As part of the research for my master's project, I came across a website that wasn't secured with a cert and it's hosted by an .edu. I'd like to email the webmaster to advise them to get a cert and then also link them to a webpage that provides information about free certs, hopefully an LE webpage. Keeping in mind that not all website creators are created equal, do you think that the LE homepage is still the best page to direct someone to visit if they want to learn more about how to get a free cert from LE? Or do you feel that a different approach would be preferable?
The LE website is a great resource for those who know what an SSL Certificate is, want an SSL Certificate, and are interested in free/automated systems. To my knowledge, it doesn't address "Why you need an SSL Certificate", which is probably what they need to see.
Either the LE website itself or the /docs/ page I think would be best.
I've seen a few .edu websites that had images that were http and therefore showed the padlock crossed out. I don't believe I've ever seen one without a padlock at all though.
Which case was it on the site you saw, https with a crossed out padlock (most likely http images) or was the site itself
I still see lots of sites with non-ssl
Now that I understand the situation I can host client sites and add a certificate at no incremental cost.
I put together a blog post as well from my experiences which may be helpful for some people who need a manual instead of a form.
@tlrenkensebastian, a couple of security bloggers who've written a ton of short pieces (as well as some more detailed and technical pieces) advocating for HTTPS on every site over the past 5 years or so are Scott Helme and Troy Hunt.
Since they've both been so successful with this advocacy you might not see their best HTTPS advocacy pieces on the front pages of their web sites anymore, but if you search for "https" on either site, I think you'll find some good stuff. Quite a lot of their work in the past was pitched to skeptical webmasters or just people who were unfamiliar with what HTTPS is or why it's important, as well as people who were afraid it would be difficult or expensive for them to switch their web sites over to HTTPS.
Random examples (again, not necessarily the absolute best in this genre from either author—probably each of them has written 10-15 different pieces along these lines):
It's a subdomain of a website, and I was mistaken in that it's for a .ca website which is connected to a public university:
@schoen, those resources sound great and I'll definitely mention them in my email to the webmaster.
IMHO, their arguments are now the least persuasive for people who have not adopted already. The solid arguments now are coming from SEO experts, as all the search engines started to prioritize HTTPS many years ago, and are now penalizing HTTP.
Hmm, based on other responses above and if I'm trying to elicit the most favorable response from the person maintaining this specific subdomain, do you think it would be best for me to say something like, "Hey, I noticed that my browser is saying your site isn't secured by a TLS certificate. You might want to check for mixed content" and then link to the checker?
They definitely have mixed content - http images. Even their college logo is http.
Sounds reasonable to me.
You might want to include a brief definition for mixed content too just in case you reach someone who does not know what it is. Something like: "images, links, scripts, etc. with http:// in their addresses". Without the definition, I've found here that most people will usually ask (even though one click on the checker will provide a complete explanation). Some won't even go that far. Since you're coming to the recipient in this case, I feel that minimizing the effort he/she needs to exert is more likely to lead to an active outcome. Don't hold your breath though. I contacted a major (and controversial) news organization (One America News Network) a few weeks ago about exactly this issue, which has yet to take any action (or even send a response).
Woo hoo! Related to this, I noticed an insecure proxy link to a database my university library has access to and submitted a ticket to the uni Help Desk. This was their reply:
Woo hoo! I am helping in some way!