer I knew who uses smugmug with the nickname format - 84/67 also.

    It really seems like the nickname landing page just doesn't care?

    I did "test.smugmug.com" and got a 404 page and it also has a 84/67.

    In fact, every page I try, individual galleries deep in my site all show 84/67 with the nickname, though with the custom domain it shows basically 0 or 1 for the PA.

    So there is certainly something to be said for these scores in the nickname format, but I certainly do not understand it. Or why every photographer (that I tried) and every page seems to get the same DA/PA with the nickname format.


    leftquark wrote: »
    On the #1 front, SSL for custom domains has been a tough task, since getting certs for every single custom domain is, as you mention, hard, and can be expensive. We've moved all of smugmug.com (and any customer site at *.smugmug.com) to SSL and have started to pave the way for custom domains as well.

    I just assumed that your customers would have to be part of getting the certs. I certainly how Smugmug has no way to get a cert for my domain. If you do, then by definition ssl certs are worthless, aren't they?
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited May 27, 2016
    I did a bit more checking, and I am not completely clear how all these things relate. I did a search for "fort myers miracle photography" (the "miracle" is the local minor league baseball Twins affiliate I shoot for a bit).

    Now the good news is I was ranked first (but the per link data showed DA=22, PA=1).

    The interesting news is the second one was someone on pbase who had some photos, and they showed PA=41, DA=82 or 123, MUCH higher, but sorted lower.

    One was fascinating -- Tim Murphy Photography was 6 on the list, and showed 6,716,950 links. I can't imagine how that is even possible. Mine shows zero (odd, while they do not as an organization link to me, I'm sure there are links out there).

    I guess one day I'm going to have to study SEO. Though something tells me it is not good for my sanity.
  • AirThomAirThom Registered Users Posts: 153 Major grins
    edited May 31, 2016
    LetsEncrypt.org is trying to change the SSL cert game. :) Free, automated, and open. I recently have converted all my wordpress sites to use SSL using LetsEncrypt... cleaning up posts that provide "insecure" content is the part of the project I'm on now. So came upon this thread searching for SSL Custom Domains.
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited June 1, 2016
    Ferguson wrote: »
    I guess one day I'm going to have to study SEO. Though something tells me it is not good for my sanity.

    I concur. The way search engines work is intentionally left a mystery to us -- I think partially to drive us insane :(
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited June 1, 2016
    AirThom wrote: »
    LetsEncrypt.org is trying to change the SSL cert game. :) Free, automated, and open.

    Hmm... I had not realized that they permitted this based on provisioning of a specific HTTP response from the main domain (e.g. http://example.com). That's a new twist, I should have been paying attention.

    This presents an interesting possibility that if one gave over the base domain to smugmug, they could provision it to be acceptable to lets-encrypt, something I would not have expected. I have mine forwarded instead, not sure if that provides the hook needed (basically www.captivephotons.com is controlled by smugmug, not captivephotons.com itself, as if I had an "A" record pointing there).

    I really wish that Smugmug could do this for everyone.

    But, from a security standpoint, I really hope it remains impossible without the end user who REALLY owns the domain, taking explicit action.

    I wonder if a few years (or months) from now, there's going to be some horrible exploit based on Let's Encrypt requiring a web level "proof" only, as opposed to the more conventional DNS level response.
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited June 1, 2016
    leftquark wrote: »
    I concur. The way search engines work is intentionally left a mystery to us -- I think partially to drive us insane :(

    Well, milliseconds after big companies (including Smugmug) figure out exactly how it works, they start adjusting to game the system, so it's not really hard to figure out why it is secret. headscratch.gif
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited June 1, 2016
    Ferguson wrote: »
    But, from a security standpoint, I really hope it remains impossible without the end user who REALLY owns the domain, taking explicit action.

    If you were us, and you wanted everything on SmugMug to be SSL everywhere, would you leave it up to customers to take action, or would you try to do it for everyone, so that everyone is on SSL and the entire service could be more secure?
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited June 1, 2016
    leftquark wrote: »
    If you were us, and you wanted everything on SmugMug to be SSL everywhere, would you leave it up to customers to take action, or would you try to do it for everyone, so that everyone is on SSL and the entire service could be more secure?

