In our October 2017 SpringyNews Newsletter, we informed Springy users that recent updates to web and mobile browsers (Chrome, Firefox, Safari, etc.) mark any HTTP webpage that contains form content as insecure. This means that any public webpage containing a search box, LibCal booking form, or LibAnswers Question Submission form will automatically display a ‘Not Secure’ warning to end users.
The security and privacy of your patrons’ data is of prime importance to Springshare. Having any webpage, especially your Springshare-licensed tools, marked as unsecure is not good PR for us or you! You don’t want your patrons thinking your LibGuides, LibAnswers, and LibCal websites are untrustworthy.
To that end, we’ve made all v2 products hosted on a Springshare-controlled domain HTTPS enabled. For those of you on a custom domain, we’ve enabled security certificate hosting for LibGuides, LibAnswers, and LibCal!
And we’ve taken it one step further. If you have a custom domain, we’ve added integration with Let’s Encrypt to provide completely free security certificates for your LibGuides, LibAnswers, and LibCal v2 tools. We’ve made it as easy as 1, 2, 3 to ensure your Springshare tools are HTTPS secure, trustworthy, and safe for your end users.
Why HTTPS Matters
HTTPS secures the communication and data transferred between our servers and your users’ browsers. Hackers and intruders exploit every unprotected resource between your websites and users. And every time a user interacts with your Springshare tool, whether it’s sending a search query through a LibGuides search-box or submitting a LibCal room booking request, they are sending data from that website through the interwebs to our data servers. If any part of your website is loaded over HTTP, that data is unsecure and could potentially be used to exploit other secure parts of your website. So we recommend that all pages, resources, and widgets be loaded securely over HTTPS.
Furthermore, HTTPS doesn’t just block misuse. It’s often a requirement for many browsers.
HTTPS Protects the Integrity of Your Web Presence
HTTPS helps prevent intruders from interfering with the communication between your Springshare websites and your users’ browsers. They exploit HTTP/unprotected communications to trick your users into giving up sensitive information or installing malware. Given the opportunity, they will exploit every resource that travels between your Springshare websites and your users: images, cookies, scripts, HTML, etc.
Getting a Security Certificate is Important
Security Certificates are provided by reputable and trusted third-party companies that verify your organization and your website transactions. These Certificate Authorities provide a security certificate that proves that the website/domain really belongs to you and nobody else. Essentially, the security certificate is what allows you to put the S in HTTPS.
HTTP stands for Hyper Text Transfer Protocol, and it’s what allows users to access webpages. When you enter http:// in front of your web address, it tells the browser to connect, fetch, and transfer the requested webpage.
HTTPS stands for Hyper Text Transfer Protocol Secure, which uses an encrypted connection when transporting webpage data.
My Domain Ends in .libguides.com, .libcal.com, .libanswers.com, etc.
If your v2 system is on a Springshare-owned domain, you’re all set! These domains already have SSL/HTTPS support built-in. So you can update all links to / within your system to HTTPS links now. Learn more about enabling HTTPS for Springshare-owned domains.
Wait, I Have a Custom Domain (ends in .edu, .org, .co.nz, etc.)
If your v2 systems have custom domains (e.g., ask.mylibrary.org, calendar.university.edu), then you must obtain and install an SSL certificate in order to avoid warnings. There are two ways in which you can obtain an SSL certificate.
1. Work with Your Local IT Department
Connect with your IT colleagues to obtain an HTTPS certificate for each custom domain. You own your domain and thereby you own the certificate, too… just install it on our servers when it’s ready.
If – gasp – you ever decide to cancel any of your Springshare tools where you have an HTTPS certificate, you still own your certificate(s) and can move it/them to any other server.
2. Use Our Free ‘Let’s Encrypt’ Security Certificate
We’ve added integration with Let’s Encrypt, an industry leader, to provide free and automated security certificates… right inside your Springshare tool.
LibGuides Users
We’ll do all the hard work by requesting and installing a free ‘Let’s Encrypt’ certificate for you! Poof, magic! Plus, we’ll automatically renew your ‘Let’s Encrypt’ certificate. This way, you can spend less time chasing down certificates and more time doing the stuff you need to do. And, if your IT department is going to need a few months before they can get your custom certificate, your site can still be protected with ‘Let’s Encrypt’ in the meantime.
The only thing you need to do on your end is to update your custom domain to point to the secure server. Once you’re pointing to the secure server, we’ll automagically install your free ‘Let’s Encrypt’ security certificate. Check out this FAQ outlining the secure endpoints for your CNAME record.
If at any point you want to upload your own custom certificate, simply follow these steps.
For LibAnswers/LibCal Users
The first thing you’ll need to do is update your CNAME record to the secure server endpoints. Then, contact our support team about requesting a ‘Let’s Encrypt’ certificate on your behalf. It’s still free, and you can replace it anytime with your own certificate, but we haven’t fully automated the process… yet!
So, You’ve Added a Security Certificate… What’s Next?
Kudos to you – you’ve taken a huge step in ensuring that your patrons have a safe web experience. But, there are still a few more things you need to do!
1. Update All Links to HTTPS
Most likely, you’re linking to your LibGuides, LibAnswers, and LibCal systems from a variety of websites like your Library homepage, on your blog, your Facebook page, etc.
It’s imperative that you update all references to these systems with the updated HTTPS link. There’s no point in doing all this work to make your Springy tools secure if you’re still pointing to the HTTP/unsecure URL.
2. Update Embedded Widgets to HTTPS
Although your site is configured correctly to display over HTTPS, individual pages can still be considered unsecured if they contain content from HTTP sources (such as embedded videos, search widgets, etc.). To prevent this from happening, you will either need to change the content’s source URL to HTTPS, or remove the content from the page.
Be sure to check with your database vendors about getting HTTPS widget code.
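One way to audit a page for steps 1 and 2, as an added example that is not Springshare code: the Python sketch below scans HTML for embedded content still loaded over http:// (the mixed content described above) and for links that still point at the http:// address of your own domain. The sample page is constructed, and every host other than the article's ask.mylibrary.org example is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch a subresource.
SUBRESOURCES = {("script", "src"), ("img", "src"), ("iframe", "src"),
                ("embed", "src"), ("video", "src"), ("audio", "src"),
                ("source", "src"), ("object", "data")}

class HttpReferenceFinder(HTMLParser):
    """Collects http:// embeds (mixed content) and http:// links to own hosts."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.mixed_content = []  # (tag, url) the page would load over HTTP
        self.stale_links = []    # <a href> still using http:// for own hosts

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        is_css = tag == "link" and "stylesheet" in attrs.get("rel", "").lower()
        for name, value in attrs.items():
            url = urlparse(value)
            if url.scheme != "http":  # https://, //host and relative URLs are fine
                continue
            if (tag, name) in SUBRESOURCES or (is_css and name == "href"):
                self.mixed_content.append((tag, value))
            elif (tag, name) == ("a", "href") and url.hostname in self.own_hosts:
                self.stale_links.append(value)

def find_http_references(html, own_hosts):
    finder = HttpReferenceFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.mixed_content, finder.stale_links

# Constructed sample page; all hosts are placeholders.
SAMPLE = """
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<script src="https://widgets.example.org/search.js"></script>
<iframe src="http://video.example.com/embed/123"></iframe>
<img src="//images.example.org/logo.png">
<a href="http://ask.mylibrary.org/faq">Ask a librarian</a>
<a href="http://other.example.net/">External site</a>
"""

if __name__ == "__main__":
    mixed, stale = find_http_references(SAMPLE, ["ask.mylibrary.org"])
    print("mixed content:", mixed)
    print("links to update:", stale)
```

Each entry in the first list needs its source URL changed to HTTPS or the content removed; each entry in the second list is a link to update wherever that page is maintained.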
We’ve made it as easy, and free, as possible for you to ensure a secure and trustworthy experience for your end users. So, c’mon folks – let’s make sure your Springshare sites are safe and ‘Let’s Encrypt’!
Is there a timeframe for when this needs to be completed?
Hi Lucy!
There is no timeframe, but we do encourage you to do this as soon as possible.
Update 3/7: After triple-checking, it’s uncertain as to how browsers will flag http/unsecured webpages, whether it’s a simple page flag or not loading the page at all. However, getting a flag is still cause to be proactive and HTTP is still bad for security and protection of patron privacy.
Best,
Talia
We are in the process of updating to accommodate https and read on this page:
“We’ll do all the hard-work by requesting and installing a free ‘Let’s Encrypt’ certificate for you! Poof, magic! Plus, we’ll automatically renew your ‘Let’s Encrypt’ certificate. This way, you can spend less time chasing down certificates and more time doing the stuff you need to do.”
How exactly do we start that process? We don’t see anything within the Springshare tool to start this process. Is there any additional documentation about where in the Springshare tool we should be looking?
Your help is appreciated.
Hi John!
The only thing you need to do on your end is to update your custom domain to point to the secure server. Once you’re pointing to the secure server, we’ll automagically install your free ‘Let’s Encrypt’ security certificate. Check out this FAQ outlining the secure endpoints for your CNAME record.
Hi, the link you give in the Custom Domains section of this article is dead.
Can you let us know which link specifically? We checked all the links in that section, and they’re working.