Trixology

General Category => General Discussion => Topic started by: Randall75 on September 19, 2018, 05:51:21 PM

Title: Secured Weather Sites
Post by: Randall75 on September 19, 2018, 05:51:21 PM
Does anyone here have their weather site set up as secured?
Godaddy contacted me to day to see if I wanted to upgrade mine to https.
That with the new updates coming some people may not be able to view my site with the updates like Chrome.
Do we really need to do that?

Thanks

cheers
Title: Re: Secured Weather Sites
Post by: Blicj11 on September 19, 2018, 08:16:01 PM
Randall:

I know that several of us have switched to a secure site, including Reinhard and me. We really shouldn't have to do it, because we aren't collecting viewer information. The reason I did it is because browsers are now warning people that they are viewing an "unsafe" or an "unsecured" site and this will worry the folks who don't realize it's ok to view an unsecured weather page. Switching to https is just reassuring the casual viewer that he or she doesn't have to worry about all that in the first place. It's not a very complicated change, but you do have to pay a modest annual fee for a secure certificate. There are providers that will give you one for free, but you have to renew them every month or 90 days, rather than annually. GoDaddy would handle all that for you. I am curious as to what they are proposing to charge you for making the switch. The most recent release of Mark's SteelSeries Gauges, which I know you have on your website, makes the switch to https easy as far as the Gauges are concerned.

That's my 2¢ worth. Let us know how it turns out if you proceed, etc.

Here in northern Utah we are about to choke to death from the ash and smoke raining down from these very close wildfires so I trust your air smells a lot better than ours.
Title: Re: Secured Weather Sites
Post by: xairbusdriver on September 19, 2018, 08:56:23 PM
In another part of web site upkeep, Google has become their indexing and ranking mobile designated sites first. If you build a responsive design, it shouldn't make any difference. If the site doesn't work well on small screens, your ranking will probably be lowered.

As for https, I've noticed that some domain and web providers are slowly moving to all the free certificate providers to be used and will do the updating for you automatically. You will usually pay for this "service" which is supposed to be fairly simple. I'm dragging my feet on the matter as I have so few visitors. However, Hosgator (https://www.hostgator.com/help/article/hostgator-free-ssl?utm_campaign=email-clm&utm_medium=email&utm_source=email-HGfreessl-email2) is now offering a free "https" service that automatically renews every 90 days. I might take them up on that even though I plan on moving to another web host when my current arrangement expires.

So far, no browsers are blocking viewers from plain http sites, they are simply showing different colored "favocons" or images on non-SSL sites.
Title: I won't and sorry about the smoke (Re: Secured Weather Sites)
Post by: elagache on September 19, 2018, 10:51:55 PM
Dear Randall, Blick, X-Air, and WeatherCat web spinners,

Does anyone here have their weather site set up as secured?

My website is badly neglected as it is, but I'm certainly not going to bother with upgrading it to secure http.  As far as I'm concerned, Google and other companies are spinning some mass hysteria by marking websites as "not secure."  They web crawlers can determine if the website is capable of collecting any information from the user or not.  A website that only provides information for visitors should - not - be https.  It is simply wasting computing power for absolutely no benefit.

Here in northern Utah we are about to choke to death from the ash and smoke raining down from these very close wildfires so I trust your air smells a lot better than ours.

Not to hijack Randall's thread, but sorry you have such bad air quality.  At the moment California is in better shape, but we are fast approaching the "Santa Ana" season when the wildfires might come back with a vengeance.

Cheers, Edouard  [cheers1]
Title: Re: Secured Weather Sites
Post by: xairbusdriver on May 15, 2019, 12:00:38 AM
Was searching for more SSL info today and came across https://www.whynopadlock.com// (https://www.whynopadlock.com//). Just for grins, I plugged in my Wx site and up came a report saying it was 'secured' with a valid certificate! Further sleuthing revealed that Hosgator had "completed installing certificates for all domains" back in the Summer of last year. It's a LetsEncrypt cert but it doesn't expire until the end of July this year.

Went to HG and saw that my primary domain was show as having a cert, but not the Wx site. Chatted with Support and the fixed that.

I still need to confirm that it is automatically renewed by HG or if it was a one-time, one year deal. I didn't think about that while chatting. [blush] I have not modified any links on this or the other site they host, but I think all my on-site links are relative. Hope this is not the beginning of a royal mess!

My updated report from Why No Padlock has this note:
Quote
You currently have TLSv1 enabled.
This version of TLS is being phased out. This warning won't break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018.
That may be a function of the 'free' cert.

