Moving to SSL

Author: Erik Runyon

Site security has become more and more important over the years. For the past couple of years, every new site in Conductor has been set up to use SSL (https) by default. To see if your site is using SSL, check the url to see if the site address either starts with "https", or if there's a lock next to the domain name.

LocksSecure site indicator for the top four desktop browsers

Why require SSL?

Serving a site over SSL prevents malicious actors from hijacking your site between the server and the end user. For instance, several years ago, Jonathan Mayer of Stanford University found that the AT&T wireless hotspot he was using at the airport was injecting ads on the Stanford homepage. Had the site been served over SSL, they would not have been able to do this. And ads aren't the only malicious thing someone could do to your content.

Also, over the past year, Google Chrome has begun displaying warnings to users on sites that are not on SSL. First it was only pages with forms that asked for social security numbers or passwords. They have since, with Chrome 62, started showing the warning on any page with a form that's not served over SSL (usually once the user starts filling out the form). Since 44% of traffic across all Conductor sites happens in Chrome, this is a big deal for our community.

Not SecureThe address bar of a non-secure site when a user starts filling out a form

If your site has an embed (such as a form or social feed) that does not function over SSL, then the embed code will need to be updated to function correctly. This may require going back to the vendor of the service to get an updated code. You can test by forcing your site to be served over SSL by changing the url to start with "https" and then checking pages with embeds.

All Conductor sites can be served over SSL right now, but not all sites are being forced to use it.

Moving Forward

On January 16, 2018, we will switch all sites to SSL (https). It is important that you test your site before we make the switch to ensure third party embeds/products are either functional, or can be updated. If for some reason you believe your site will have issues with this switch, please contact with specifics. We will try and help you rectify any problems that will prevent your site from functioning correctly. In the case your site has third-party requirements that simply prevent it from functioning correctly over SSL, we will exempt your site at this time.