SSL Everywhere

Warning; technical details ahead: Over the weekend, the entirety of the Commons was switched over to the HTTPS protocol. This has been in the works for a few months now, and took a few key steps.

We first needed to secure all of the content that you share on your site. We accomplished this by shifting all our media content to be served up using an S3 Offloads plugin developed by a company from Nova Scotia named Delicious Brains. For the most part all 200 000+ media items made the shift over to their new home. You might find you need to add your header back to the top of you blog, or if you manually referenced an image or file in a widget on your sidebar, you may need to grab the URL again now that it’s being served from a different server.

The next step was to procure certificates for all our our custom domains. Most of the sites on the site are covered under a wildcard certificate: *.commons.hwdsb.on.ca, but users who have opted for a custom URL aren’t covered by this certificate. We leveraged an exciting new initiative called Let’s Encrypt to secure sites like mrpuley.ca, suedunlop.ca, adunsiger.com, and mrjarbenne.ca. Although these sites comprise a small subsection of the 7097 sites hosted on the Commons, I’m inspired by the work of the Domain of One’s Own project, and would love to eventually see our work extend out to allow students to being building out their own digital cloud, as referenced in that linked article from Wired Magazine:

“Writing for EDUCAUSE Review in 2009, Gardner Campbell took the argument a step further. In A Personal Cyberinfrastructure he argued that learning to build and operate a personal cloud was a life skill students would need and should be taught”

If you don’t see the green lock at the top of the browser bar, you might have “mixed content”. A picture of a browser bar, with the green link indicating an SSL connection.This is caused by elements on the page that aren’t secured, and are still being delivered via http, and not https. In many cases, you can navigate to the post in question, and just add an “s” to the end of the “http” portion of the URL in the embed code (most sites that offer embedded content are secured by SSL. If you use a service that isn’t secure, reach out to them on Twitter and ask them to secure their embeddable content). Mixed content has been an “issue” within the HUB (Desire2Learn/Brightspace) for a few years now, so users who navigate that space will be aware of the issue. There is a movement to secure the web that we heartily support.

We couldn’t have done this without the help of our web-host and WordPress security specialist @boreal321.

As always, if you run into issues, don’t hesitate to comment below, or reach out to your 21CL Consultant via email.