HTTP is currently the primary protocol for applications used on computers, tablets, smartphones, and many other devices. As internet use has grown, the risk to users' privacy and safety has grown with it. HTTPS makes your site more secure for your users, especially when they are giving you information. For example, when a user enters data into a form on your site in order to subscribe to updates or to make a donation, HTTPS protects that user's personal information between the user and the site. It is essential on pages where users are required to give their credit card information and/or other personal details. Data sent using HTTPS is secured via the Transport Layer Security (TLS) protocol, which provides three key layers of protection: encryption, data integrity, and authentication.
Why HTTPS for everything?
It is a recommended industry best practice that you adopt HTTPS site-wide in order to protect your users' connection to your website. This means that your entire website will be rendered in a secure manner over HTTPS.
The internet’s standards bodies, web browsers, major tech companies, and the larger internet community have all come to the conclusion that HTTPS should be the baseline for all web traffic.
- The W3C’s Technical Architecture Group has found that the web should actively prefer secure connections and transition entirely to HTTPS.
- The IETF has said that pervasive monitoring is an attack, and the Internet Architecture Board (the IETF’s parent organization) recommends that new protocols use encryption by default.
- Google has begun to favor HTTPS websites in search rankings.
- Security teams for major web browsers such as Chrome and Firefox are working on gradually marking plain HTTP sites as non-secure. In fact, the Chrome security team recently announced that starting in January 2017, all websites that transmit passwords or credit cards will be marked non-secure with an eventual goal of marking ALL HTTP sites as non-secure.
What is happening with Blackbaud Internet Solutions Service Pack 10?
While the option to enable secure content (HTTPS) for your entire site has always been available in the product, starting with Service Pack 10, site-wide secure content (via HTTPS) will be hard coded and cannot be changed. As mentioned earlier, internet standards bodies and major technology companies all recommend this approach, and it is being adopted to make our sites more secure.
How will this affect me?
Enabling site-wide HTTPS within Internet Solutions will make your site more secure. We recommend you do so as soon as possible. In some cases, after making this change, some content (such as images or content hosted from external sources) may not display or your browser may display a warning message indicating the site has mixed content. We recommend that you enable site-wide security in a non-production environment and review your site to identify any adjustments needed. If you do not make this configuration change ahead of time, it will be made automatically when you upgrade to Service Pack 10. HTTPS requires a valid SSL certificate. Your website should already have an SSL certificate for security and PCI compliance when processing transactions. If you would like more information about obtaining a new SSL certificate for your hosted website, please click here.
I made the configuration change to enable site-wide HTTPS and reviewed my site but some content does not render correctly. What should I do?
In some cases, after making this change, some content (such as images or content hosted on external sources) may not display or your browser may display a warning message indicating the site has mixed content. Click here to see what actions you can take to correct any issues you may be seeing. While pages processing personal information, such as User Login/Registration pages and Donation forms, would likely already be designed to include only HTTPS references, some other types of pages (such as home pages or news pages that may include non-secured images, slide shows, etc.) may not be optimized.
You can also approach your account team to engage Blackbaud Professional Services to scope any further improvements to your site.
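One way to find the references behind a mixed-content warning during the non-production review is to scan each page's HTML for subresources still requested over `http://`. The following is an added example, not Blackbaud code; the sample page and its hostnames are constructed, and the active/passive labels follow general browser mixed-content handling rather than anything specific to Internet Solutions.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource. "active" content (scripts,
# stylesheets, frames) is what browsers block outright; "passive" content
# (images, media) typically produces a warning. Plain <a href> links are
# navigation, not subresources, so they never cause mixed content.
KIND = {("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
        ("img", "src"): "passive", ("img", "srcset"): "passive",
        ("source", "src"): "passive", ("video", "src"): "passive", ("audio", "src"): "passive"}

# Constructed sample page; all hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<a href="http://partner.example.org/">Partner site</a>
<img src="http://images.example.org/banner.jpg" alt="Banner">
<img src="/local/logo.png" srcset="http://images.example.org/logo-2x.png 2x">
<iframe src="http://video.example.org/embed/1"></iframe>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collects (line, kind, tag, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        rels = dict(attrs).get("rel", "").lower().split()
        for name, value in attrs:
            kind = KIND.get((tag, name))
            # <link> is only checked when it loads a stylesheet.
            if kind is None or (tag == "link" and "stylesheet" not in rels):
                continue
            # srcset holds comma-separated "url descriptor" candidates.
            for part in (value.split(",") if name == "srcset" else [value]):
                tokens = part.split()
                if tokens and tokens[0].lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], kind, tag, tokens[0]))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: {kind} <{tag}> {url}")
```

Each finding is fixed by changing the reference to `https://` (after confirming the external host serves the file over HTTPS) or by hosting the file on the site itself.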
I need time to review my site. What options do I have?
The shift to adopting site-wide HTTPS will occur when you upgrade to Service Pack 10, which includes a number of updates to comply with the latest payment industry standards (PCI-DSS 3.1 and PA-DSS 3.2). As mentioned earlier, internet standards bodies and major technology companies all recommend this approach. You can enable site-wide HTTPS today via a configuration option in the Administrative Settings in Internet Solutions. We recommend that you do so as soon as possible. This will allow you to test your site and make any adjustments needed before Service Pack 10 is installed on your site. It is recommended that you make the change in non-production to identify any design changes that need to occur before enabling in production.