Securing NDSU Websites
In June 2015, all www.ndsu.edu websites will be secured with HTTPS. This change will lead to improved security for all users of NDSU websites, including those who submit sensitive information through online forms.
An extended rationale for securing NDSU websites is offered below.
Authors, editors and managers of NDSU websites must review and prepare each site for this change. If you have questions or need assistance, please contact the IT Help Desk at 231-8685 (option 1) or firstname.lastname@example.org.
Existing links from other sites to NDSU pages that use http://www.ndsu.edu will be automatically redirected to https://www.ndsu.edu. External sites are not required to update their links, though they are free to do so. A security feature that is being enabled will cause many browsers to skip the redirect and go directly to https:// even when a link uses http://.
Review and Prepare CMS Sites
If you are a TYPO3 Web Content Management System (CMS) user, all of the required work will be done for you automatically on June 16. However, you should review your website to identify HTTP links and images that will not update automatically to HTTPS when NDSU sites are secured. Links and images that use HTTP are highlighted in the workspace preview for each CMS page to make them easier to find. If a page preview looks as you expect, and no links or images are highlighted for change, the page will make the transition to HTTPS without any further work from you. If you repair a link or image on a CMS page, check the Preview Mode again to make certain nothing is still marked as needing attention. The workspace preview is already served over HTTPS, so your page is repaired when its content is no longer marked for remediation there.
Review and Prepare Pubweb Sites
Pubweb users should review their sites to identify any mixed content. Pubweb users are responsible for fixing all mixed content in advance to ensure continued functionality after NDSU sites are secured. Content is called mixed when a secure page is requested via HTTPS, but some content on that page is available only via HTTP.
- Links – All links should be updated to HTTPS if the destination website is ready for and can handle HTTPS. When updating links that point to HTTPS-ready sites, be sure to use the final destination URL for the link, not a redirect or shortcut, and include the trailing slash (e.g., https://www.ndsu.edu/its/). These strategies shorten page-loading times and ultimately improve the user's experience on your website.
- Images – Review images to identify any that are referenced from another website. Once identified, serve the image up via HTTPS. If necessary, you can move the image to your www.ndsu.edu site, and publish it with proper attribution.
- Forms – Update forms to submit via HTTPS.
- Embedded Content – If your site includes embedded content (e.g., YouTube video, live Twitter feed), you must ensure that content is available via HTTPS. Unsecured embedded content will not display on your site.
Use Google Chrome's Console
There are several different tools that can be used to identify problematic content, also referred to as "mixed content." The instructions below use the Google Chrome developer tool, Console, which is available for Windows, Mac and Linux computers.
- If you have not yet done so, install Google Chrome on your computer.
- To open the Console, press Command-Option-J (for Mac) or Control-Shift-J (for Windows / Linux). Depending on your browser and whether you have used the tool in the past, the Console may appear on the bottom, left or right side of your screen, or it may pop up as a new window.
- With the Console open, visit or reload the Web page you want to review. Be sure to open the page via HTTPS, not via HTTP, by typing https:// in front of the URL. Any existing mixed content errors and warnings will appear in the Console once the page loads.
- The Console shows each error and the line number in the viewable page source where the reference is made. Once the errors and warnings have been identified, determine how to proceed:
  - Errors must be fixed, because Chrome and other Web browsers will actively block that content as soon as NDSU sites are secured.
  - Warnings identify content that will need to be fixed eventually; however, warnings are not critical at this time. We anticipate browsers will actively block such content at some point. If possible, consider fixing these issues now or in the near future.
As different pages are loaded, the console is updated to reflect the errors of the current page.
Several sample pages are available. The broken versions still have all of the mixed content errors, and the sample provides a way to verify that the console is working as expected.
Mozilla's Firefox browser also has a web console tool that can be used to identify "mixed content." Instructions for accessing the tool may be found on the Mozilla website.
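As an offline complement to the browser console, the added example below (not NDSU's tooling and not code from this page) scans an HTML document for http:// references and reports the source line of each, covering the links, images, forms and embedded content listed above. The error/warning mapping is an assumption based on how browsers generally treat active versus passive content, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Assumed mapping (not from the NDSU page): active content that browsers block
# is an "error"; passive content and form targets are a "warning".
CHECKS = {
    ("script", "src"): "error", ("iframe", "src"): "error",
    ("embed", "src"): "error", ("object", "data"): "error",
    ("img", "src"): "warning", ("audio", "src"): "warning",
    ("video", "src"): "warning", ("form", "action"): "warning",
    ("a", "href"): "link",  # a navigation, not mixed content, but worth updating
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for (checked_tag, attr), severity in CHECKS.items():
            if checked_tag == tag:
                self._record(tag, attrs.get(attr, ""), severity)
        # <link> only loads a subresource when it is a stylesheet.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower():
            self._record(tag, attrs.get("href", ""), "error")

    def _record(self, tag, url, severity):
        # Relative and protocol-relative URLs inherit HTTPS, so only http:// counts.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], severity, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample page, not taken from any NDSU site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<script src="https://cdn.example.org/ok.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
<form action="http://forms.example.org/submit" method="post"></form>
<iframe src="http://video.example.org/embed/1"></iframe>
<a href="http://www.ndsu.edu/its/">ITS</a>
</body></html>"""

if __name__ == "__main__":
    for line, severity, tag, url in scan(SAMPLE):
        print(f"line {line}: {severity:7} <{tag}> {url}")
```

Treat the output as a first pass and confirm the result in the browser console, since content injected by scripts at run time does not appear in the static HTML.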
Rationale for Securing NDSU Websites
- NDSU already has the technology and certificate (GlobalSign) in place to secure all www.ndsu.edu websites.
- Google gives HTTPS websites higher ranking in search results. Securing NDSU websites may improve the discoverability and visibility of those sites.
- Some www.ndsu.edu websites require HTTPS, as these sites ask users to authenticate with a username and password.
- The Firefox Web browser prefers to remain on HTTPS. Because some www.ndsu.edu sites are already on HTTPS, a user's experience may be negatively impacted as they move from a secure NDSU website to a non-secure NDSU website.
- Modern hardware on both the server and the client can easily handle the encryption overhead.
- The Chromium project may eventually label websites as "insecure" if those sites do not have HTTPS or have insecure implementations of HTTPS.
- The Mozilla Foundation, Cisco, the Electronic Frontier Foundation and other organizations are behind the Let's Encrypt effort to provide free certificates, which indicates the industry is moving to a TLS future.
- HTTP/2 is now a formal specification, which can offer a significant improvement in Web page performance and user experience. While not required, most HTTP/2 implementations probably will use TLS. NDSU will eventually be able to offer HTTP/2.
- Once a website fully supports HTTPS / TLS, the site can enable HTTP Strict Transport Security, offering better security on untrusted networks.
- The only day better than today to make the change to HTTPS is yesterday, as there is more content to change today than there was yesterday. At some point, www.ndsu.edu is going to need to offer its content up via HTTPS. Now is the right time to make that transition.