Weekly Tech Tidbit – Rethinking SSLs

September 12th, 2019
Weekly Tech Tidbit – Rethinking SSLs

We harp on the fact that if you have *ANY* VPN, or remote access capabilities into your district, you *MUST* use a commercial SSL certificate and not a self-signed SSL - no exceptions.

However, an area of growing frustration is that many current browsers are starting to give warnings about whether or not you should trust a legitimate, non-infected, web site that doesn't have an SSL.

Many of you have heard me say time and again, "if we ask the end user a question, we have failed".   This is the latest iteration of that edict.

Here is our own example:

We have our web site https://www.csiny.com.  We have had it for ages.   It is well maintained.  There are no eCommerce capabilities on the site.  We never chose to purchase an SSL for it.   However, over the last 6 months, we have had numerous anctedoctal reports about various customer's going to our site and getting a warning about whether or not to trust our site.   This has created confusion and fear that we might in some way be compromised.

That is absolutely not the case.  What is going on is that browsers such as Chrome are throwing up these warnings because we are not HTTPS (whether we need it or not).  They are trying to force all web traffic to be https.

We cried Uncle and worked with our hosting company to upload and attach our wildcard *.csiny commercial SSL to the site.

Once we were https://www.csiny.com Chrome quit complaining.

Your fall to do is to check all the internet-facing web pages in your district, and remove any remaining self-signed SSLs and replace them with your commercial SSL.

Then contact your web hosting company and arrange with them to flip your main web site from http to https: using the same commercial SSL.

If you need help with any of this, give us a call.