    I think you misunderstand.

    If I were you, and it was possible to do it automatically, I would like to do it automatically. Heck, if I was me, and you were you (and that's pretty likely), I would like you to do it automatically, but with caveat to follow for both.

    However, as a general internet user who relies on SSL certificates, I would prefer it not to be possible to do so without the actual domain owner's explicit permission. I believe that anything that gets away from that (and emphasis on "explicit") is dangerous.

    I have no problem holding both of those mutually contradictory desires at one time. eek7.gif

    A couple of caveats that might clarify:

    First, I think if Smugmug can do it (while still hoping you cannot), I still think you need to ask permission of the customer. Or at least well-in-advance notice, so their staying around might be permission. You would be acting on their behalf as owner.

    Second, if Smugmug is reselling domains for the sole purpose of using Smugmug (I have never looked into your GoDaddy relationship), that "sole purpose" takes the sting out of exerting ownership of the domain entirely.

    ---

    Fundamentally I am not objecting to Smugmug wanting to do this at all. I'm 100% behind that.

    What I'm expressing a concern over is if any certificate authority has so weakened the rules such that a 3rd party can get a SSL cert for a domain owner without their knowledge or (explicit) consent. A redirection or "A" record really should not be adequate, if indeed it is adequate now.

    In particular, SOOOOOO many people have web sites hosted by 3rd parties and have no clue how anything on the internet works. And by that I include a huge percentage of companies, including some quite large. Including eCommerce sites. I would hate to think that just being in control over a web site for the domain becomes the de facto proof of ownership of the domain. I just expect if that is true, bad things will happen one day.

    And please do not think this means I think DNS is a completely secure protocol or application; but adding a different additional insecure environment (web) certainly does not improve security.
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited June 22, 2016
    I've spent a few days experimenting with Let's Encrypt and how it was done for hosting, and ran through a few scenarios and a few automated clients.

    They really have made it easy to implement by a hosting provider. In that sense, I see nothing hard for Smugmug to deal with, frankly. The biggest downside might be people who have already put mixed content on pages themselves, which when switched to https, may show up (though i was a bit distressed to find out that Chrome and I think some others STOPPED WARNING about this; it doesn't show the lock symbol, but it stopped giving a more explicit warning).

    But... I stand by my concern, though I now understand it better. They (whoever they are) made a decision, perhaps long ago, that controlling a domain-referenced web server is the equal of controlling the domain, which allows hosting companies to validate the certificate without user involvement and without control over the domain registrar and/or DNS nameservers for the domain.

    In fact, one could get a cert issued for a domain they own without even knowing it was issued. Think about that -- you might host your web site temporarily at provider X (say a development group for a new site), not know a cert was issued, move to site Y (say going into production) with a new cert. Provider X can still put up a web site with your name and a green lock symbol. At least for the period remaining on the cert. Add in some dodgy browser add-ons or other compromise to send people to the inappropriate site without proper DNS links (or any MITM attack variation)....

    Unlikely, and requires at some point they had legitimate access to the domain, I get it. I really do. It just goes against the grain of what seems good segregation of duties -- DNS controls cert validation (for domain level trust) and web servers use them. And that's straightforward; BGB attacks might let a brief takeover of DNS addresses do exactly the same; 10 seconds of outage due to a BGB shift of address space and they have a few certs from you and you have no clue.

    OK, I'm paranoid, I get it. And they went ahead without asking me (or I lost the memo asking permission)... headscratch.gif

    But now that I know how easy it is to do, is it done yet? :D
  • GargaGarga Registered Users Posts: 67 Big grins
    edited June 23, 2016
    Gave Cloudflare's flexible ssl a go, even though its only secure from Cloudflare to the visitor, visitors should still get the green lock...

    Didn't work :( Only showed some text in the header and footer, nothing else.

    Their blog post on this is pretty old. Maybe it only worked with legacy SmugMug.
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited June 24, 2016
    Garga wrote: »
    Gave Cloudflare's flexible ssl a go, even though its only secure from Cloudflare to the visitor, visitors should still get the green lock...

