I’ve blogged before about the importance of making sure you’re serving your content over HTTPS. Not only is Chrome now marking sites not served over HTTPS as “non secure” in the browser, they are giving increased weight to HTTPS sites in search results. It’s never been easier to serve your sites securely, but the actual secure certificate is only part of the equation here. We need to talk about protocols like SSL and TLS as well.

Server software like Apache and Nginx would previously serve secure content over the SSL (Secure Sockets Layer) protocol. This is the case for the web as well as email. SSL was succeeded by TLS (Transport Layer Security). The problem is that the various SSL protocols have been found to be insecure. A few years ago SSL 3.0 was found to be attackable thanks to the POODLE attack. At this point, it’s best to have moved your servers off SSL and to be using the TLS protocols.

Run Some Tests!

If that’s Greek to you (and most of it is to me as well), don’t worry. If you have server or IT admins that take care of your servers, chances are they’re on it and have been on TLS for several years now.

Highedwebtech.com SSL Test results

You can use Qualys’ SSL Server Test site to see what protocols your server is using and make sure you’re up to date with everything. You can see my report here. I use Let’s Encrypt for my certificate. Take a second and check out that A+. Feels good.

The SSL Server Test will also tell you what TLS and SSL protocols you’re running. You shouldn’t be running any SSL ones, because you will see the test dock you very heavily. Here’s an example:


You should be serving your website content over TLS 1.2 at this point. Why? Here’s more detail from GlobalSign:

As a best practice, you should configure your servers to support the latest protocol versions to ensure you are using only the strongest algorithms and ciphers, but equally as important is to disable the older versions. Continuing to support old versions of the protocols can leave you vulnerable to downgrade attacks, where hackers force connections to your server to use older versions of the protocols that have known exploits. This can leave your encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.

Earlier this summer, TLS 1.3 was ratified and released. If you are able to upgrade to it, you should. If you don’t want to run a full SSL test, you can run just a check of what TLS protocols you are serving. Here’s a TLS Test from CDN77. Here are my results below. This site is coming to you over TLS 1.3. Again, feels good!

TLS Test Results
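Alongside the online tests, you can audit the server configuration itself for protocol versions older than TLS 1.2. The script below is an added example, not code from this blog: it scans Apache `SSLProtocol` and Nginx `ssl_protocols` lines in a constructed sample config, and it assumes a worst-case meaning for Apache’s `all` and that a bare Apache token replaces the enabled set.

```python
import re

# Assumption: worst-case meaning of Apache's "all" (SSLv3 included); the real
# set depends on the Apache/OpenSSL build.
ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions older than TLS 1.2, which the text above says to disable.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in ALL + ["SSLv2"]}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)

# Constructed sample lines (not taken from any real server).
SAMPLE = """\
# Apache
SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
"""

def enabled_protocols(directive, args):
    """Resolve one directive's arguments to the set of enabled versions."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        names = set(ALL) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if directive.lower() == "ssl_protocols" or sign == "+":
            enabled |= names          # Nginx list entry, or Apache "+X"
        elif sign == "-":
            enabled -= names          # Apache "-X"
        else:
            enabled = names           # assumed: a bare Apache token replaces the set
    return enabled

def audit(config_text):
    """Return (line number, directive, legacy versions still enabled)."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            legacy = sorted(enabled_protocols(m.group(1), m.group(2)) & LEGACY)
            if legacy:
                findings.append((no, m.group(1), legacy))
    return findings

if __name__ == "__main__":
    for no, directive, legacy in audit(SAMPLE):
        print(f"line {no}: {directive} still enables {', '.join(legacy)}")
```

Removing SSLv3 alone is not enough: `SSLProtocol all -SSLv3` is still flagged because TLS 1.0 and 1.1 remain enabled.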

In its recent versions, the Chrome browser has started making it more visible to users when a site is served over SSL and HTTPS. Instead of showing just a green padlock, Google has added the word “secure” to that area.

The bar now looks like this:

SSL site in Chrome

For non-secure, regular sites, there will continue to be an icon that shows the user they can get more info about that site.

Non-SSL site in Chrome

If users click on that site, they see this text:

What users see on non-SSL site

This small change is just the beginning. At the end of January, Google and Chrome will start marking sites served over non-secure HTTP specifically as non-secure. WordFence shows in this image how Chrome will show all sites that aren’t served securely:

Non-secure site in Chrome

WordFence released a good blog post on these changes here.

This is a good thing: serving over SSL and HTTPS not only gives better protection for your data, you can also, if you want, get some serving speed increases via HTTP/2.

On the downside, it may drive your campus or freelance clients to ask why their sites aren’t showing up as secure.

It will also drive users to think that something is wrong with their site or their information has been compromised. We will need to communicate to those users as well.

It will be a good opportunity for us as web developers to have a conversation about basic security and why technologies like SSL are important.

Luckily, installing SSL certificates is much easier now thanks to groups like Let’s Encrypt. They’ve taken the headache out of issuing and maintaining SSL certificates. The majority of the sites I host and support serve certificates from Let’s Encrypt, including this site.

With the pain removed, for the most part, there are fewer and fewer excuses not to serve your site over HTTPS/SSL.

The challenge here remains that not enough shared web hosting providers are offering easy and affordable SSL. Kudos to Dreamhost for being one of the largest hosts to offer free, no-configure SSL to their hosting clients. Let’s hope more and more companies join in.

I’m writing a longer post about this, but on the side, I have a web development and support company. We do hosting for many sites, and we are making (at least) free SSL the default for all the sites we begin hosting in 2017. We’re also retrofitting all the sites we’ve previously launched. It’s just a click of the mouse for us, so there’s no excuse not to. Add in automatic renewal of the certificates, and it’s dead easy for developers and host companies to support.

If you’re a higher ed blogger, agency, freelancer, small business or non-profit, and want inexpensive web hosting with security like free Let’s Encrypt certificates included, contact me. I can help.

Tons of hot takes on this wintry Tuesday.

I installed my first SSL certificate via the new Let’s Encrypt project. It was easier than other SSL certs I’ve requested and installed. This one was all done via the command line. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. With a few tweaks in Apache, I’m getting A+ scores on Qualys’ SSL Labs test.

SSL Labs Test Result

In May of 2005, I sat in a movie theater in Erie, Pennsylvania, getting ready to watch Star Wars: Revenge of the Sith. The movie was, well, the movie, and I couldn’t help but sit there and be bummed that I’d never have the chance to bring my boys to see a Star Wars movie. They’d never experience the excitement of watching a Star Wars story unspool before them on the silver screen. DVDs, Blu-Rays, and streaming aren’t the same. You have to see Star Wars in a theater. You just do. Just before Christmas, I sat in a theater with my two boys and watched The Force Awakens.

The Force Awakens

In that moment between the Lucasfilm logo and the logo appearing on the screen, that heart-stopping moment before the horns blast out, I grabbed their hands. That moment. I want to freeze it, time-lock it, live in it forever. I don’t want them to grow up. It’s happening too fast. The Lucasfilm logo appeared. The music started, and I looked at them. They were smiling, still holding my hand.

I’m not crazy about the new way Facebook is doing the sharing of content on brand pages. The new way where it shows multiple thumbnails for a shared post. I think it’s confusing and leads users to believe there are 3 different stories included in the post, not just one. Example:

Facebook sharing

Speaking of Facebook, their privacy controls have matured to the point that I don’t think people need to change their display names to some combination of a nickname or middle name as opposed to their last name. Instead of being “Laura Jane” on Facebook, you can be your full name and lock yourself down so people who are not your friends see absolutely nothing about you. If you are worried about people finding you on social media, don’t be on social media.

Ever since I got back from HighEdWeb ’15 in October, I’ve been trying Slack with my integrated marketing team. I’m working on a larger post about it, but I’ve managed to convince my team to use it, which was probably the hardest part of the process. What I like are the integrations. We have Twitter, Wufoo, and Basecamp tied into Slack to give the team constant updates, just like the Weather Channel.

If you’re looking for a fun, low-cost entry into VR, I’d recommend checking out the View-Master Virtual Reality Starter Pack. It’s a 21st century version of the old plastic viewer that took those photo discs, but now you put your smartphone in it. The apps that come with it are kind of lame, but it’s fully compatible with apps and sites built for Google Cardboard, including a version of Google Earth. If you have an Android phone, there are some videos in the YouTube app optimized for Cardboard and it’s pretty neat to stand in the middle of an orchestra and look around while they play. I can definitely see lots of uses for Higher Ed here and I’m starting to get what all the fuss around VR is about.