How to Secure Website

Forums: Questions and Answers About Building Your Site
Created on: 04/15/19 06:24 PM Views: 838 Replies: 25
Monday, April 15, 2019 at 6:24 PM

Is there an easy way to secure our website so it shows up as https vs. http? What are the steps needed to do this? Since we are accepting credit card payments, I was asked to do this for our website.

George Ybarra
www.ephs69.com

Monday, April 15, 2019 at 9:21 PM - Response #1

We are working on a solution, but currently, all pages that accept credit card payments are already secure. If you go to your Ticket page or your Donation page or your Products page, any time the classmate is asked for a credit card, the website changes to https:

The way domain names work with our ClassCreator system, it is not possible for each website that owns a domain name to have a certificate to verify that you are a secure website, so those places where https:// is required, it goes to the ClassCreator domain name which is secure.


Thursday, April 18, 2019 at 3:44 PM - Response #2

When we log in to our site, it shows Not Secure as does this forum. That may discourage classmates from signing in. Is there a way to secure it?

Saturday, April 20, 2019 at 1:24 PM - Response #3

Bev,
Unfortunately, some members will be concerned by the new browser warnings. But, as Kyle said, any pages which involve financial transactions or need to be encrypted are secure. The login page and even the Edit Contact Information page are secure.

Other pages, like profile views and pages which you have restricted which can only be seen by logged in classmates and guests would normally not contain any sensitive information. And other pages which you've left unrestricted would normally not need to be encrypted.

The browser notice that viewing a page over a network connection which is not encrypted is worth noting, but would not be a risk in most cases. The exception is the unlikely event when a member is accessing your site from a wi-fi connection in a hotel or restaurant where someone with specialized equipment could monitor network traffic. Even then, our sites are secure and encrypt network traffic for access which needs to be encrypted.

Sunday, April 21, 2019 at 10:10 AM - Response #4

Thanks for the response. I played with it and it seems that Class Creator web address shows and no "not secure" notice appears on certain pages. Those seem to be pages where you are putting your password in or editing your contact information. However, when looking at a classmate's profile, depending on what that person has entered, there is a little more information showing, generally birthdates, spouse information, children's names and birth years. Those are restricted to only classmates, but it shows on my browser as not secure. If that is correct, then I'm inclined to remove that from profiles or at least suggest that people not enter any information they consider to be sensitive.

Edited 04/21/19 10:17 AM
Sunday, April 21, 2019 at 12:32 PM - Response #5

We've kicked this around too, and came to the conclusion that while there is some limited personal info in profile views, it's limited to logged in members only - just as it has been since day one. And on our site, we added an option which removes the choice to allow your profile to be seen by search engines and outsiders - which we saw as a valid security concern.

Sharing profile info between classmates has never been considered 'risky', although we do have a few who didn't enter some fields (like birthday, even though we all know how old our classmates are). Details do have more personal information, but most of that is only viewable by admins.

In any case, viewable profile info is no more risky now than it always was. Again, when someone is viewing our site (or their bank) when using a coffee shop's wi-fi, there is a remote chance that network traffic could be monitored. I see that risk for our sites as minimal - and avoidable.

Tuesday, April 23, 2019 at 4:59 PM - Response #6

If you'll notice, go to your Member Functions > Edit Contact Info page, and you will see that the URL is actually under the https://www.classcreator.com domain name.... as would be any other security sensitive pages such as login screens and Event Planner cart pages.


Saturday, April 27, 2019 at 11:31 PM - Response #7

Hi - Scott - I see that the Not Secure does go away when one edits their contact info as you said, but that isn't going to make our users any more comfortable. As other admins have said - we have users who are hesitant to use the site now and I have had several complaints about this "Not Secure" which they see as a warning. Is there anything we can do to make it go away? Facebook doesn't have that warning - why do we?

Sunday, April 28, 2019 at 2:33 AM - Response #8

This is the response I sent to a classmate that sent an email to complain about the not secure warning. I was thinking about posting this on the website and sending as an email to the class, if I have the information correct. It could be worded better, too.
"The “not secure” message does not indicate the site is unsafe.
The NEHI1970.com website is private and requires a password to be accessed. There is extra security for pages where information is entered.
When editing contact information, the web page will change from “http” to “https” indicating it is a secure (encrypted for extra safety) page to enter credit card or other personal information. There have not been any changes to our website as far as security is concerned. Some of the browsers are now displaying “not secure” warnings in front of the http or www, to indicate the page is not encrypted and might not be safe enough to enter credit card or bank account information on that particular page of the website. All pages that require sensitive information, such as Donation page, Products page, Ticket page, Contact Information page, etc., are set up to go to the ClassCreator (our Web Hosting company) domain name, which has the certificate to verify that we have a secure website, with encrypting on those pages.
Encryption is the process of scrambling or enciphering data so only someone with the means to return it to its original state can read it. Encryption keeps criminals and spies from stealing information. NEHI70.com requires the combination of your email address and password to login, and the necessary web pages are encrypted, therefore our website is safe and secure for use."

Sunday, April 28, 2019 at 2:37 AM - Response #9

Google has updated their browser (and subsequently, major browsers have followed), to alert users whenever they are on any page of any site that is not secured by a security certificate. Your site is currently secured on all pages that were previously necessary such as cart check out pages of the Event Planner as well as your Login pages. Rest assured that your site is safe and secure. However, we are still looking into a solution for admins to acquire a security certificate for their sites so that all pages reflect a secure status. We are working with our team to solve the logistics of this task. We will inform all of our administrators as soon as we have a solution that will work for our unique site scenario.


Sunday, April 28, 2019 at 8:06 AM - Response #10

Belinda - Thank you!!

Edited 04/28/19 8:07 AM
Tuesday, April 30, 2019 at 12:27 PM - Response #11

Scott,

Please get this corrected as soon as possible. This is causing a major problem in our reunion efforts.

Tuesday, April 30, 2019 at 3:48 PM - Response #12

Hi - I read that the now grey "Not Secure" warning is turning red! I am afraid I will lose classmates.

Wednesday, May 1, 2019 at 2:01 PM - Response #13

This is a priority for our team and we continue to work toward a solution.


Monday, May 20, 2019 at 4:41 PM - Response #14

This jumped out at me today. I too, am concerned about losing or some newbies not joining due to this warning.
Good luck at getting it resolved asap!! Is it possible to send the admins a notice when all clear?

Monday, May 20, 2019 at 4:54 PM - Response #15

We will let everyone know once this is resolved.


Thursday, May 28, 2020 at 2:40 PM - Response #16

Can you please update the status of this problem? It has been a year since you posted "This is a priority for our team and we continue to work toward a solution". I, too, have classmates that are very concerned when they see the Not Secure warning.

Edited 05/28/20 3:34 PM
Thursday, May 28, 2020 at 5:34 PM - Response #17

Peggy,

Did you receive the email from Class Creator on May 20, 2020 which said this about the security issue?

"We're making improvements! There's several important things you must know.

"Class Creator is becoming faster, more user friendly, and more secure!

"In order to facilitate our upcoming improvements, Class Creator is moving to a brand new, super fast, highly secure cloud-based network. Here's some of the things we're improving:

"Secure Certificates: Most Class Creator admins own a domain name. Shortly you will be able to purchase a secure certificate for your domain name. This will eliminate the "not secure" tags that most browsers are now displaying on pages that historically did not require a secure certificate. Sounds a bit complex but no worries...if you own a domain name you will receive a separate email about secure certificates."

Edited 05/28/20 5:34 PM
Thursday, May 28, 2020 at 5:42 PM - Response #18

Talking about super-fast - anyone notice how the "OLD" system is now super fast after the restore? Looks like it fixed something that was wrong.

And how much is this going to cost? I thought they were going to offer a FREE option that would use the CC certificate? That's what was stated before. It is very easy to do, just that it won't show your "domain" name after logging in. Some care, some don't.

This is AFTER one logs into the site, it reverts to secure using the actual long CC URL. You can actually make FREE sites secure using a little app I made, doing exactly that.

Thursday, May 28, 2020 at 10:04 PM - Response #19

Hi Jack,

Yes as previously stated non-domain owners will automatically be secured after the change and domain owners will have an option of using our secure ID for free - their domain will simply forward to the longer classcreator assigned address they received when they started their site. It is the same address they would see on their Sign-in page if they are not logged in and click sign-in if they want to see an example.

We will have additional options for domain owners who do not wish to use our domain to secure their site as well. All details will be sent to domain owners sometime after we complete the system upgrade.

Jessica
Class Creator Support


Thursday, May 28, 2020 at 10:34 PM - Response #20

That sounds great and what you said before.

To clarify, the email Brad sent says nothing like that Jessica. It just talks about purchasing a certificate. Maybe CC should post and email a more complete description that says what you just said.

Thursday, June 4, 2020 at 1:44 AM - Response #21

Scott,

Were you all able to determine if the Free Security Certificates from Let's Encrypt will be compatible with the new platform?

They say:
Let’s Encrypt aims to be compatible with as much software as possible without compromising security. The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform includes ISRG’s “ISRG Root X1” certificate or IdenTrust’s “DST Root CA X3” certificate in its trust store. Source

Do our sites and platform fit this requirement?

Their FAQ says:
What does it cost to use Let’s Encrypt? Is it really free?

We do not charge a fee for our certificates. Let’s Encrypt is a nonprofit, our mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Our services are free and easy to use so that every website can deploy HTTPS.

I've been using Let's Encrypt for my security certificate on one of my other sites for several years with no problems whatsoever.

On February 27, 2020 they just issued their BILLIONTH certificate; they are quite well established.

Does this appear to be compatible with our platform?

Thursday, June 4, 2020 at 1:57 AM - Response #22

Hi Gary,

It does not work well with our environment -- at least not on the prior environment. We will be testing several things on the new configuration before we send out our notice to admins on this topic. If it works better in our new environment we will consider it. Our system is unique because we allow you to add a domain name, however, you do not have to have a domain name and if you choose to let your domain name expire the site needs to be able to roll back to loading intact at the original assigned classcreator.com address so it is not as cut and dry as most configurations. Their certificates expire every 90 days and are constantly having to be reissued - we have many thousands of domains that would be constantly needing updating and scheduled. Since domains can not be registered for less than a year I will never understand why they choose a 90 day window for reissuing certificates. This is a consideration, however, it is not our only tested solution so we will give it another go on this configuration before we make final decisions and then if it is not a go we have another tested solution that we will be offering instead.

Stay tuned - we will be emailing all admins when this is ready soon. We just have a few things to work out from the migration and then that is the very next item - and again when I say next we just need to run some more tests on the multiple solutions in this environment and then pick the final one and roll with it. We already have the test work ready to test.

Jessica
Class Creator Support


Thursday, June 4, 2020 at 11:17 AM - Response #23

I purchased the ID protect option. Is that going to make the site more secure? I purchased right before the migration and am not sure what changed. I also think I got spam emailed as soon as I set up the site and would like to have someone help me determine if I did. Who can help me with that?

Monday, June 8, 2020 at 9:37 PM - Response #24

Thanks Jessica,

I'm sure that you all are aware that they have an ACME Client program to handle updating the certificates automatically.

Whether or not it will work on this platform, I can't say, but IF the systems are compatible, their ACME client will automatically update the certificates.

If anyone else is interested, you can find more information here.

Getting Started

Web Hosting Providers List who support Let's Encrypt - you all can check to see if your host is on the list.

ACME Client Implementations including Certbot and others

Thanks for the update. It's hard to beat free, if it's compatible.

Edited 06/09/20 2:28 AM
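
The renewal bookkeeping raised in Responses #22 and #24 (90-day certificates across many domains, renewed automatically), as an added example that is not part of any post and is not Class Creator's or Let's Encrypt's code. The domain names and dates are constructed, and the 30-day renewal window is an assumption, not a figure from the thread.

```python
import ssl
from datetime import datetime, timezone

CERT_LIFETIME_DAYS = 90  # certificate lifetime cited in the thread
RENEW_BEFORE_DAYS = 30   # assumption: renew once 30 days or fewer remain

# Constructed inventory: hypothetical domains mapped to notAfter strings in
# the text format Python's ssl.getpeercert() reports for a certificate.
INVENTORY = {
    "class-a.example": "Aug 30 12:00:00 2020 GMT",
    "class-b.example": "Jun 20 12:00:00 2020 GMT",
    "class-c.example": "Jun  1 12:00:00 2020 GMT",
}


def days_left(not_after, now):
    """Days (possibly negative) between `now` and the certificate expiry."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    )
    return (expires - now).total_seconds() / 86400


def classify(not_after, now):
    """Return 'expired', 'renew' or 'ok' for one certificate."""
    remaining = days_left(not_after, now)
    if remaining <= 0:
        return "expired"  # visitors already see a certificate error
    if remaining <= RENEW_BEFORE_DAYS:
        return "renew"    # inside the renewal window: reissue now
    return "ok"


def renewal_plan(inventory, now):
    """Classify every domain in the inventory."""
    return {domain: classify(na, now) for domain, na in inventory.items()}


def steady_state_renewals_per_day(domain_count):
    """Average daily reissues once renewals are spread evenly: each
    certificate is replaced every (lifetime - window) days."""
    return domain_count / (CERT_LIFETIME_DAYS - RENEW_BEFORE_DAYS)


if __name__ == "__main__":
    now = datetime(2020, 6, 8, tzinfo=timezone.utc)  # constructed "today"
    for domain, state in renewal_plan(INVENTORY, now).items():
        print(f"{domain:18} {state}")
    print(steady_state_renewals_per_day(6000), "renewals/day for 6000 domains")
```
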
Monday, June 8, 2020 at 10:09 PM - Response #25

Hi Gary,

It is one that we considered and we are aware of the tools. Unfortunately, they weren't ideal for our configuration. We will be testing it further shortly. We haven't made a final decision. We have several tested options and will go with the one that is best suited for our unique configuration.

Jessica

