SSL's for custom domains

13»

Comments

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    @Shinrya said:
    I just checked again and yes they are now showing through HTTPS. Confirmed in Safari, Firefox and Chrome. Both Firefox and Chrome do give me a 'connection is not secure' warning though if i click on the padlock in the address bar.

    Here's a recent blog page with 3 adsense banners installed. First one should appear directly at the top of the page above the breadcrumb
    https://www.peterstewartphotography.com/Blog/Singapore-Camera-Shopping-Guide

    Thanks for the example. It looks like AdSense is all set but the Comments Content Block pulled in someones facebook profile image over http instead of https, which results in the "Connection is not secure" warning. We'll add this to the list of things to fix.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • ShinryaShinrya Registered Users Posts: 197 Major grins

    Thanks Aaron. I picked up on that also.

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    Shinrya, it's the facebook links that is causing it now, which I think were mentioned elsewhere as a known issue to fix.

  • TerranTerran Registered Users Posts: 22 Big grins

    My site is still http. Is there something I need to do at my end to activate this? I am losing sales because of this.

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    @Terran said:
    My site is still http. Is there something I need to do at my end to activate this? I am losing sales because of this.

    Are you sure your site isn't both, and you are just not trying it with https?

    They have both running in parallel; https should work, just add the "s" and see.

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins
    edited February 8, 2018

    @Terran said:
    My site is still http. Is there something I need to do at my end to activate this? I am losing sales because of this.

    As @Ferguson mentioned, we've started by generating SSL certificates for you and your site is now available at https://www.yourdomain.com. We haven't started redirecting traffic from http to https, but you're more than welcome to share the https URL with your visitors. We're making sure everything is all set before starting the redirect (which we hope to start doing "soon").

    The shopping cart has been secured for many years now, so your customers should not see any warnings that would drive them away when trying to buy prints and gifts.

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • TerranTerran Registered Users Posts: 22 Big grins

    @Ferguson said:

    @Terran said:
    My site is still http. Is there something I need to do at my end to activate this? I am losing sales because of this.

    Are you sure your site isn't both, and you are just not trying it with https?

    They have both running in parallel; https should work, just add the "s" and see.

    Hi and thanks for getting back to me. I typed in https://terranambrosone.com and it didn't work, but I added the www. and it did.

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    @Terran said:
    Hi and thanks for getting back to me. I typed in https://terranambrosone.com and it didn't work, but I added the www. and it did.

    Yes, mine is the same way. There's along discussion around here about various ways to fix it; I've been too lazy to pursue, but it's a different solution for http vs https apparently.

    Since there are LOTS of web sites where you need the www, I decided not to worry much about it yet, and let them get the redirect in, and the dust settle, then try to fix mine. If you are curious about some details read through this:

    https://dgrin.com/discussion/263153/potential-bugs-with-new-ssl-certs-https/p1

    Or... just wait a bit and see what happens.

  • TerranTerran Registered Users Posts: 22 Big grins

    @Ferguson said:

    @Terran said:
    Hi and thanks for getting back to me. I typed in https://terranambrosone.com and it didn't work, but I added the www. and it did.

    Yes, mine is the same way. There's along discussion around here about various ways to fix it; I've been too lazy to pursue, but it's a different solution for http vs https apparently.

    Since there are LOTS of web sites where you need the www, I decided not to worry much about it yet, and let them get the redirect in, and the dust settle, then try to fix mine. If you are curious about some details read through this:

    https://dgrin.com/discussion/263153/potential-bugs-with-new-ssl-certs-https/p1

    Or... just wait a bit and see what happens.

    Thanks so much, @Ferguson ! I'll read through the links when I get a chance. Just happy I can update my various social media/blogs with the new https. Hoping visitors will stay to browse and maybe buy now. :)

  • TerranTerran Registered Users Posts: 22 Big grins

    @leftquark said:

    @Terran said:
    My site is still http. Is there something I need to do at my end to activate this? I am losing sales because of this.

    As @Ferguson mentioned, we've started by generating SSL certificates for you and your site is now available at https://www.yourdomain.com. We haven't started redirecting traffic from http to https, but you're more than welcome to share the https URL with your visitors. We're making sure everything is all set before starting the redirect (which we hope to start doing "soon").

    The shopping cart has been secured for many years now, so your customers should not see any warnings that would drive them away when trying to buy prints and gifts.

    Thanks for the update, and I hope the redirects go smoothly. Was getting worried, but thankful adding the www allowed me to access the secure url. :)

  • leftquarkleftquark Registered Users, Retired Mod Posts: 3,784 Many Grins

    As of today we've begun enabling full SSL (https) redirects from http to https across entire sites. Any non-https URL will get redirected to https. The roll-out should complete by Friday - let us know if you're not seeing automatic redirection after then.

