37: What Happened with SSL

Darryl: Hi and welcome to The My Bloody Website podcast, where we talk about all things online, especially for small and medium business owners or marketers. I'm Darryl King, and I've been running a web agency for over 25 years. I'm here with my co-host Ed Pelgen. He has been running his online marketing agency for just as long. Our goal is to cover things in a way anyone can understand, and can improve how you'll use online for your business. This is Episode 37 - July 26, 2018 and it's titled "What Happened with SSL?" Hey Ed, how you going?

Edmund: Good mate. Yourself?

Darryl: Yeah, really good, really good. I enjoyed our last few episodes. Now we went on a bit of a tangent, sort of challenging people to, you know, think about stuff. There was some really good traction on a couple of those; I don't know, for whatever reason they've got a lot of little lessons, a lot of sharing and stuff, so that was great. Today we're gonna get back into the nuts and bolts. What's been going on in online kick-start world?

Edmund: Mate, I've been doing a lot of audits lately, looking at campaigns for people, making sure things are working. It's been really quite interesting, lots of insights actually; maybe we'll share them in one of these episodes in the next few weeks.

Darryl: Excellent, excellent. Well, this episode I want to talk about this week is timely. Like, we're at the end of July; on the 1st of July there were some changes, and we hopped on it, and I look back and we first hopped on it in episode 2, which is a little while ago, where we talked about SSL and just [1:33 coughing], and we've talked about it on the way through, when we talk about things that people need to do, when we're talking about, you know, making sure your website's going well. But July 1, 2018 was when the Chrome update came out and started marking sites that didn't have SSL implementation done properly as insecure.

Edmund: Well, actually it's Chrome 68 which is the actual version that's updating, and it's pending update now. I've been trying to check and check, but you're right. The difference between 67 and 68 - sorry for those who are looking for technicalities - 67 shows a little— gosh, I'm getting slow. A little icon. A little circular icon.

Darryl: Yep

Edmund: which indicates that it's not secure. Sixty-eight, oh, sorry, 67. 68 will actually show "not secure", so that's gonna be a [kick up? (2:19)]

Darryl: Yeah, yeah, that's the big one that's, you know, gonna make a big difference. And so I think what we really want to do is make people understand, just in simple terms, what the impact is. And I've seen a lot of people sort of being more cognizant of it; like, we've talked about it for a while, but now people are starting to see it. Now that there was a date put out, like everyone heard July 1, which is why I use that day, and it's of course dependent on whether you update Chrome; you know, if you don't have updating Chrome

Edmund: Absolutely

Darryl: you won't see it straight away, but there are other impacts as well, and there's going to be impacts as far as what's showing up in search results.

Edmund: Hmm, what one thing I want, what I think you should talk about is - why people still keep screwing up the migration. Because I've... almost every campaign that I've looked at in the last two or three months, where they've either done a migration to SSL, or they still... they said they've implemented SSL, and it's not working on a site. They're constantly screwed up, you know. Someone's— like I talked to you the other day. Someone did an SSL implementation, and it's not working. And there are others where they're doing these implementations but the SSL— the little, uh, secure syncs [laughing] — the security symbol on the browser is still showing as insecure. So maybe you can talk about that.

Darryl: Yeah, I think that's what the idea behind this episode really was. Just, hey... how do you know as a business owner, or as a marketing person that's responsible for this? It could be technical, you know, it might not be your area, especially on the web. How do you know that it's done right? And it's not as simple, in some cases, as just going, "Oh, the home page's got that little secure badge - move on." And that's where I think people get tripped up, and it's an ongoing thing too. It's something you actually have to pay attention to. So, the— one of the key things that you see is the mixed content warning. So, for people listening - if you look; let's start with what to look for. So, if you're in your browser, when you go to your website, it should say - there should be a little green padlock, and it should say "secure". Now, depending on the browser, sometimes it's just a padlock and sometimes it says "secure". But we'll use Chrome as an example. It has a green padlock on the left of the URL line. Then it has the word "secure". Then it has a pipe, and then it shows the URL. And they also highlight the HTTPS as green. So you can really see what secure means. That, instead of "HTTP", so just an "S" on the end shows the difference. Now, if it shows green, then it's saying that the SSL implementation is correct on that URL. And it is not - oh well, I went to my home page, that means my whole site's secure. That is incorrect. Now, the next thing down is - if it doesn't show that, and the URL is "HTTPS", but it's insecure, then the HTTPS will be gray. I think that is the correct way it looks. And it has the little "i" symbol, like an information symbol in a circle. And that's the bit which will soon show "not secure". Now, if you click on that, and same as you can click on this "secure" when it's secure, you get a little pop-up, and it will tell you "connection is secure".
If you go to one that isn't secure, it'll tell you this connection is not secure, it's a warning, and you can actually dig in more and find out what it is. But a common problem is mixed content. And what mixed content means is - I have a page that is being processed under HTTPS, but there are resources within the page being called from an HTTP URL. So that means they're being called from insecure, and one of the things with secure pages is - they can't be secure if even just one icon is being called from insecure. So maybe

