New Data Protection Laws UK

LEGEND, Feb 20, 2018

Not sure if anyone else is from the UK but we have new EU data protection laws coming into force on the 28th May.

One of my clients is getting spooked as his site is not 'secure'.

He has forms on it that collect personal data ie names, addresses, email etc and under these new laws that information should be encrypted or secure.

Am I correct in thinking if the files were moved onto a secure connection - https: that all the data is protected?

If so I can't work out what I'm meant to be looking for:

If I move a file onto a secure connection I still get an orange triangle plus the grey padlock instead of the green padlock:

'A grey lock with an orange triangle indicates that Firefox is not blocking insecure passive content. Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they shouldn’t be able to steal your personal data from the site.'

I can't see anything in the page's code that would be unsecure; all links to external sites use the https: secure protocol apart from one which is http - even if I remove that link I still get the orange triangle plus the grey padlock.

Any clues, welcome.

Os

Community Expert, Feb 20, 2018

I have started to move my customers' sites behind a Secure Socket Layer (SSL or TLS). My Host has recently installed https://letsencrypt.org/ on my server so that I do not have to pay for the certificates.

If you want to know more Google the subject

Wappler, the only real Dreamweaver alternative.

LEGEND, Feb 20, 2018

BenPleysier  wrote

I have started to move my customers' sites behind a Secure Socket Layer (SSL or TLS). My Host has recently installed https://letsencrypt.org/ on my server so that I do not have to pay for the certificates.

If you want to know more Google the subject

Hummm.......this is annoying and confusing

I think this client has a certificate because if I stick https:// before any of the page urls the pages still appear but stuff like insecure links to jquery etc stop working, which is not an issue because I can update those links.

How does a server know how to find a secure page as default? At the moment all urls are http:// so if you type a domain name in like abc.co.uk it just finds the index.php page - http://www.abc.co.uk/index.php . Does the hosting provider have to set something up so when abc.co.uk is typed in it finds the secure url - https://ww.abc.co.uk/index.php ?

The question I guess is once I have changed all the links to https:// do the files replace the existing ones in the public_html folder or do the files have to then be uploaded to a specific folder on the server? Not sure how the heck this works.

Community Expert, Feb 20, 2018

All you need to do is add the following to the .htaccess file.

# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.example.com when your cert only allows https://secure.example.com
# Uncomment the following lines to use this feature.
<IfModule mod_rewrite.c>
  RewriteCond %{SERVER_PORT} !^443
  RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
</IfModule>

Edit: Sorry the following code should be added

<IfModule mod_rewrite.c>
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule>

Make sure that the rewrite engine is turned on as in

# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
<IfModule mod_rewrite.c>
  Options +FollowSymlinks
  RewriteEngine On
</IfModule>

Wappler, the only real Dreamweaver alternative.

Community Expert, Feb 20, 2018

Type the following into the address bar of the browser and see what happens

http://bunchoblokes.org/

Wappler, the only real Dreamweaver alternative.

LEGEND, Feb 20, 2018

BenPleysier  wrote

All you need to do is add the following to the .htaccess file.

# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.example.com when your cert only allows https://secure.example.com
# Uncomment the following lines to use this feature.
<IfModule mod_rewrite.c>
  RewriteCond %{SERVER_PORT} !^443
  RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
</IfModule>

Edit: Sorry the following code should be added

<IfModule mod_rewrite.c>
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule>

Make sure that the rewrite engine is turned on as in

# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
<IfModule mod_rewrite.c>
  Options +FollowSymlinks
  RewriteEngine On
</IfModule>

OK Ben thanks, I'll snap that snippet up and when I get around to doing this, see if it works.

Enthusiast, Feb 20, 2018

As for redirecting to https you just use .htaccess to set the redirect. I believe every hosting company has this explained in the support section. And in order to see the "green padlock" you need to make sure every link inside the page like images or scripts is called using https.

LEGEND, Feb 20, 2018

https://forums.adobe.com/people/Teodor+K  wrote

As for redirecting to https you just use .htaccess to set the redirect. I believe every hosting company has this explained in the support section. And in order to see the "green padlock" you need to make sure every link inside the page like images or scripts is called using https.

Ok, thanks for that. I've not seen that mentioned but I may have just Googled with the wrong phrase, that seems simple enough to do.

I think the page I tested did have all the links pointing to https:// but I'll do another check.

What should the padlock result be if an external url link within the website is not a secure link, something I can't change? Would that be ignored or would that cause the orange/grey padlock combination?

Os

Enthusiast, Feb 20, 2018

What should the padlock result be if an external url link within the website is not a secure link, something I can't change? Would that be ignored or would that cause the orange/grey padlock combination?

It will turn grey with that orange triangle until you make sure all of the links in the page are using https.

LEGEND, Feb 20, 2018

https://forums.adobe.com/people/Teodor+K  wrote

What should the padlock result be if an external url link within the website is not a secure link, something I can't change? Would that be ignored or would that cause the orange/grey padlock combination?

It will turn grey with that orange triangle until you make sure all of the links in the page are using https.

So really to make a website 100% secure in the eyes of the visitors you have to rely on links to external websites to also be secure. That doesn't make much sense if the security aspect is not in your own hands.

I know the info says with an orange triangle and grey padlock any personal data provided through the website should be secure but it's not amazingly clear for incoming visitors what is and what is not secure.

So for instance in the case of an external link http:/joe_bloggs_shoes.com the website in which that link resided would not be deemed to be secure but if it was changed to https://joe_bloggs_shoes.com that link would take the user to a nice page warning them that joe_bloggs_shoes.com is not a secure site..........

Enthusiast, Feb 20, 2018

That's an interesting article on the topic: What Is Mixed Content?  |  Web Fundamentals  |  Google Developers

While in most of the cases this is not a real security risk, browsers will still mark it as such - no idea why

I don't think direct links to other pages are considered as risks or are even checked, the idea here is the includes (images, scripts, css files, fonts) you are using on your site must be using https.

LEGEND, Feb 20, 2018

https://forums.adobe.com/people/Teodor+K  wrote

That's an interesting article on the topic: What Is Mixed Content?  |  Web Fundamentals  |  Google Developers

While in most of the cases this is not a real security risk, browsers will still mark it as such - no idea why

I don't think direct links to other pages are considered as risks or are even checked, the idea here is the includes (images, scripts, css files, fonts) you are using on your site must be using https.

Fair enough I'll just leave the external links to websites I cannot change as http:// 

Community Expert, Feb 20, 2018

Were you moderated?

Wappler, the only real Dreamweaver alternative.

Enthusiast, Feb 20, 2018

No - no moderation? Do I deserve to be moderated?

LEGEND, Feb 20, 2018

https://forums.adobe.com/people/Teodor+K  wrote

No - no moderation? Do I deserve to be moderated?

No, but why shouldn't everyone join in the fun of being moderated.

Enthusiast, Feb 20, 2018

Encrypting data sent from the forms to the database is just a small part of GDPR. Also you need to make sure that not only you are using SSL for your site (to ensure personal data is encrypted during the transit) but also you have to encrypt the personal data in the database table so if the database was breached the data would still be exposed.

LEGEND, Feb 20, 2018

https://forums.adobe.com/people/Teodor+K  wrote

Encrypting data sent from the forms to the database is just a small part of GDPR. Also you need to make sure that not only you are using SSL for your site (to ensure personal data is encrypted during the transit) but also you have to encrypt the personal data in the database table so if the database was breached the data would still be exposed.

Thankfully no personal data is stored in a database

LEGEND, Feb 20, 2018

osgood_  wrote

Thankfully no personal data is stored in a database

It's not just personal info stored in a database, but all personal data that the person/company/organisation stores by any means, (even the old card index) that must be securely protected.

This is one of the reasons that the js api does not allow access to a user's personal contacts from a browser, and why a number of old iOS/Android apps have been removed, (they sent the data back to a server).

LEGEND, Feb 20, 2018

pziecina  wrote

osgood_   wrote

Thankfully no personal data is stored in a database

It's not just personal info stored in a database, but all personal data that the person/company/organisation stores by any means, (even the old card index) that must be securely protected.

This is one of the reasons that the js api does not allow access to a user's personal contacts from a browser, and why a number of old iOS/Android apps have been removed, (they sent the data back to a server).

I really doubt that many will change to a secure server set up. Must be zillions of websites collecting email addresses and names through unprotected forms.

LEGEND, Feb 20, 2018

There was/is a clause in the legislation that excludes personal web sites providing they are not asking for excessive info, and the info is kept for a very limited time. If I remember correctly that was defined as something like just enough info to reply to someone, (name, email) and that the info was then deleted.

We can discuss all day about if a business can afford to comply with the legislation, but not complying is no different to driving a car without insurance.

LEGEND, Feb 20, 2018

What I have never been able to work out about data protection laws, is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in, (obviously not retrospective, as that would cause chaos). That way it would be easy for the user to check which country the site is registered to, and what laws should apply.

eg - if you live in the U/K then the domain name would end in .uk

Currently one can register any domain name from almost any country.

LEGEND, Feb 20, 2018

pziecina  wrote

What I have never been able to work out about data protection laws, is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in, (obviously not retrospective, as that would cause chaos). That way it would be easy for the user to check which country the site is registered to, and what laws should apply.

eg - if you live in the U/K then the domain name would end in .uk

Currently one can register any domain name from almost any country.

It's all foreign to me at the moment.

LEGEND, Feb 20, 2018

I have tried to get into the habit of using protocol agnostic links for everything.

<script src="//domain.com/scripts/jquery.js"></script>

Like so.  I do it because my personal dev environment doesn't have SSL/TLS, but production does, so I don't have to change the code before pushing to production, and I don't have to write hack-ish code conditionals.  But it has the benefit of using whichever protocol the browser is accessing, so all links are either secure or not-secure, simultaneously.

HTH,

^ _ ^

LEGEND, Feb 20, 2018

whooooahhh..............I got a green padlock!

It can be a bit of a PITA though as a lot of the http links were in include files so I'm having to hunt around a lot to track them down. I guess I could do a sitewide find and replace but I dunno if it would find a link in commented out bits of php code, which needs to be updated.

Think the best workflow is to duplicate the folder just in case I need to fall back and change all the links in the duplicated folder then upload the affected files, which might be quite a few, then insert the https redirect in the htaccess file and keep fingers crossed.
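
An added example, not part of the original thread: a Python scanner for the hunt described in this post, using the distinction made in the earlier replies (includes such as scripts, stylesheets and images count towards the padlock; ordinary links to other sites do not). It assumes it is run on the HTML a page actually outputs; the sample page, the hostnames and the "active"/"passive"/"form" labels are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch something into the page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects http:// references that matter on a page served over https."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        line = self.getpos()[0]
        for name, value in attr_map.items():
            url = value.strip()
            # Only plain http:// is a problem; https:// and protocol-relative
            # //host/path URLs follow the scheme of the page itself.
            if not url.lower().startswith("http://"):
                continue
            kind = classify(tag, name, attr_map)
            if kind:
                self.findings.append((line, kind, tag, url))


def classify(tag, name, attr_map):
    if (tag, name) in ACTIVE:
        return "active"    # scripts and frames: the kind browsers block
    if (tag, name) in PASSIVE:
        return "passive"   # images and media: the grey lock with a triangle
    if tag == "link" and name == "href":
        rel = attr_map.get("rel", "").lower().split()
        if "stylesheet" in rel:
            return "active"
        return "passive" if "icon" in rel else None
    if tag == "form" and name == "action":
        return "form"      # submitted fields would travel unencrypted
    return None            # <a href> to another site is navigation only


def scan(html):
    """Return (line, kind, tag, url) for every insecure include in html."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; every hostname is a placeholder.
SAMPLE = """<html><head>
<script src="http://code.example/jquery.js"></script>
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
</head><body>
<!-- <img src="http://old.example/banner.png"> -->
<img src="http://img.example/logo.png">
<a href="http://joe-bloggs-shoes.example/">Shoes</a>
<form action="http://www.example/contact.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Markup inside HTML comments is not reported, because the browser never fetches it, and the `<a href>` to an http:// site is ignored for the same reason the replies give.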

Community Expert, Feb 20, 2018

pziecina  wrote

What I have never been able to work out about data protection laws, is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in, (obviously not retrospective, as that would cause chaos). That way it would be easy for the user to check which country the site is registered to, and what laws should apply.

eg - if you live in the U/K then the domain name would end in .uk

Currently one can register any domain name from almost any country.

I totally agree that there should be better safeguards regarding domain names.

Any domain name using '.com.au' must be a registered company complete with a valid Australian Business Number (ABN). The site must also publish their Privacy Policy and if they sell products, they must include three modes of contact, i.e. phone, postal address and email.

Wappler, the only real Dreamweaver alternative.
