CDS Discussion

Almost two years ago, there was a decision made between all the major Internet browsers - Google, Bing, Mozilla, Safari, etc. - to begin rolling out stricter requirements related to website security.

At present, you may have started receiving warning notices when you try to visit the CDS website and your browser may be blocking access. This isn't a random problem that will go away but is a real policy that will progressively get more stringently enforced as certain time/milestones are reached.

Here is more about it:

https://www.inc.com/john-lincoln/get-re ... where.html

This issue was mentioned previously, but I don't guess anything is being actively done to resolve it.

http://forums.slcds.info/viewtopic.php? ... 107#p47107

Sylvia Tamalyn wrote: ↑Sat Jun 16, 2018 7:01 pm

This issue was mentioned previously, but I don't guess anything is being actively done to resolve it.

http://forums.slcds.info/viewtopic.php? ... 107#p47107

I've mentioned it to Mizou.

I won't be handing out links to cdsdemocracy.org for one simple reason; ...when people click on the link and get an error message instead of the website, that makes us look worse than if we simply don't use it at all.

If we must have an SSL certificate, that will be an additional cost. Personally, I don't think we need to pay that. We aren't selling anything, which is the primary reason that you would want an SSL certificate to assure that things like credit card numbers aren't stolen. Anyway, that's just my opinion. Many websites that aren't selling don't have an SSL certificate padlock. In fact, these very forums don't have one.

The reason we need one is because browsers will be expecting them -as Bags' link explains, and will not load the page without them.

This creates a very bad impression on folks who we're trying to win over.

I would suggest taking a look at "letsencrypt" and seeing if it's possible to use that -it's a non-profit initiative which has the goal of increasing cryptographic use (for privacy concerns).

There might be some sort of solution there, possibly a free one.

https://letsencrypt.org/

If we need to have an SSL certificate for the website, then are we looking at one for the forums too? Anyway, Mizou would need to be the one to install it, so she would need to be involved in this discussion.

Rosie Gray wrote: ↑Sat Jun 16, 2018 10:42 pm

If we need to have an SSL certificate for the website, then are we looking at one for the forums too?

Anything that we want to be able to load in folks' web browsers, should have a certificate.

I don't web, so I'm having to google stuff -and won't get very far with it.

Let's encrypt is free (I think?), but needs to be renewed every thing months -and may have wonkiness when paired with cloudflare.

I saw a post on reddit's webdev forum mentioning this site: https://www.ssls.com/
It has a range of offers going from $6/year and up. I'm not sure what offers would apply to us, however.

That's one company; I'm sure there's gotta be others.

I've talked to Bags inworld about this. I'm going to put aside funds for this in the budget and if they get used, great. if not ...more money in the coffers.

Installing them is a hassle, and judging from my talk with Mizou, I think she doesn't feel there's a need.

When the complaints come in, I'll just refer them to her.

What that said, I'm pretty much out of the conversation.

I agree with you, Han. I think it is really off-putting to click on the link to the portal and get instead an ominous "SECURITY RISK" message. If we don't want to make the site welcoming to visitors, maybe it would be better to just take it down altogether.

As it is, it just looks bad, and even though I know all you guys, I admit that I was hesitant to bypass that warning when I had a look at the situation. Imagine the impression it gives to casual visitors who are checking it out for the first time!

Perhaps there is help from Bluehost that Mizou can get. I note that on the servers that I use through HostPapa that there is an auto-certificate generated for each of my sites. It doesn't supply the padlock, but it also doesn't give that warning that we are getting with the CDS site. On HostPapa it's something that is included in the basic cost of hosting, so perhaps there is something similar on Bluehost that needs to be initiated and won't cost extra (or require hours of head-banging to figure out some 3rd party freebie way).

This support info might be useful: https://my.bluehost.com/hosting/help/auto-ssl

Sylvia Tamalyn wrote: ↑Sun Jun 17, 2018 10:38 am

This support info might be useful: https://my.bluehost.com/hosting/help/auto-ssl

And they're who we're already using?

If so, according to this page SSL is included for free. Presumably all we'd need to do is set it up.

Right. In the link I posted, it states:

AutoSSL is automatically enabled when WordPress is installed or the Free SSL Certificate is turned on for an existing WordPress site in your Bluehost control panel.

and

That process also happens immediately for new accounts and for existing accounts when WordPress is installed, AutoSSL is toggled to 'on' in the Hosting SSL Certificates page, or Free SSL Certificate is toggled to 'on' in the Security section of the control panel.

So hopefully it is as straight-forward as that makes it appear to be!

That's exactly how it works on HostPapa too. But as I said before, it doesn't include the 'padlock'.