Edmund: What's the most common cause of that? This mixed content issue, like, yeah

Darryl: OK, so, good. So, like, a common thing you'll see in WordPress themes is that they might have inbuilt calls to font files. So say, your icons, like Font Awesome is one. Now, if the theme hasn't been updated in a while, or you're one of those people that hasn't done the updates, or you're using a bad theme, in the source files they are still referencing that library of files using HTTP. So it's actually a very, very quick fix. That's one thing. And you can get other things like that. You could have a plugin that calls resources externally, so somewhere in the site it's calling. And this is why it's not just about the homepage. You actually have to look at each of the pages, because the plugin might only be invoked on your about page. And so, the about page might be insecure, but you're not going to look at that. Other ones, and a very, very common one, you talk about the term migration. So what we mean by migration is - my site was non-HTTPS, and I made it HTTPS. So, I moved it to HTTPS. And that's probably the most common time that things go wrong. The reason that they go wrong is that there are, typically, references in the site code or the database of the site which are HTTP://. So, for example, let's just use the URL of a generic contact page

Edmund: Hmm

Darryl: on, you know, like, the outside. So, mybloodywebsitepodcast.com/contact. Now, you could have relative pathing where it's just "slash contact" stored in the database. That will work anywhere. But when you have a full URL in there - absolute - it's going all the way through HTTP://, then that has to change. And until you change that, your site will show mixed content.

Edmund: Right, right. So is it something that I can do myself, or the average planner can do? Or, seriously, do we need to contact the web developer?

Darryl: Ah look, it depends on your platform. So if you've got a very small site and it's, you know— I don't know— it might be your logo file is hard-coded into a widget, and you put it there, and you know how to do it. It's as simple as changing the call. But if you— so say you use things like WordPress, and you've had the site for a few years, and you've got some posts and pages. This is where I would probably say get your web dev involved, or your hosting company involved. I run a script - it's called Search and Replace, and if you go to the— you Google "search and replace", you know, on Google. The— and I'm not sure we'll link it directly, like I don't want everyone to go there. If you read the warnings, this is actually a dangerous script for your site. So if you installed it on your site, ran it yourself, you could break

could be used to do nefarious things on your site. So yeah. It's something to be used with extreme caution. But if you know what you're doing, these types of scripts allow you to process across the database and say, "find every instance of HTTP://mybloodywebsitepodcast.com and replace it with HTTPS://", and you do exactly that. You run a dry run of it, then you say, "yep, that found stuff", run a live run, and it literally goes through the databases and changes things. Now, believe you— believe you me, you can really mess things up by putting the wrong slashes in the wrong place, or doing it inadvertently, you know, and you can make a bit of a mess. So, I would suggest you get someone else to look at it. The key thing is - identify the pages that have problems, so when you go back to your developer, you could say, "You know, I found four pages that appear to have mixed content, or have an SSL warning. Could you please resolve these?"

Edmund: Yep, I've just been looking, as we've been talking, I've been looking at a few sites, and I've noticed that, you know, one implementation is the home page is secure, and then I go to some of the internal pages, and there's a tiny little link to an old icon or something like that, which is showing the mixed signal. And it's just one of those small things you want to just address, you know, sooner than later. Not that your— the world will end, but it's worth cleaning them up, right? Because it's...

Darryl: Yeah, and look, it sends errors and— when you look at, you know, like if you look under the hood, you— look, it's common. I mean, people have hard-coded calls to analytics type things or, you know, other JavaScript libraries that were hard-coded into the theme. So if you have a child theme in WordPress, or you have a custom code site, you know, in the header includes there are these hard-coded references, because that's how you do it.

Edmund: Hmm

Darryl: and those need to be corrected, but I guess the key thing about this is being observant and knowing what it means. You don't want your site to come up to say "not secure" to people. Like, you just— that's not good from a trust signal, it sends the wrong message, and it's super important you resolve that. I mean that's, you know, that's a key thing. So, that— the other common problem is that people don't have a global server-side redirect from non-HTTPS to HTTPS. So, what I mean by that is - if I typed in a URL on your site with HTTP, for a lot of sites it renders as HTTP. But if I type HTTPS, that renders as well. So, technically we now have duplicate content; we have two iterations of the other content.

Edmund: yep

Darryl: And, if you set it up correctly, you— and this is something that, if you are a little bit OK with editing stuff on your website, you can do. And that is in the .htaccess file on your site. You can put a couple of lines of code

Edmund: Hmm

Darryl: that say, "hey, any URL that's non-HTTPS, make it redirect to HTTPS". So, if you've got the odd thing— page that, you know, is a bit like, you know, duplicitous like that, it just takes that out of the equation. It handles it for you at— on the server side, so that the user just gets it. Now, in theory you want to resolve any links that go to HTTP, and, you know, so there aren't hops in the whole equation, but the cool thing is to make sure that the site is set up. And I had someone fixing a site with this two days ago.

