Springshare Buzz: SpringyNews: The ABCs of Web Safety: HTTPS Protect Your Sites

In this Issue:

For Those About to HTTPS...We Salute You!

Now that you've got your GDPR-related privacy notices in place and have opted-in to our awesome mailing lists, it's time to focus on another aspect of security: browsers! Good security as a baseline is important, and with browsers also working toward that goal, it’s time to really dive into the HTTPS action with all of your sites.

We recently wrote about all of this on our blog, so please take a minute to go over there and read...well, at least the first part! This newsletter is going to simply outline the pertinent changes and talk more about what you need to do to be ready, so if you want a bit more background, please read the post. Go ahead, we'll wait! :)

Living in an HTTPS World - Springshare Blog - June 7, 2018

Read the post? Great! Before moving on we want to highlight something in case you didn't catch this at the end of the blog post. In the coming months, we will completely disable HTTP (i.e., loading pages via HTTPS will be forced automatically) and make other important security upgrades for all products, such as enabling HSTS and other security-related headers. So, it's important that you prepare your sites for this, as it will eventually be the standard for our all of our product sites.

Okay - let's check out the changes & what you need to do to be ready to live in an HTTPS world!

Overview of Changes

Starting with the July 2018 release of Chrome, all HTTP webpages will be marked as "Not Secure".
We've made it so that all customers with custom domains have Let's Encrypt security certificates (which we will also automatically renew), so everyone is covered when it comes to enabling HTTPS in Springshare apps.
(Remember, anyone on a product domain (e.g., libguides.com) is covered by our wildcard certificate.)
We are removing TLS 1.0 from our products, which means we are no longer supporting outdated browsers, like IE10. TLS 1.0 is an older security protocol and its end of life deadline is June 30, 2018.

Are you using LibAnswers v1 or LibAnalytics?

The best advice we can give is to move to LibAnswers v2 or LibInsight / LibInsight Lite (respectively).
We do not support security certificates for v1 products.

Are you on a domain other than libguides.com for your LibGuides site?

(e.g., campusguides.com, communityguides.com, libguidescms.com, etc.)

Contact our support team to discuss changing your domain to use libguides.com instead so you can use our security certificate. We are not supporting certs for those other LibGuides-related domains.

What Does This Mean for You?

We're writing this in terms of your Springshare apps, but really, the general idea applies to any webpage.

Make sure you're using a modern browser, to ensure you can load pages via HTTPS.
Check your sites for mixed content. All embedded content must load via HTTPS.
Set your LibGuides, LibAnswers, LibCal, and LibWizard sites to "force HTTPS"!

It's as easy as 1-2-3 to get your Springshare apps ready for HTTPS-mania. (Not sure the same could be said for the security crews who worked at Beatles shows... ;) )

What is Mixed Content?

A "mixed content" warning occurs when you're loading your webpage via HTTPS, but something embedded in the page is loading over HTTP. Secure pages do not like it when you try to load insecure things on them. In fact, they just won't load that content. So, if you've embedded anything on your webpages like an image, YouTube video, anything loaded via iframe, or calls to JavaScript / style sheets, you need to verify it was added using an HTTPS-based URL.

If it wasn't, you'll need to verify that you can load it via HTTPS (either through testing or verifying with the vendor / other website) and update the URL to use https://. If it can't load over an HTTPS connection, you'll need to remove it from the page / replace it with something that can load via HTTPS.

Simply changing http:// to https:// does not guarantee that the embedded item will load over HTTPS. The website where you got the code for that embedded item must support HTTPS in order for it to load over HTTPS.

Springshare has no control over whether other vendors / websites allow their content to load via HTTPS. That is at the sole discretion of that other vendor / website. So your mileage may vary as you take a look at your sites to ensure that all embedded content loads via HTTPS. If it's a Springshare product, however, we've got you covered. ;)

How Do You Find These HTTP Embedded Things in Your Site?

In LibGuides, find embedded content in Rich Text areas via the "Search" part of the Admin > Search & Replace tool.
Search on http: (with the colon at the end), then review the list for embedded content. If the item is simply a link out to another website (or page on your LibGuides site), you don't have to update that...unless the other site supports HTTPS and you want to update it. (This may be the majority of the list.) You're looking for content embedded in the page, JavaScript, calls to stylesheets, etc. You can use CONTROL+A to highlight all text on the page, copy it, and paste it into Excel for easier scanning, if you wish.

In LibGuides, search for http embedded content in Widget Assets via Content > Assets.
Limit Type to Widgets, enter http: in the Description / Metadata field, and click Filter. Click the edit icon for each item and review as noted above.

In LibAnswers, you can use the "Search" part of the Admin > Assets > Search & Replace Links tool.
Like LibGuides, you can search on http: to find all instances of that in your public FAQs. Be sure to check off the "Perform a search only" checkbox when using this tool. The first section will list any Public FAQ Links that contain http:. The second section lists the same, but for the Public FAQ Answer content. Be sure to check this second area, as it's likely where you may have embedded something.

Also, remember to check through your embedded Media/Widgets in your Public FAQs!

Use your browser's Developer Tools to see notifications of mixed content.
Most modern browsers have something along the equivalent of: right click on the page > select Inspect. This allows you to peek into the back end of a webpage and see the HTML, related CSS, and (important for this process) a console area where you can see any warnings or errors that occurred when loading the page...including mixed content errors. This may take a while, as you'll have to do this for every page in your site, but it is certainly an option!

Use one of the tools developed recently to help with this very thing!
Do a web search on "mixed content checker" (or similar keywords) and you'll find options like "Why No Padlock?", etc. We're not endorsing any particular thing; that site is simply noted as an example. Continuing with using that site as an example, it works like this: you enter your https link into the tool and it scans that page (and any page that it links out to), notes any mixed content, and reports back to you with a list. It's a great way to find all mixed content at once and/or as a check before forcing HTTPs for your site.

How Do You Force HTTPS?

Only LibGuides, LibAnswers, LibCal, and LibWizard sites need to be set to force loading over HTTPS. LibStaffer, LibInsight, and LibCRM operate solely via HTTPS, so there is nothing to change.

LibGuides, LibAnswers, and LibCal:

Go to LibApps > Admin > Domains and Certificates.
Click the padlock icon in the Actions column.
Go to the Force HTTPS tab and choose Required.
Click the Return to Domains and Certificates button at the bottom and repeat the steps.

LibWizard:

Go to LibWizard > Admin > System Settings > Misc Settings.
Check off the Load Site in HTTPS? option and click Save.

Are You Ready to Rock HTTPS?

We are, too! Springshare agrees with the moves browsers are making toward making security a standard, which is why we've made it easy for our customers to make the transition. Here at Springy HQ, we're working (and will continue to work) tirelessly to ensure the security and privacy of all of our users and their patrons in their online activities.