    You can see my site, for example, http://www.aaronmphotography.com will automatically redirect to https://www.aaronmphotography.com

    dGrin Afficionado
    Former SmugMug Product Team
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • jdoeringjdoering Registered Users Posts: 3 Beginner grinner
    Automating HTTPs support and making it easy is cool. Linking the certificate to twenty-something other unrelated domains (SAN entries) is not so cool. The certificate presented for one customer's site shouldn't identify any other customers.

    Acquiring an HTTPS certificate on behalf of domains owned by your customers without their (my) specific opt-in is also iffy. When I signed-up several years ago and configured a DNS record pointing to smugmug - I doubt I consented to you obtaining SSL certificates on my behalf for my domain. Obtaining certificates on my behalf for my domain should require explicit consent. Yes; I would grant it. Yes it should be explicit and no the cert shouldn't name other customers.
  • GargaGarga Registered Users Posts: 67 Big grins

    @jdoering said:
    Automating HTTPs support and making it easy is cool. Linking the certificate to twenty-something other unrelated domains (SAN entries) is not so cool. The certificate presented for one customer's site shouldn't identify any other customers.

    Very small price to pay IMO for free SSL on a custom domain.

    Acquiring an HTTPS certificate on behalf of domains owned by your customers without their (my) specific opt-in is also iffy. When I signed-up several years ago and configured a DNS record pointing to smugmug - I doubt I consented to you obtaining SSL certificates on my behalf for my domain. Obtaining certificates on my behalf for my domain should require explicit consent. Yes; I would grant it. Yes it should be explicit and no the cert shouldn't name other customers.

    By using their service, you're agreeing to their terms & conditions. I'm assuming there are pricing and/or technology issues why a certificate is shared with other customers. CloudFlare do the same unless you pay $5/month.

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    @Garga said:
    By using their service, you're agreeing to their terms & conditions. I'm assuming there are pricing and/or technology issues why a certificate is shared with other customers. CloudFlare do the same unless you pay $5/month.

    Two someone contradictory remarks:

    Since this has come up, I have yet to hear anyone complain that a customer/client/observer has noticed, and cared. Everyone who has complained has been noticing for their own site. Has anyone ever gotten an un-prompted complaint from outside?

    I do think Smugmug is a for-fee service. I think they should have offered an opportunity for people to get individual SSL certs, and if that costs more, tell them how much.

    And again, I realize if the first case is really true, and no one cares, the second is a service perhaps without any point (though many things without a point sell, remember the Pet Rock).

  • GargaGarga Registered Users Posts: 67 Big grins

    https is now so important for every website, plain and simple.

    So I don't blame SmugMug at all for making a call and doing this for everyone without an opt-out or another option that'll just confuse the issue.

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    @Garga said:
    https is now so important for every website, plain and simple.

    So I don't blame SmugMug at all for making a call and doing this for everyone without an opt-out or another option that'll just confuse the issue.

    My suggestion above was not meant to imply people be allowed to opt out of https, but rather that maybe (or maybe not -- I really don't know) it would have been a better business decision to give people the option of paying more for a personalized cert vs en-mass cert that was used.

  • GargaGarga Registered Users Posts: 67 Big grins

    @Ferguson said:

    @Garga said:
    https is now so important for every website, plain and simple.

    So I don't blame SmugMug at all for making a call and doing this for everyone without an opt-out or another option that'll just confuse the issue.

    My suggestion above was not meant to imply people be allowed to opt out of https, but rather that maybe (or maybe not -- I really don't know) it would have been a better business decision to give people the option of paying more for a personalized cert vs en-mass cert that was used.

    RIght. That's why I said "or another option that'll just confuse the issue" :smile:

    I reckon there's a small minority of customers who knows what this all means, then a smaller minority that would actually pay for a dedicated certificate. I could imagine the influx of support requests of "what does this mean!? Do I need it!?" Probably just confuses the issue for most.

  • FergusonFerguson Registered Users Posts: 1,339 Major grins

    @Garga said:

    @Ferguson said:

    @Garga said:
    https is now so important for every website, plain and simple.

    So I don't blame SmugMug at all for making a call and doing this for everyone without an opt-out or another option that'll just confuse the issue.

    My suggestion above was not meant to imply people be allowed to opt out of https, but rather that maybe (or maybe not -- I really don't know) it would have been a better business decision to give people the option of paying more for a personalized cert vs en-mass cert that was used.

    RIght. That's why I said "or another option that'll just confuse the issue" :smile:

    I reckon there's a small minority of customers who knows what this all means, then a smaller minority that would actually pay for a dedicated certificate. I could imagine the influx of support requests of "what does this mean!? Do I need it!?" Probably just confuses the issue for most.

    Yes. It's easy from the outside to under-estimate the support load of doing something slightly complex. I'm always amazed, given that "photographers" are actually now holding less a camera, and more a handheld computer attached to a lens, that so many of them feel leaning about computers should not be part of the job. :blush:

Sign In or Register to comment.