Edmund: Yep

Darryl: and it was actually commented out in the .htaccess file. They had actually implemented it. It was commented out, and that could be because the development environment didn't have HTTPS. So, the developers commented it out while they were working on it so they didn't keep getting all these browser warnings. And then when they put that file back live it wasn't un-commented. So you really have to keep your eye on it, because it's not like, "Oh, I fixed it in July 2018. It's done. I never have to worry about it again."

Edmund: That's right. And I was just— I should say that the simplest way to do this, if you want to see that there are in fact— you know, if you want to find out what URL or what link is causing the issue— it's like, if you see a page and it's not secure, you can just right-click on it and view the source, the HTML code, and then just do a find function and search for "HTTP:". And then it'll just flag up the URL, and then you'll be able to say to your web developer, "hey, here's the link to an image or a resource that is not HTTPS. Can we fix it up?"

Darryl: And, if you're using, say, Chrome for example, how we talked about it, and you do the right-click around the page and use "inspect", you can actually go into the console, and it will actually show you which files are being called insecurely. And so then you can actually search for the file. So the— you know, like you can act— if you go to those sites, you can actually see quite clearly. So, your developer knows how to do those things. So, it's not hard to find it.

Edmund: Yep

Darryl: I will say, though, that I have found instances of themes where it's a clusterfuck, [Edmund laughing] like, it's just the way that it's thought. Like, you know, like without an update from the theme developer, it's just a mess. And I actually had to recommend to someone, to say, "unless you're prepared to invest in the premium support from this theme and hit them up and see if they've done a fix. You've actually—" you know, it's not an easy fix. It's, you know, this was baked into their framework. It was very cumbersome, and they had these ridiculous calls out that should have been updated already. And, you know, there was no update showing for the theme; you know, sometimes they don't show. So, it was like, you know, it wasn't just a simple fix, and the problem with that too is that, you know, you rolled out some version of the theme that might be five iterations later, because these guys haven't been keeping it up to date, and it might make more fundamental changes to the site. So, it's not always simple if you leave things long. So, I think that goes to: if your plugins are up to date, your WordPress is up to date, or your Drupal is up to date, or you— whatever it is that, if you're using open source software, if they're totally up to date - you're okay. Now, if you're using some hosted things, like Shopify or, you know, BigCommerce or things like that, in most cases you're not going to have to think about this as much if you've implemented HTTPS. They tend to have that covered for you, but don't assume that everyone's got it covered. This is another check that you periodically need to do - pay attention to what you see in the URL line. You'd be surprised what shows up there and, you know, learn from it and just check it, and don't just check your homepage.

Edmund: Hmm, I'd suggest that if anyone is interested and wants to chat to someone, why don't they reach out to Darryl? His contact details are on the "about us" section of the website. You know

Darryl: Yeah, sure. Facebook page, you know, ask a question, put it on there. We'll find ways to do it. I'll put the code that goes into the .htaccess file in the resources section. It's really simple to cut and paste, and I'll put a couple of notes there just to instruct it, but it's the sort of thing, if you get a bit of blowback from your developer, you know - "oh, I'm not really sure how to do that. That's a server thing you guys do." Alright. This here, here's the notes

Edmund: Yeah

Darryl: and potentially even link it. I might link it out to a Stack Overflow article, or something like that, that just shows— you know, has a bit of a Q&A around it so people understand. But that's for that one. But as far as, you know, just checking that it's secure, anyone can do that and

Edmund: Easy

Darryl: pretty straightforward. What about anything else that you've seen with security you had, you know, browsers?

Edmund: I think that's it for the— I would consider this episode a community service announcement, and a reminder to check this out. It’s something simple to check, and it's relatively easy to fix. So get to it.

Darryl: Yep, Excellent.

Edmund: What do you reckon, Darryl? Is that it for today?

Darryl: I reckon.

Edmund: Excellent, alright. Thanks for listening to this episode of The My Bloody Website Podcast. For everything about My Bloody Website, check out bloodywebsite.com. And when you get there, make sure you click on the "subscribe by email" button on the top right, so you don't miss anything bloody website related. If you'd like to check out the show notes for this episode, or any past episode, all of that information can be found at bloodywebsite.com. If you'd like to reach out to Darryl or myself, as I said, you can find ways to talk to us on the "about us" page of the website. And lastly, if you want to support the show you can do that by telling another website owner about the show, and by visiting Apple Podcasts and leaving an awesome review. It's goodbye from me

Darryl: and it's goodbye from him