    Smugmug apparently still uses Cloudflare themselves, so you are really asking them to go user-> your cloudflare -> SM's cloudflare -> smugmug, though it begs the question which of their three SSL variations SM themselves uses, but regardless there's not only the extra pass through their CDN addressing there's also 2 SSL changes in the middle. Who knows what happens to that under the covers.
  • GargaGarga Registered Users Posts: 67 Big grins
    edited June 26, 2016
    Ferguson wrote: »
    Smugmug apparently still uses Cloudflare themselves, so you are really asking them to go user-> your cloudflare -> SM's cloudflare -> smugmug

    Yeah. Oh well, worth a try for some ssl.

    Actually, I ran a few speeds tests while using Cloudflare's DNS. Now that I've changed the custom domain back to the recommended settings, the performance is actually slower it seems.

    Might try and test this much more extensively to see if this is really the case.
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited August 11, 2016
    Linux bug leaves USA Today, other top sites vulnerable to serious hijacking attacks

    Well, yet another one, this one kind of serious as neither end of the connection need have any malware, and I wonder if Smugmug isn't vulnerable.

    This argues pretty strongly for encrypting all web traffic, as at least then it can only be a DOS attack, not hijacking.

    Any word on whether this has been given more attention?
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited August 17, 2016
    Keeping your photos safe and secure is extremely important to us (as you know) and our ops team ensures that our photos are not vulnerable to attacks. We definitely want to get SSL for custom domains going but the timeline for this is sometimes out of our hands (like right now), though we'll continue to push to get this done as soon as possible.
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited August 20, 2016
    leftquark wrote: »
    We definitely want to get SSL for custom domains going but the timeline for this is sometimes out of our hands (like right now)...

    If you are allowed to say....

    Does that mean there's something outside of priority keeping it from happening?

    Like is Let's Encrypt not viable for this? Or some such?

    Just curious really, it happens when it happens, but it does seem to be more and more important.
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited August 22, 2016
    Ferguson wrote: »
    If you are allowed to say.... Does that mean there's something outside of priority keeping it from happening?

    Our CDN doesn't support it for the number of custom domains that we need to be able to support. We're doing everything we can to get support for it but how quickly that happens is out of our hands. I keep my fingers crossed at least!
    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • FergusonFerguson Registered Users Posts: 1,339 Major grins
    edited August 23, 2016
    Ah, I keep forgetting there's a[nother] 3rd party involved.

    Thanks.
  • tenebstenebs Registered Users Posts: 17 Big grins
    edited December 1, 2016
    SMUGMUG app is a bigger theft problem
    Worrying about SSL what about the Smugmug app.

    The SmugMug app will allow anyone to download a picture to their phone. Even if on the website you have sharing and right-click to save disabled, this can all be bypassed with the SmugMug phone app that anyone can install and use.

    Try it. Have a friend install the app and you will see that they can take anything they want.

    Worse still is that when they do this all of the IPTC/EXIF information is stripped from the downloaded photos.
    Margy Green
    margygreen.com
  • jbdjbd Registered Users Posts: 3 Big grins
    Thanks leftquark for the insights on SEO.
    I landed here after I sent a message to SmugMug Heroes asking how to enable SSL on my custom domain.

    They answered:

    > “Or if we can, how can I implement it?”
    > You’ll need to contact your domain host, to inquire about this. We have no control over custom domain servers.
    >
    > “Let me know if it’s possible to use a free Let’s Encrypt certificate on how own domains, or if and when you plan to do so.”
    > Again, you’ll need to discuss this with your domain host.

    So I contacted my web host & registrar, which provides Let's Encrypt for free that I am using for my other websites, but they said it wouldn't work with a SmugMug redirection.

    So who's right? Is it even possible, today, to have a custom domain as HTTPS?

    Let's Encrypt also set up a commercial/awareness website: httpvshttps.com showing HTTPS loads faster because it uses HTTP/2. Since some SmugMug pages can have loads of pictures loading simultaneously, it may make it faster.
  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    I think the hero you talked to is wrong, maybe someone from SM can confirm officially, but putting in an SSL certificate requires the host system participate in the certificate validation process (put simply your SSL certificate must be installed on the Smugmug server in some fashion). Worse, it requires that the CDN be aware of an able to respond to the certificate (how this works normally is hazy for me, only that it must).

