The Move to HTTPS

By Cory LaViska on April 23, 2019

The web is moving to HTTPS at a fast pace, and the latest version of Surreal CMS is HTTPS-only. Here's why you should make sure your websites are protected too.

We've all heard of HTTP, or Hypertext Transfer Protocol. It's the thing that makes communication over the Internet possible. The problem with HTTP is that, on its own, it's not very secure.

As messages are sent from sender to receiver, they pass through various nodes that make up the Internet. Since HTTP messages aren't encrypted, any of these nodes has the potential to read or modify the message's content. We have to trust they're doing the right thing.

But what happens when somebody doesn't do the right thing?

What if you log in to your bank's website and a malicious node records your username and password? What sort of damage could they do with that? What if you ordered some flowers for Mother's Day and someone snatched your credit card info as soon as you clicked submit? What if your ISP started injecting advertisements into some of the webpages you were viewing?

These are called man-in-the-middle attacks, and the repercussions can be scary. Fortunately, this can all be prevented with HTTPS.

What is HTTPS?

HTTPS is an extension of HTTP that makes it more secure by encrypting messages so they can't be read or modified as they move from one place to another. In recent years, there's been a push to move all websites towards HTTPS — and that's a good thing.

The key to encrypting and decrypting messages is an SSL certificate. In the past, SSL certificates were pricey and somewhat complicated to install, so unless you were making money off your website, you probably didn't bother to get one.

Nowadays, you can get SSL certificates for free through Let's Encrypt. Many web hosts even offer them for free to be competitive, and installation is often as simple as a few clicks.

In 2019, there's no excuse for your website to not be secure.

There are other benefits to HTTPS as well. If search engine rankings matter to you, you'll definitely want to secure your website now that Google uses HTTPS as a ranking signal.

Modern browsers show warnings when a website isn't secure. Chrome, Firefox, and Safari display "Not Secure" in the address bar. Firefox takes things a step further and shows a popover when you fill out a form on an unsecure website. How can you prevent this? Switch to HTTPS.

Finally, users just feel safer when they see that little lock in the address bar. Their trust level immediately goes up when they know their connection is secure.

How does this affect Surreal CMS?

Previous versions of Surreal CMS supported both HTTP and HTTPS. In version 5, we began pushing all pages over to HTTPS with one major exception: when the editor loaded an HTTP website, the editor would also use HTTP.

We did this because browsers block mixed content, meaning scripts, styles, and other resources simply wouldn't load in the editor. It was a quick fix to get clients editing again, but it left one of our most important pages unsecure.

From now on, the entire app will be served over HTTPS.

We realize this is an inconvenience for HTTP websites, but we're no longer willing to risk even a single webpage being served without HTTPS. Given all the reasons listed above, you shouldn't either.

If you're not seeing scripts and styles in the editor, chances are it's because your website isn't secure and the browser is blocking mixed content. The best solution is to install an SSL certificate and forward HTTP to HTTPS.
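To see which of a page's resources are affected, the added example below (not Surreal CMS code) resolves each script, stylesheet, frame, and image URL against the page's address and lists the ones that end up on http://. The function names, the regex-based tag scan, and the example.com markup are assumptions made for illustration; it runs in Node.js.

```javascript
// Added example: list subresources that resolve to http:// for a given page URL.
// The regex tag scan is a simplification for brevity, not a full HTML parser.
const SUBRESOURCES = [
  { tag: 'script', attr: 'src', kind: 'script' },
  { tag: 'link', attr: 'href', kind: 'style', requireRel: 'stylesheet' },
  { tag: 'iframe', attr: 'src', kind: 'frame' },
  { tag: 'img', attr: 'src', kind: 'image' },
];

// Read one attribute value (double-quoted, single-quoted, or bare) from a tag.
function getAttr(tagText, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tagText);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findInsecureSubresources(html, pageUrl) {
  const found = [];
  for (const { tag, attr, kind, requireRel } of SUBRESOURCES) {
    const tagRe = new RegExp(`<${tag}\\b[^>]*>`, 'gi');
    for (const [tagText] of html.matchAll(tagRe)) {
      // Only <link rel="stylesheet"> loads a stylesheet; skip icons and the like.
      if (requireRel && (getAttr(tagText, 'rel') || '').toLowerCase() !== requireRel) continue;
      const ref = getAttr(tagText, attr);
      if (!ref) continue; // inline <script> with no src, etc.
      let url;
      try { url = new URL(ref, pageUrl); } catch { continue; }
      // Relative and protocol-relative URLs inherit the page's own scheme.
      if (url.protocol === 'http:') found.push({ kind, url: url.href });
    }
  }
  return found;
}

// Constructed sample markup, not taken from a real site.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<link rel="icon" href="/favicon.ico">
<script src="//cdn.example.com/lib.js"></script>
<script src="http://www.example.com/js/app.js"></script>
<img src="images/logo.png">
<script>inline()</script>
`;

// Served over HTTP, every relative reference resolves to http://.
console.log(findInsecureSubresources(SAMPLE_HTML, 'http://www.example.com/index.html'));
// Served over HTTPS, only the hardcoded http:// URL is left to fix.
console.log(findInsecureSubresources(SAMPLE_HTML, 'https://www.example.com/index.html'));
```

Once the site itself is on HTTPS, relative and protocol-relative references follow automatically; anything the second call still reports is a hardcoded http:// URL that needs to be updated by hand.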

If you're not sure how to do this, check with your web host for instructions. In many cases, HTTPS can be enabled for free in your control panel with just a few clicks. If your web host is still charging for SSL certificates, try searching for "install lets encrypt <web host>" for a free alternative.

Thanks for understanding, and for making the web more secure!