August 14, 2017

Hello everyone,

On August 4, the Ensemble web team began converting sites to https -- that effort is currently ramping up. The team is also migrating sites away from the www domain name prefix wherever possible.

Most content creators have found a few issues but nothing major or hard to fix. We appreciate your efforts to ensure your content displays properly.

You’ll want to check anything unique on your pages, including:

  • iframes (which you should now access over https)

  • any links or external resources using custom HTML

  • feeds (which should be updated to https; reports are that this process has been painless)

  • incorrectly linked javascript or other resources

  • social media content

  • local assets hosted outside of stash (bitbucket); please update the link to your local_assets so that they use https

  • also any links to images you might be importing via modifyGlobalTemplate.css

  • videos (YouTube and Vimeo; seem to be working under https)

We've also gotten some great questions from you all:

Should I convert my external links to https?
Yes, but please test sites outside of Ensemble to make sure they work properly over https.

What should I do when a cloud vendor or external site gives an error when I link to them over https?
You should notify them of the problem and ask them to correct it. In the meantime, link to them using http.

Please create a ticket if you have questions or concerns about how this affects your site.

Thank you for your attention to this,

Brad Soucy
Director of Design and Digital Strategy
University Relations

Here is even more technical information that those of us in the Division of IT have assembled as we talk to many of you about the https conversion. As you've probably noticed, internal Ensemble links are already https by default and we're working through the Ensemble websites to convert them entirely to https.

How do I open an Ensemble ticket?
Go to Ensemble.CMS.vt.edu and click the "Request CMS Support" link in the lower right-hand corner of your browser window. Please be sure to enter your name and email address: without those, we cannot respond.

What is HTTPS?
HTTPS is the HyperText Transfer Protocol Secure. It is the underlying system for communicating between a web browser and a server. It provides additional data integrity and privacy compared with the older HTTP protocol.

What is TLS?
TLS is transport layer security, the modern version of SSL (secure sockets layer encryption) and is the technology used to implement HTTPS in Ensemble.

Where can I learn more about HTTPS and SSL?
TLS All the Things! - Security with Performance - Chrome Dev Summit 2014 (Chris Palmer)
https://www.youtube.com/watch?v=ayD0LiZkWLQ

Mythbusting HTTPS - Progressive Web App Summit 2016 (Emily Schechter)
https://www.youtube.com/watch?v=e6DUrH56g14

Don't certs cost a lot of money?
No. Anyone can get a free signed certificate at https://letsencrypt.org/. Let's Encrypt is a great way to quickly get a certificate on a development server.

Virginia Tech units can request a certificate from the Virginia Tech Certificate Authority, part of the Secure Identity Services unit in the Division of IT. Learn more at https://vt4help.service-now.com/sp?id=kb_article&sys_id=29e0e6f6db82b200515ff209af961935

For Ensemble websites, we’ve taken care of getting and installing a certificate for you.

What about web hosting not supporting HTTPS?
The web hosting team is working to enable individual certificates and TLS configurations for hosting sites. While they are still several weeks away from production, there is a work-around for Web hosting sites that do not use WordPress: you can securely link to the site using URLs that begin with https://secure.hosting.vt.edu/<site>.vt.edu

Heavily used departmental sites which need modern TLS support can request a https configuration similar to that used by Ensemble sites at https://webapps.es.vt.edu/support/

S.B. Chandler, PhD
chandler@vt.edu