
How to Secure Website

Forums: Questions and Answers About Building Your Site
Created on: 04/15/19 06:24 PM Views: 1388 Replies: 36
Monday, April 15, 2019 at 6:24 PM

Is there an easy way to secure our website so it shows up as https vs. http? What are the steps needed to do this? Since we are accepting credit card payments, I was asked to do this for our website.

George Ybarra
www.ephs69.com

Reply
Monday, April 15, 2019 at 9:21 PM - Response #1

We are working on a solution, but currently, all pages that accept credit card payments are already secure. If you go to your Ticket page or your Donation page or your Products page, any time the classmate is asked for a credit card, the website changes to https:

The way domain names work with our ClassCreator system, it is not possible for each website that owns a domain name to have a certificate to verify that you are a secure website, so those places where https:// is required, it goes to the ClassCreator domain name which is secure.


Reply
Thursday, April 18, 2019 at 3:44 PM - Response #2
non secure site.JPG

When we log in to our site, it shows Not Secure as does this forum. That may discourage classmates from signing in. Is there a way to secure it?

Reply
Saturday, April 20, 2019 at 1:24 PM - Response #3

Bev,
Unfortunately, some members will be concerned by the new browser warnings. But, as Kyle said, any pages which involve financial transactions or need to be encrypted are secure. The login page and even the Edit Contact Information page are secure.

Other pages, like profile views and pages which you have restricted which can only be seen by logged in classmates and guests would normally not contain any sensitive information. And other pages which you've left unrestricted would normally not need to be encrypted.

The browser notice that viewing a page over a network connection which is not encrypted is worth noting, but would not be a risk in most cases. The exception is the unlikely event when a member is accessing your site from a wi-fi connection in a hotel or restaurant where someone with specialized equipment could monitor network traffic. Even then, our sites are secure and encrypt network traffic for access which needs to be encrypted.

Reply
Sunday, April 21, 2019 at 10:10 AM - Response #4

Thanks for the response. I played with it and it seems that Class Creator web address shows and no "not secure" notice appears on certain pages. Those seem to be pages where you are putting your password in or editing your contact information. However, when looking at a classmate's profile, depending on what that person has entered, there is a little more information showing, generally birthdates, spouse information, children's names and birth years. Those are restricted to only classmates, but it shows on my browser as not secure. If that is correct, then I'm inclined to remove that from profiles or at least suggest that people not enter any information they consider to be sensitive.

Reply
Edited 04/21/19 10:17 AM
Sunday, April 21, 2019 at 12:32 PM - Response #5

We've kicked this around too, and came to the conclusion that while there is some limited personal info in profile views, it's limited to logged in members only - just as it has been since day one. And on our site, we added an option which removes the choice to allow your profile to be seen by search engines and outsiders - which we saw as a valid security concern.

Sharing profile info between classmates has never been considered 'risky', although we do have a few who didn't enter some fields (like birthday, even though we all know how old our classmates are). Details do have more personal information, but most of that is only viewable by admins.

In any case, viewable profile info is no more risky now than it always was. Again, when someone is viewing our site (or their bank) when using a coffee shop's wi-fi, there is a remote chance that network traffic could be monitored. I see that risk for our sites as minimal - and avoidable.

Reply
Tuesday, April 23, 2019 at 4:59 PM - Response #6

If you'll notice, go to your Member Functions > Edit Contact Info page, and you will see that the URL is actually under the https://www.classcreator.com domain name... as would be any other security sensitive pages such as login screens and Event Planner cart pages.


Reply
Saturday, April 27, 2019 at 11:31 PM - Response #7

Hi - Scott - I see that the Not Secure does go away when one edits their contact info as you said, but that isn't going to make our users any more comfortable. As other admins have said - we have users who are hesitant to use the site now and I have had several complaints about this "Not Secure" which they see as a warning. Is there anything we can do to make it go away? FaceBook doesn't have that warning - why do we?

Reply
Sunday, April 28, 2019 at 2:33 AM - Response #8

This is the response I sent to a classmate that sent an email to complain about the not secure warning. I was thinking about posting this on the website and sending as an email to the class, if I have the information correct. It could be worded better, too.
"The “not secure” message does not indicate the site is unsafe.
The NEHI1970.com website is private and requires a password to be accessed. There is extra security for pages where information is entered.
When editing contact information, the web page will change from “http” to “https” indicating it is a secure (encrypted for extra safety) page to enter credit card or other personal information. There have not been any changes to our website as far as security is concerned. Some of the browsers are now displaying “not secure” warnings in front of the http or www, to indicate the page is not encrypted and might not be safe enough to enter credit card or bank account information on that particular page of the website. All pages that require sensitive information, such as Donation page, Products page, Ticket page, Contact Information page, etc., are set up to go to the ClassCreator (our Web Hosting company) domain name, which has the certificate to verify that we have a secure website, with encrypting on those pages.
Encryption is the process of scrambling or enciphering data so only someone with the means to return it to its original state can read it. Encryption keeps criminals and spies from stealing information. NEHI70.com requires the combination of your email address and password to login, and the necessary web pages are encrypted, therefore our website is safe and secure for use."

Reply
Sunday, April 28, 2019 at 2:37 AM - Response #9

Google has updated their browser (and subsequently, major browsers have followed), to alert users whenever they are on any page of any site that is not secured by a security certificate. Your site is currently secured on all pages that were previously necessary such as cart check out pages of the Event Planner as well as your Login pages. Rest assured that your site is safe and secure. However, we are still looking into a solution for admins to acquire a security certificate for their sites so that all pages reflect a secure status. We are working with our team to solve the logistics of this task. We will inform all of our administrators as soon as we have a solution that will work for our unique site scenario.


Reply
Sunday, April 28, 2019 at 8:06 AM - Response #10

Belinda - Thank you!!

Reply
Edited 04/28/19 8:07 AM
Tuesday, April 30, 2019 at 12:27 PM - Response #11

Scott,

Please get this corrected as soon as possible. This is causing a major problem in our reunion efforts.

Reply
Tuesday, April 30, 2019 at 3:48 PM - Response #12

Hi - I read that the now grey "Not Secure" warning is turning red! I am afraid I will lose classmates.

Reply
Wednesday, May 1, 2019 at 2:01 PM - Response #13

This is a priority for our team and we continue to work toward a solution.


Reply
Monday, May 20, 2019 at 4:41 PM - Response #14

This jumped out at me today. I too, am concerned about losing or some newbies not joining due to this warning.
Good luck at getting it resolved asap!! Is it possible to send the admins a notice when all clear?

Reply
Monday, May 20, 2019 at 4:54 PM - Response #15

We will let everyone know once this is resolved.


Reply
Thursday, May 28, 2020 at 2:40 PM - Response #16

Can you please update the status of this problem? It has been a year since you posted "This is a priority for our team and we continue to work toward a solution". I, too, have classmates that are very concerned when they see the Not Secure warning.

Reply
Edited 05/28/20 3:34 PM
Thursday, May 28, 2020 at 5:34 PM - Response #17

Peggy,

Did you receive the email from Class Creator on May 20, 2020 which said this about the security issue?

"We're making improvements! There's several important things you must know.

"Class Creator is becoming faster, more user friendly, and more secure!

"In order to facilitate our upcoming improvements, Class Creator is moving to a brand new, super fast, highly secure cloud-based network. Here's some of the things we're improving:

"Secure Certificates: Most Class Creator admins own a domain name. Shortly you will be able to purchase a secure certificate for your domain name. This will eliminate the "not secure" tags that most browsers are now displaying on pages that historically did not require a secure certificate. Sounds a bit complex but no worries...if you own a domain name you will receive a separate email about secure certificates."

Reply
Edited 05/28/20 5:34 PM
Thursday, May 28, 2020 at 5:42 PM - Response #18

Talking about super-fast - anyone notice how the "OLD" system is now super fast after the restore? Looks like it fixed something that was wrong.

And how much is this going to cost? I thought they were going to offer a FREE option that would use the CC certificate? That's what was stated before. It is very easy to do, just that it won't show your "domain" name after logging in. Some care, some don't.

This is AFTER one logs into the site, it reverts to secure using the actual long CC URL. You can actually make FREE sites secure using a little app I made, doing exactly that.

Reply
Thursday, May 28, 2020 at 10:04 PM - Response #19

Hi Jack,

Yes as previously stated non-domain owners will automatically be secured after the change and domain owners will have an option of using our secure ID for free - their domain will simply forward to the longer classcreator assigned address they received when they started their site. It is the same address they would see on their Sign-in page if they are not logged in and click sign-in if they want to see an example.

We will have additional options for domain owners who do not wish to use our domain to secure their site as well. All details will be sent to domain owners sometime after we complete the system upgrade.

Jessica
Class Creator Support


Reply
Thursday, May 28, 2020 at 10:34 PM - Response #20

That sounds great and what you said before.

To clarify, the email Brad sent says nothing like that Jessica. It just talks about purchasing a certificate. Maybe CC should post and email a more complete description that says what you just said.

Reply
Thursday, June 4, 2020 at 1:44 AM - Response #21

Scott,

Were you all able to determine if the Free Security Certificates from Let's Encrypt will be compatible with the new platform?

They say:
Let’s Encrypt aims to be compatible with as much software as possible without compromising security. The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform includes ISRG’s “ISRG Root X1” certificate or IdenTrust’s “DST Root CA X3” certificate in its trust store. Source

Do our sites and platform fit this requirement?

Their FAQ says:
What does it cost to use Let’s Encrypt? Is it really free?

We do not charge a fee for our certificates. Let’s Encrypt is a nonprofit, our mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Our services are free and easy to use so that every website can deploy HTTPS.

I've been using Let's Encrypt for my security certificate on one of my other sites for several years with no problems whatsoever.

On February 27, 2020 they issued their BILLIONTH certificate, so they are quite well established.

Does this appear to be compatible with our platform?

Reply
Thursday, June 4, 2020 at 1:57 AM - Response #22

Hi Gary,

It does not work well with our environment -- at least not on the prior environment. We will be testing several things on the new configuration before we send out our notice to admins on this topic. If it works better in our new environment we will consider it. Our system is unique because we allow you to add a domain name, however, you do not have to have a domain name and if you choose to let your domain name expire the site needs to be able to roll back to loading intact at the original assigned classcreator.com address so it is not as cut and dry as most configurations. Their certificates expire every 90 days and are constantly having to be reissued - we have many thousands of domains that would be constantly needing updating and scheduled. Since domains can not be registered for less than a year I will never understand why they choose a 90 day window for reissuing certificates. This is a consideration, however, it is not our only tested solution so we will give it another go on this configuration before we make final decisions and then if it is not a go we have another tested solution that we will be offering instead.

Stay tuned - we will be emailing all admins when this is ready soon. We just have a few things to work out from the migration and then that is the very next item - and again when I say next we just need to run some more tests on the multiple solutions in this environment and then pick the final one and roll with it. We already have the test work ready to test.

Jessica
Class Creator Support


Reply
Thursday, June 4, 2020 at 11:17 AM - Response #23

I purchased the ID protect option. Is that going to make the site more secure? I purchased right before the migration and am not sure what changed. I also think I got spam emailed as soon as I set up the site and would like to have someone help me determine if I did. Who can help me with that?

Reply
Monday, June 8, 2020 at 9:37 PM - Response #24

Thanks Jessica,

I'm sure that you all are aware that they have an ACME Client program to handle updating the certificates automatically.

Whether or not it will work on this platform, I can't say, but IF the systems are compatible, their ACME client will automatically update the certificates.

If anyone else is interested, you can find more information here.

Getting Started

Web Hosting Providers List who support Let's Encrypt - you all can check to see if your host is on the list.

ACME Client Implementations including Certbot and others

Thanks for the update. It's hard to beat free, if it's compatible.

Reply
Edited 06/09/20 2:28 AM
Monday, June 8, 2020 at 10:09 PM - Response #25

Hi Gary,

It is one that we considered and we are aware of the tools. Unfortunately, they weren't ideal for our configuration. We will be testing it further shortly. We haven't made a final decision. We have several tested options and will go with the one that is best suited for our unique configuration.

Jessica


Reply
Monday, February 22, 2021 at 2:51 PM - Response #26

What is the meaning of Response #19 to this thread, from Jessica of Class Creator Support? In her response she says, "... and domain owners will have an option of using our secure ID for free - their domain will simply forward to the longer classcreator assigned address they received when they started their site."

I'm not too interested in having to raise certificate funds every year for yet another renewal cost. (The domain name, the classcreator website, and now a certificate.) How can we implement what Jessica has mentioned here?

Reply
Edited 02/22/21 2:53 PM
Monday, February 22, 2021 at 3:03 PM - Response #27

Hi Tom,

It means once a user types in your domain name they would be immediately redirected to the secure longer classcreator.com name that you currently see on secure pages like the sign-in page. https://www.classcreator.com/Salt-Lake-City-Utah-Highland-1965/member_login.cfm I would need to implement it for you.

Jessica


Reply
Monday, February 22, 2021 at 6:52 PM - Response #28

Jessica, would all emails to the class still have the actual domain name?

Reply
Wednesday, February 24, 2021 at 8:10 PM - Response #29

Hello, Jessica,

Really would like to know if optioning for a 301 redirect to longer name keeps MX records the same. IOW, will class emails still come from Bothellhigh61.com?

Reply
Wednesday, February 24, 2021 at 11:20 PM - Response #30

Hi Jack,

It doesn't affect your MX Records. We aren't actually changing anything about the domain record - we are just changing what loads when you type in the domain. We have been testing this option and I went ahead and added it to Tom's site and then sent myself an email test.

The email still comes up in your site template that it has always gone out in with your logo, school colors etc.
The domain name is still listed at the bottom of the emails as a link back to the site. When you click the link it instantly auto forwards to the secure version of the site.
So from an email standpoint nothing really changes except when you click the link it automatically goes to the secure longer address.

Do you want me to make this change for Bothellhigh61.com? The change is reversible if needed.

Jessica


Reply
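A check an admin could run after a change like the one described in Response #30, as an added example that is not part of the original thread and not Class Creator's code: it audits a recorded redirect chain to confirm that the custom domain answers with a permanent redirect and that the visitor ends on an HTTPS page at the expected host. The host names, site path and function name are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample of (url, status, Location header) hops, e.g. as copied
# from the output of `curl -sIL http://<your-domain>/`. Placeholder hosts.
SAMPLE_CHAIN = [
    ("http://class-example.test/", 301,
     "https://www.host-example.test/Sample-High-1970/"),
    ("https://www.host-example.test/Sample-High-1970/", 200, None),
]


def audit_redirect_chain(chain, secure_host):
    """Return a list of problems found in a redirect chain (empty = OK).

    A redirect is an HTTP response from the web server; no DNS record is
    rewritten, which is why MX (mail) records are not part of this check.
    """
    findings = []
    seen_https = False
    for i, (url, status, location) in enumerate(chain):
        scheme = urlsplit(url).scheme
        if scheme == "https":
            seen_https = True
        elif seen_https:
            # Once the visitor is on HTTPS, no later hop may drop back.
            findings.append(f"hop {i}: downgrade to {scheme} after https")
        if status in REDIRECTS:
            # Location may be relative; resolve it against the current URL.
            target = urljoin(url, location or "")
            if urlsplit(target).scheme != "https":
                findings.append(f"hop {i}: {status} points to non-https {target}")
            if status not in (301, 308):
                findings.append(f"hop {i}: {status} is temporary, expected 301")
    last_url, last_status, _ = chain[-1]
    last = urlsplit(last_url)
    if last_status != 200:
        findings.append(f"final response is {last_status}, not 200")
    if last.scheme != "https" or last.hostname != secure_host:
        findings.append(f"final page {last_url} is not https on {secure_host}")
    return findings


if __name__ == "__main__":
    problems = audit_redirect_chain(SAMPLE_CHAIN, "www.host-example.test")
    print("OK" if not problems else "\n".join(problems))
```

The first request to the custom domain is still plain HTTP in this setup, so the check only confirms where the visitor ends up, not that the initial hop was encrypted.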
Thursday, February 25, 2021 at 1:26 PM - Response #31

Thanks for the info. I'm discussing with other admins and getting all the pieces that might change. The email stuff was the only one I was not sure about.

I'll see if they would like to do that.

Reply
Thursday, February 25, 2021 at 11:13 PM - Response #32

Jessica,

Could you please change it so Bothellhigh61.com redirects to the longer CC URL.

Please let me know if you read this.

You have no idea how hard that was to explain to the other admins.

Reply
Thursday, February 25, 2021 at 11:20 PM - Response #33

Hi Jack,

Try it now.

Jessica


Reply
Friday, February 26, 2021 at 1:10 AM - Response #34

Hi Jack,

Thanks for stopping by, sorry I missed you. I assume you might have been checking to see if I'd implemented the 301 redirect.

No, haven't had time to get into it, but I am still following these posts. Interested in what you all decide on your site, but [Jessica] I'm delighted to see the email still reflects the domain name, although, Jack, I don't remember if you have a class creator domain or if you purchased one separately (which I assume is likely).

I'm assuming the 301 redirect will retain the domain name on the email regardless of who the registrar is?

Thanks all

Reply
Friday, February 26, 2021 at 9:45 AM - Response #35

It has no impact on email. Just the address the site loads.

Jessica


Reply
Friday, February 26, 2021 at 1:24 PM - Response #36

Thank you Jessica. It all works as advertised.

Now to see if I explained it well enough to the other admins.

And to Gary, CC handles the registration. That was done before I got involved, but probably would still recommend for ease of use. Saving $8/yr is not worth it.

Reply
Edited 02/26/21 2:54 PM