    As I understand it the latter is not possible at present even if Smugmug wanted to cooperate in the former (and it is not prepared to do the former either).

    The Hero's answer is of course correct in the sense that you need to obtain a certificate from someone, and domain access is required for the lowest level certificate to authenticate -- but it still requires the web servers be involved in the process, and that's Smugmug.

  • GargaGarga Registered Users Posts: 67 Big grins

    Squarespace have announced SSL for all custom domains.
    You can choose whether to have www prefix on a custom domain as well.

    Hope SM has these options one day >:)

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    We've moved as much of SmugMug to SSL as we can for the obvious benefits of having sites behind https and we'd love to get all the way there and include it in custom domains, however at this time we're waiting on one of our partners to get things squared away on their end first. Once that happens (and we're pushing as hard as we can), we'd love to add it for custom domains too.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • ashishpandeyashishpandey Registered Users Posts: 100 Big grins
    edited May 27, 2017

    Has this moved any further since the last update? There is a lot to gain here (SEO, HTTPS/2, new world compatibility) and the technology to do it all exists for quite some time now (letsencrypt, SNI etc.) I cannot imagine the hold up except for smugmug not prioritizing this at all

    see here for clear benefits for a page full of images using HTTP/2 over https - http://www.httpvshttps.com/. The benefits are fairly obvious and tempting

    Ashish
    http://photography.ashishpandey.com
    smugmug ID: ashishpandey (but I prefer my domain URL above :D)
  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    @ashishpandey said:
    I cannot imagine the hold up except for smugmug not prioritizing this at all

    Just one above leftquark pointed out that the issue is in their partner (it's their CDN).

    A personal website is easy, e.g. I had SSL on mine in a few minutes with lets encrypt. But one meant for millions of users not two or three has different issues.

    Now to be fair, I would hope they are twisting their CDN's arm pretty darn hard -- maybe some broken off arms lying around their office to show for it -- but they cannot do it alone.

  • Cygnus StudiosCygnus Studios Registered Users Posts: 2,294 Major grins

    @leftquark said:
    SEO for Custom Domains is an interesting topic and something we want to do a better job of educating our customers on. If SEO is your main focus, then you (I'm using it generically here, not Ferguson specific) should consider dropping your custom domain and instead using your nickname.smugmug.com.

    I'm coming in late to this conversation, but I do find it interesting. So I decided to do a quick check to see what happens.

    My custom domain = not verified (as expected)
    My nickname = verified (as expected)

    But alas, using the nickname might not be my best option.

    Steve

    Website
  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    Are you SURE that's your nickname? I get that error if I type in any random character string. Is that what's shown on the very top section of your account settings under "Site URL"?

  • Cygnus StudiosCygnus Studios Registered Users Posts: 2,294 Major grins

    @Ferguson said:
    Are you SURE that's your nickname? I get that error if I type in any random character string. Is that what's shown on the very top section of your account settings under "Site URL"?

    Good call, seems there is a dash - in my nickname.

    Nevermind leftquark, problem solved.

    Steve

    Website
  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    @ashishpandey said:
    Has this moved any further since the last update? There is a lot to gain here (SEO, HTTPS/2, new world compatibility) and the technology to do it all exists for quite some time now (letsencrypt, SNI etc.) I cannot imagine the hold up except for smugmug not prioritizing this at all

    see here for clear benefits for a page full of images using HTTP/2 over https - http://www.httpvshttps.com/. The benefits are fairly obvious and tempting

    We concur with the benefits and I can sure you this is one of our top priorities. As Ferguson mentioned, there's a lot more at play than just simply setting up custom domains using Let's Encrpyt for one domain. Getting this to work on a scale for all SmugMug customers, in a way that is free for all of you and doesn't require you to do any additional work makes it more complex than many imagine. That's not to say we're not working on it - we have several options we're working through and trying to narrow down on the best and quickest option for all of you. We want all of SmugMug on https, without having to opt into it ... one day you'll wake up and it will just work.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
Sign In or Register to comment.