Preparing to switch to "https" (advice for a total novice)


#1

Hi, everybody, this is my first post in this forum. I am not a coder, but I do have a limited knowledge of html and css. I want to remake two of my existing websites in such a way, that they would be my default sites, without redirecting from http to https. Within my (shared) host’s cPanel there is the “Let’s Encrypt SSL”.

I am a total novice in the matter of switching from “http” to “https”, therefore I need some general advice on best practice/workflow in the whole process of switching, particularly about changes to be made in my project, but also about changes to be made on the host’s server. One thing I know already is that all internal links in my project need to be changed from http to https. But this is where my knowledge ends.

How do I go about it? Much appreciation, in advance…

BTW, I can use either cPanel or FTP-client to upload/edit/delete files and folders relevant to my website on the server.


#2

Hi @Rovertek,

There’s a lot we could say about the host configuration, but if it’s shared hosting with cPanel, it seems like the host is probably going to take care of most of the details for you (and not give you a lot of power to make your own choices about how the HTTPS support will work!).

Are there particular things that you’re worried about that you think the host will give you control over?

If you do make the switch and then get any problems with browser security warnings, you can find out about the problems with

https://www.whynopadlock.com/


#3

First of all – thanks for a quick response.

Are there particular things that you’re worried about that you think the host will give you control over?

Well, I haven’t got enough knowledge and I have zero experience, so I am not worried about anything yet. I was hoping for some general information, like: is it possible to choose between SSL and TLS certificate during the process of installing a certificate by way of “Let’s Encrypt SSL” in cPanel (I’ve read elsewhere on the Internet that SSL is not really secure). I would also appreciate any info on what needs to be modified in my website-project, if anything.


#4

The SSL vs. TLS issue is an unfortunate case of people continuing to use an outdated term inaccurately. It’s true that SSL is not secure and TLS is its successor, but many people never use the term “TLS” at all and inaccurately use “SSL” to refer to both. (They may also inaccurately use “SSL” to refer to the certificate itself.) So, if you see modern software or documentation referring to “SSL”, there’s a high likelihood that it really just means “TLS”!

Usually HTTPS is a direct replacement for HTTP for most purposes, so there’s not usually a need to make changes to your web site as a result of the change (except for changing links to refer to HTTPS, as you mentioned).

There are definitely a large number of security-related technologies that can be used in conjunction with HTTPS that don’t exist for HTTP (for example, HSTS, HPKP, and secure cookies), but these mostly relate to trying to get extra security by warning browsers that the site prefers to use HTTPS. You don’t need to use any of these technologies in order to turn on HTTPS in the first place.


#5

@schoen – Danke schoen,

This is shedding a lot of light on the topic, in general terms. I hope—when it comes to details—my host will be able to completely support my transition from http to https.

…it seems like the host is probably going to take care of most of the details for you (and not give you a lot of power to make your own choices about how the HTTPS support will work!).

What choices did you have in mind when you wrote that? What are the limitations that you are predicting? What is a method of installing a certificate that won’t limit my choices?

And one more (important) question:

Is there a way of avoiding all that redirection business? Can’t I have just one default https site that will load consistently, no matter how the address will be spelled by users, and not use redirection in .htaccess file?


#6

If you control your own web server (like in dedicated hosting) and edit the configuration files yourself, then you have at least the options that you see used in

https://mozilla.github.io/server-side-tls/ssl-config-generator/

These are mostly technical options related to which versions of TLS may be used and which ciphers the client may negotiate with the server, so cryptographic parameters and defaults that are used in the course of the TLS connection.

You could also use the technologies that I mentioned like


If a user types “example.com” into a web browser, the web browser’s behavior will be to go to “http://example.com/”, not “https://example.com/”. Similarly, if the user types “example.com/stuff”, the browser will go to “http://example.com/stuff”, not “https://example.com/stuff”. And if the user follows an old HTTP link, the browser will try to load the HTTP resource pointed to by that link. So, the web server does need to be configured to send a redirect in each case.

With HSTS, individual browsers can be told that they always should automatically go to HTTPS for every resource on a particular site. But that still can’t cover 100% of browsers.
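The redirect described in this reply, as an added example that is not part of the original thread: an .htaccess fragment for Apache that sends every plain-HTTP request to the same URL over HTTPS, so that “example.com”, “example.com/stuff” and old HTTP links all end up on the HTTPS site. It assumes the hosting provider allows mod_rewrite directives in .htaccess and that Apache itself terminates TLS, so that the HTTPS variable is set on secure requests.

```apache
# Added example (not from the thread): redirect plain HTTP to HTTPS in .htaccess.
# Assumes mod_rewrite is permitted in .htaccess on this (shared) host.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only act on requests that did not arrive over TLS.
    RewriteCond %{HTTPS} !=on
    # Permanent redirect to the same host and path, now with https://.
    # %{HTTP_HOST} keeps whichever hostname the visitor typed (www or bare),
    # so every spelling of the address lands on an HTTPS page.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

While testing, R=302 is safer than R=301, because browsers cache permanent redirects and a mistake is then hard to undo. If the provider terminates TLS on a proxy in front of Apache, %{HTTPS} may never be “on” and this rule would loop; in that setup the condition is usually written against the forwarded-protocol header instead, for example `RewriteCond %{HTTP:X-Forwarded-Proto} !=https`.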


#7

@schoen – I think that covers all gaps in my initial “https” knowledge and it prepares me sufficiently for making my move toward a secured website.

I do not expect a totally smooth transition, so I will probably return to the forum for more advice. Thank you very much for now!

P.S. I really enjoyed your clear style and to-the-point approach…


#8

Hello, @schoen,

As I predicted, implementing security is not easy and/or straightforward for a simple ‘pedestrian’ like me. I hope you could give me some more advice.

I just got the free SSL certificate from ‘Let’s Encrypt’ by way of my hosting company. I conducted some tests and I was given a wide range of ratings: from “F” to “A+”.

All this is completely new for me, but I would like to plug some holes in my security. For example, I understand that I should add an HTTP Strict Transport Security header. Something like this:

Strict-Transport-Security: max-age=32000000; includeSubDomains; preload

But where? Should it be on the host server or within my website? Should it be a separate text file, a snippet within ‘.htaccess’ file, or a snippet in the header of my ‘index.php’ file? Somewhere else?

I would be very grateful if you would give me some pointers…

Best regards,
Rob


#9

Hi @Rovertek,

For Apache, the HSTS header directive goes inside your <VirtualHost> stanza in your Apache configuration file and looks something like

Header always set Strict-Transport-Security "max-age=32000000; includeSubdomains; preload" env=HTTPS

You should be very careful that you understand the implication of this: it is attempting to make HTTPS mandatory for your site. This is great, but it’s a commitment that you’re making, because if your site stops supporting HTTPS in the future for any reasons, browsers will simply refuse to connect to it (during the entire “max-age” period). They will not accept an HTTP version at all.


#10

So, I’m guessing this is something that only my hosting company can implement? (I don’t see VirtualHost within the / hierarchy of my web server space.)

I understand that my ‘Let’s Encrypt’ SSL certificate will be renewed automatically. Is there any chance that this certificate may not be renewed for some reason and then my website will be blacked-out for viewers? And if that happens, can I somehow revoke the HSTS header directive?


#11

Sorry, I forgot that you don’t control your web server configuration. The VirtualHost directive is in a server configuration in /etc/apache2, which your provider isn’t allowing you to edit.

It might be possible to put this directive into an .htaccess file as well, but I don’t know whether that will work (and it might simply depend on whether the hosting provider allows it).

Whether renewal happens automatically depends on how the certificate was obtained, but I guess for cPanel integration it should be. One reason that HSTS is a risk is that if the renewal doesn’t happen, the site will indeed be blacked out and there is then no way to remove the HSTS setting. (You can only remove an HSTS setting for individual users one at a time and only while HTTPS is actually working properly for them.)


#12

Thanks a lot, @schoen. This is, indeed, quite tricky, but I will enquire with my host and maybe they will be willing to do that for me. Very helpful information…


#13

Right, it will work if the hosting provider allows it.


#14

Thanks, @jmorahan, as well…


#15

Hi, @schoen, @jmorahan,

I’ve got in touch with my hosting provider and here is what he said:

You could try adding .htaccess rules like below however, many of these aren’t going to be able to be modified because you’re on a shared server. Changing some of these would affect the usability of not only your site, but others’ sites as well.

<IfModule mod_headers.c>
    Header set Strict-Transport-Security max-age=16070400;
</IfModule>

His language is not very clear to me, but you will probably understand what he is saying? Do you agree with his opinion? Do you agree with his code?


#16

It’s certainly true that hosting providers can prevent you from using certain rules in .htaccess, and preventing adverse effects on other sites they host is a perfectly good reason for them to do so. He doesn’t seem to shed much light on whether this particular rule will be allowed, though. I guess you’ll just have to try it and see.

It seems fine. The addition of the IfModule lines is definitely a good idea - it means that if mod_headers is ever disabled, the only effect will be that your Strict-Transport-Security header will be removed, rather than your whole site broken. The Header line omits some advanced features of HSTS that are required if you want to be eligible for the HSTS preload list, but then you probably don’t want to be on the preload list right away anyway (if at all - at least wait until you’ve had a couple of successful renewals first :slight_smile: )

I would however suggest adding always and env=HTTPS as in @schoen’s example:

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=16070400" env=HTTPS 
</IfModule>

Not absolutely necessary, but both are good practices.


#17

@jmorahan,
Great, John. This almost solves something that is an absolute mystery to me. One more little bit of doubt on my part: you used quotation marks around max-age, but you omitted the semicolon at the end of the middle line of code.

Header always set Strict-Transport-Security "max-age=16070400" env=HTTPS

Is this an intentional correction, or a mistake?


#18

Neither, really. The semicolon functions as a separator within the header content. The Strict-Transport-Security header can contain multiple directives, such as max-age and includeSubDomains, and if it does they should be separated by semicolons. The quotation marks denote the start and end of the header content, but they’re optional if there are no spaces (more or less).

The env=HTTPS isn’t part of the header; it’s an instruction to Apache to only send the header when the request was received over HTTPS. This is for strict compliance with the HSTS standard - you’re not supposed to send a Strict-Transport-Security header over HTTP (though browsers don’t really mind if you do).


#19

Thanks again, John. This is it (for now :slight_smile:).

I wish everybody was so helpful and clear in their explanations as you and Seth – on any forum!


#20

Hi, @schoen and @jmorahan,

I have modified my .htaccess file according to your suggestions and with my host’s permission. Then, I tested my site on “observatory.mozilla.org”. My results improved from previous “F” (14/100) to “D” (35/100). :joy:

They recommend some more improvements, of which the most important ones are: the use of X-Frame-Options header and Content Security Policy’s frame-ancestors.

So, this will be my next move. I would surely appreciate it if you guys could help me with this.

Let’s assume that my domain is “https://securedomain.com”. Therefore, for starters:

# Would only allow assets to be loaded from my domain over https, on any port.
Content-Security-Policy: default-src https://securedomain.com:*

Is this code correct and complete? Should it be changed or expanded? Does it cover my subdomains? Can it be implemented in my site’s .htaccess file (as opposed to server-wide)?
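The two headers this post mentions (X-Frame-Options and Content Security Policy’s frame-ancestors), as an added example that is not part of the original thread and not a reply from any participant. It is an .htaccess fragment for Apache using the domain the post assumes (securedomain.com), and it further assumes that the host permits mod_headers directives in .htaccess, as it did for the Strict-Transport-Security header earlier in the thread.

```apache
# Added example (not from the thread): clickjacking protection in .htaccess.
# Assumes mod_headers is permitted in .htaccess; securedomain.com is the
# placeholder domain used in the post.
<IfModule mod_headers.c>
    # Older header understood by browsers that predate CSP frame-ancestors:
    # only pages from the same origin may put this site in a frame.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Trial run: the browser reports violations in its developer console
    # but blocks nothing, so existing pages keep working while the policy
    # is tuned. 'self' = same scheme, host and port as the page itself;
    # the explicit host-source matches only that exact host, on any port.
    Header always set Content-Security-Policy-Report-Only "default-src 'self' https://securedomain.com:*; frame-ancestors 'self'"

    # Enforcing policy, to be switched on once the report-only run shows
    # no violations (and the line above removed).
    # Header always set Content-Security-Policy "default-src 'self' https://securedomain.com:*; frame-ancestors 'self'"
</IfModule>
```

Two points worth knowing before copying this: a host-source such as https://securedomain.com:* does not match subdomains, which need their own entry (https://*.securedomain.com), and default-src 'self' also blocks inline scripts and styles and any assets served from other hosts unless they are listed, which is why the report-only form goes first. Both headers must be sent as HTTP response headers; frame-ancestors in particular is ignored when a policy is delivered through a <meta> tag, so .htaccess (or the server configuration) is the right place for them rather than index.php.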