Not sure if anyone else is from the UK, but we have new EU data protection laws coming into force on the 28th May.
One of my clients is getting spooked as his site is not 'secure'.
He has forms on it that collect personal data, i.e. names, addresses, email etc., and under these new laws that information should be encrypted or secure.
Am I correct in thinking that if the files were moved onto a secure connection (https:) all the data is protected?
If so, I can't work out what I'm meant to be looking for:
If I move a file onto a secure connection I still get an orange triangle plus the grey padlock instead of the green padlock:
'A grey lock with an orange triangle indicates that Firefox is not blocking insecure passive content. Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they shouldn't be able to steal your personal data from the site.'
I can't see anything in the page's code that would be insecure; all links to external sites use the https: secure protocol apart from one which is http, and even if I remove that link I still get the orange triangle plus the grey padlock.
Any clues, welcome.
Os
I have started to move my customers' sites behind a Secure Socket Layer (SSL or TLS). My host has recently installed https://letsencrypt.org/ on my server so that I do not have to pay for the certificates.
If you want to know more, Google the subject.
BenPleysier wrote
I have started to move my customers' sites behind a Secure Socket Layer (SSL or TLS). My host has recently installed https://letsencrypt.org/ on my server so that I do not have to pay for the certificates.
If you want to know more, Google the subject.
Hmmm... this is annoying and confusing.
I think this client has a certificate, because if I stick https:// before any of the page URLs the pages still appear, but stuff like insecure links to jQuery etc. stops working, which is not an issue because I can update those links.
How does a server know how to find a secure page as default? At the moment all URLs are http://, so if you type a domain name in like abc.co.uk it just finds the index.php page - http://www.abc.co.uk/index.php. Does the hosting provider have to set something up so that when abc.co.uk is typed in it finds the secure URL - https://www.abc.co.uk/index.php?
The question I guess is, once I have changed all the links to https://, do the files replace the existing ones in the public_html folder, or do the files then have to be uploaded to a specific folder on the server? Not sure how the heck this works.
All you need to do is add the following to the .htaccess file.
# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.example.com when your cert only allows https://secure.example.com
# Uncomment the following lines to use this feature.
<IfModule mod_rewrite.c>
RewriteCond %{SERVER_PORT} !^443
RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
</IfModule>
Edit: Sorry, the following code should be added
<IfModule mod_rewrite.c>
# Only act on requests that arrived over plain http
RewriteCond %{HTTPS} !=on
# Send the visitor to the same host and path over https (permanent redirect)
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
Make sure that the rewrite engine is turned on as in
# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
</IfModule>
Type the following into the address bar of the browser and see what happens
BenPleysier wrote
All you need to do is add the following to the .htaccess file.
# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.example.com when your cert only allows https://secure.example.com
# Uncomment the following lines to use this feature.
<IfModule mod_rewrite.c>
RewriteCond %{SERVER_PORT} !^443
RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
</IfModule>
Edit: Sorry, the following code should be added
<IfModule mod_rewrite.c>
# Only act on requests that arrived over plain http
RewriteCond %{HTTPS} !=on
# Send the visitor to the same host and path over https (permanent redirect)
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
Make sure that the rewrite engine is turned on as in
# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
</IfModule>
OK Ben thanks, I'll snap that snippet up and when I get around to doing this, see if it works.
As for redirecting to https, you just use .htaccess to set the redirect. I believe every hosting company has this explained in the support section. And in order to see the "green padlock" you need to make sure every link inside the page, like images or scripts, is called using https.
https://forums.adobe.com/people/Teodor+K wrote
As for redirecting to https, you just use .htaccess to set the redirect. I believe every hosting company has this explained in the support section. And in order to see the "green padlock" you need to make sure every link inside the page, like images or scripts, is called using https.
OK, thanks for that. I've not seen that mentioned, but I may have just Googled with the wrong phrase; that seems simple enough to do.
I think the page I tested did have all the links pointing to https://, but I'll do another check.
What should the padlock result be if an external URL link within the website is not a secure link, something I can't change? Would that be ignored or would that cause the orange/grey padlock combination?
Os
What should the padlock result be if an external URL link within the website is not a secure link, something I can't change? Would that be ignored or would that cause the orange/grey padlock combination?
It will turn grey with that orange triangle until you make sure all of the links in the page are using https.
https://forums.adobe.com/people/Teodor+K wrote
What should the padlock result be if an external URL link within the website is not a secure link, something I can't change? Would that be ignored or would that cause the orange/grey padlock combination?
It will turn grey with that orange triangle until you make sure all of the links in the page are using https.
So really, to make a website 100% secure in the eyes of the visitors you have to rely on links to external websites also being secure. That doesn't make much sense if the security aspect is not in your own hands.
I know the info says that with an orange triangle and grey padlock any personal data provided through the website should be secure, but it's not amazingly clear for incoming visitors what is and what is not secure.
So for instance, in the case of an external link http://joe_bloggs_shoes.com, the website in which that link resides would not be deemed to be secure, but if it was changed to https://joe_bloggs_shoes.com that link would take the user to a nice page warning them that joe_bloggs_shoes.com is not a secure site...
Here's an interesting article on the topic: What Is Mixed Content? | Web Fundamentals | Google Developers
While in most cases this is not a real security risk, browsers will still mark it as such - no idea why.
I don't think direct links to other pages are considered as risks or are even checked; the idea here is that the includes (images, scripts, CSS files, fonts) you are using on your site must be loaded using https.
https://forums.adobe.com/people/Teodor+K wrote
Here's an interesting article on the topic: What Is Mixed Content? | Web Fundamentals | Google Developers
While in most cases this is not a real security risk, browsers will still mark it as such - no idea why.
I don't think direct links to other pages are considered as risks or are even checked; the idea here is that the includes (images, scripts, CSS files, fonts) you are using on your site must be loaded using https.
Fair enough, I'll just leave the external links to websites I cannot change as http://.
Were you moderated?
https://forums.adobe.com/people/Teodor+K wrote
No - no moderation? Do I deserve to be moderated?
No, but why shouldn't everyone join in the fun of being moderated.
Encrypting data sent from the forms to the database is just a small part of GDPR. Also, you need to make sure that not only are you using SSL for your site (to ensure personal data is encrypted during transit), but also that you encrypt the personal data in the database table, so if the database was breached the data would still be exposed.
https://forums.adobe.com/people/Teodor+K wrote
Encrypting data sent from the forms to the database is just a small part of GDPR. Also, you need to make sure that not only are you using SSL for your site (to ensure personal data is encrypted during transit), but also that you encrypt the personal data in the database table, so if the database was breached the data would still be exposed.
Thankfully no personal data is stored in a database.
osgood_ wrote
Thankfully no personal data is stored in a database.
It's not just personal info stored in a database, but all personal data that the person/company/organisation stores by any means (even the old card index) that must be securely protected.
This is one of the reasons that the JS API does not allow access to a user's personal contacts from a browser, and why a number of old iOS/Android apps have been removed (they sent the data back to a server).
pziecina wrote
osgood_ wrote
Thankfully no personal data is stored in a database.
It's not just personal info stored in a database, but all personal data that the person/company/organisation stores by any means (even the old card index) that must be securely protected.
This is one of the reasons that the JS API does not allow access to a user's personal contacts from a browser, and why a number of old iOS/Android apps have been removed (they sent the data back to a server).
I really doubt that many will change to a secure server set-up. There must be zillions of websites collecting email addresses and names through unprotected forms.
There was/is a clause in the legislation that excludes personal web sites providing they are not asking for excessive info, and the info is kept for a very limited time. If I remember correctly, that was defined as something like just enough info to reply to someone (name, email) and that the info was then deleted.
We can discuss all day whether a business can afford to comply with the legislation, but not complying is no different to driving a car without insurance.
What I have never been able to work out about data protection laws is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in (obviously not retrospectively, as that would cause chaos). That way it would be easy for the user to check which country the site is registered in, and what laws should apply.
e.g. if you live in the UK then the domain name would end in .uk
Currently one can register any domain name from almost any country.
pziecina wrote
What I have never been able to work out about data protection laws is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in (obviously not retrospectively, as that would cause chaos). That way it would be easy for the user to check which country the site is registered in, and what laws should apply.
e.g. if you live in the UK then the domain name would end in .uk
Currently one can register any domain name from almost any country.
It's all foreign to me at the moment.
I have tried to get into the habit of using protocol-agnostic links for everything.
<script src="//domain.com/scripts/jquery.js"></script>
Like so. I do it because my personal dev environment doesn't have SSL/TLS but production does, so I don't have to change the code before pushing to production, and I don't have to write hackish conditionals. But it has the benefit of using whichever protocol the browser is accessing the page with, so all links are either secure or not secure at the same time.
HTH,
^ _ ^
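An added checker, not code from the thread, for the distinction drawn in the last two replies: includes that are fetched as part of the page must be https, plain navigation links are not mixed content, and protocol-relative "//host/path" references take the page's own scheme. The sample HTML is constructed for the example.

```python
# Added example, not code from the thread: sorts the plain-http references of an https page
# into active (script, stylesheet, iframe: blocked by browsers), passive (img, audio, video:
# loaded, but the padlock turns grey with the orange triangle) and navigation (<a>, <form>).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {"script": "src", "iframe": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
NAVIGATION = {"a": "href", "form": "action"}

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (kind, raw url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":  # only stylesheets count; icons and preloads are ignored here
            if "stylesheet" in (a.get("rel") or "").lower().split() and a.get("href"):
                self.refs.append(("active", a["href"]))
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE), ("navigation", NAVIGATION)):
            if tag in table and a.get(table[tag]):
                self.refs.append((kind, a[table[tag]]))

def find_http_refs(html, page_url):
    """Resolve each reference against page_url; keep those still fetched over plain http."""
    parser = _RefCollector()
    parser.feed(html)
    found = {"active": [], "passive": [], "navigation": []}
    for kind, url in parser.refs:
        absolute = urljoin(page_url, url)  # protocol-relative "//cdn/x.js" inherits https
        if urlsplit(absolute).scheme == "http":
            found[kind].append(absolute)
    return found

def padlock(found):
    """What the browser padlock shows for an https page with these references."""
    if found["active"]:
        return "active mixed content blocked"
    if found["passive"]:
        return "grey padlock with orange triangle"
    return "green padlock"

# Constructed sample page (not a real site) with one reference of each kind.
SAMPLE_HTML = """<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/jquery.js"></script>
<img src="http://www.example.com/logo.png">
<a href="http://joe_bloggs_shoes.com/">Joe's shoes</a>
<form action="/contact.php" method="post"></form>"""
```

Run `find_http_refs(SAMPLE_HTML, "https://www.example.com/index.php")`: the stylesheet is active, the logo is passive, the shoe-shop link is navigation only, and the protocol-relative jQuery include and the relative form action resolve to https and are not reported.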
Whoa... I got a green padlock!
It can be a bit of a PITA though, as a lot of the http links were in include files, so I'm having to hunt around a lot to track them down. I guess I could do a site-wide find and replace, but I dunno if it would find a link in commented-out bits of PHP code, which need to be updated.
I think the best workflow is to duplicate the folder just in case I need to fall back, change all the links in the duplicated folder, then upload the affected files, which might be quite a few, then insert the https redirect in the .htaccess file and keep my fingers crossed.
pziecina wrote
What I have never been able to work out about data protection laws is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in (obviously not retrospectively, as that would cause chaos). That way it would be easy for the user to check which country the site is registered in, and what laws should apply.
e.g. if you live in the UK then the domain name would end in .uk
Currently one can register any domain name from almost any country.
I totally agree that there should be better safeguards regarding domain names.
Any domain name using '.com.au' must be held by a registered company with a valid Australian Business Number (ABN). The site must also publish its Privacy Policy and, if it sells products, it must include three modes of contact, i.e. phone, postal address and email.