Bottom line, you might want to check your hosting service and discover that they may have 'given' you something useful and potentially free. Or empty your browser caches and type in "https" in front of your domain name. ::)

...Perhaps that's why my Banner has disappeared? [blush]

Yep, I've stepped into a pile of it!!!! [banghead]
Title: Re: Secured Weather Sites
Post by: xairbusdriver on May 16, 2019, 03:02:46 AM
Weird problem with my site. Once SSL was used, none of my gauges (png) or graphs (jpg) displayed. Nor the logos for NWS and other sites. Most of those images are at the same level as the pages that show them, but the ones in a separate directory don't display either. Strangely, both the hourly and daily videos still show. However, all PHP scripts work fine even when grouped in their own directories. If they can't figure out the fix, I plan on simply disabling the cert and forget about the "Not Secure" label. [rolleyes2]
Title: Re: Secured Weather Sites
Post by: wurzelmac on May 16, 2019, 06:44:40 AM
Hello xair,

maybe there is a problem with the rights of the linked png's and jüg's. If I open your site all of your pics are questionmarks - rightclick on one of them, copy the path and open this path in another tab it shows me an error message. So double check if you have given all of your images correct read/write rights.

Just a shot in the blue...
Title: Re: Secured Weather Sites
Post by: xairbusdriver on May 16, 2019, 03:12:41 PM
I have specifically "discouraged" downloading my images via some htaccess code. However, while I was working with "support", they seem to have added some more lines to that file. On the other hand, my second site, without the added htaccess code, also reflects this lack of images problem when it is accessed with https: rather than plain http:.

The image files themselves have 644 rather than 755 permissions. That basically just denies 'writing' to the files by everyone but me.

One of the options when control-clicking the missing image icon still allows one to "Copy" the path. The one on the NOAA warning note (in the highlighted box near the top of every page) shows "https://mid-southweather.com/img/NOAA_Icons_small/warning.png" [the forum software converts this text to an actual link which will simply show the 403 permission warning Reinhard sees], which is correct. That image is in a directory named "NOAA_Icons_small" in a directory called "img" at the root of the site (mid-southweather.com).

However, most of the WC created images (gauges, graphs) are actually sitting directly in the root directory, no need for path modification, they are at the same level as the viewing html. Here is the path to the Temperature gauge (normally viewed on the "Gauges" page: https://mid-southweather.com/customgauge1.png [you'll get the 403 warning here, also]
Title: Re: Secured Weather Sites
Post by: wurzelmac on May 16, 2019, 05:51:44 PM
Strange. Hopefully you get it fixed - fingers crossed.  :-[
Title: Re: Secured Weather Sites
Post by: xairbusdriver on May 18, 2019, 03:50:44 AM
Slowly and erratically returning to normal. [rolleyes2] I've removed any hint of https from the htaccess. >:( Wx maps/sites now working on index.html. NWS alert(s) now have the little icon. Graphs and Gauges still not visible. [banghead]

Hostgator seems to have elevated my concern to higher level and I think I have a ticket number. Unfortunately, they have made major site/UI changes and I can no longer find a page with support ticket history and/or status. I have no idea what they are doing as they have not bothered to acknowledge anything by emailed [rolleyes2].

The SSL "Status" still shows "Pending" and the "Enable" button is not active meaning I cannot click it to OFF! And since there is a support ticket, "Chat" contacts claim they cannot touch my site. [banghead] Seriously looking like an early hosting move approaching... [rockon]

Fortunately, WC is rock solid, of course! ThU5:-)
Title: Re: Secured Weather Sites
Post by: xairbusdriver on May 20, 2019, 01:00:34 AM
I removed (commented out) a line in the htaccess file that had been there for a couple of years. My site now appears to be back to normal with all images displaying properly. Since that occurred at exactly the time I changed the htaccess file, I am 99% sure that is the cause and not something changed by the "support" folks at Hostgator...

That also seems to have re-established the WC banner image here. [cheer]

It will be a very cold day in Hades before I try SSL again, even if it is free and auto re-newing! [banghead]
Title: Re: Secured Weather Sites
Post by: wurzelmac on May 20, 2019, 06:32:44 AM
Glad you are back to 'normal', xair! Just want to mention that you can do a free Lets'sEncrypt SSL zertificate via Free SSL Zertifikate Wizard (https://zerossl.com/free-ssl/#crt) on your own without your hosting provider. So do I every three months. Although I think you already know...

Cheers,
Title: Re: Secured Weather Sites
Post by: xairbusdriver on May 20, 2019, 01:53:42 PM
That’s actually the source the hosting company uses. What they do for free is the renewal process. I’m sure I caused most of the problems by “jumping in” to quickly. [banghead]
Title: Re: Secured Weather Sites
Post by: Blicj11 on May 20, 2019, 04:49:08 PM
I’m sure I caused most of the problems by “jumping in” to quickly. [banghead]

Surely this is the first time that has ever happened.
Title: Re: Secured Weather Sites
Post by: xairbusdriver on May 20, 2019, 05:24:38 PM
Quote
Surely this is the first time that has ever happened.
I think I actually maid won uther mistake in life, butt I cant remember what it was. :o [lol]