Skip to main content

Here at Social Strata, we are always looking for ways to increase security for our customer communities, and today we are announcing a new offering to allow our customers to use HTTPS (i.e. "SSL")at no cost.

Both of our community platforms, Hoop.la and Eve Community, have supported Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", for several years. SSL adds a layer of security to the original HTTP protocol by encrypting all communications between a visitor’s browser and the website. This means that all our customers can switch to HTTPS (the ‘S’ at the end stands for “Secure”) and have the traffic to and from their website fully encrypted. HTTPS requires an SSL certificate which, until now, our customers had to purchase. The cost varies depending on what Certificate Authority (CA) the customer purchases it from and requires some manual work to setup and install. This setup and installation process has to be done every time the certificate needs to be renewed, as well.

There are three types of certificates that can be used currently:  

  • Domain Validation (DV) certificates provide privacy and data integrity between a internet user and the site they are visiting.
  • Organization Validation (OV)  certificates provide the same privacy and data integrity as the DV certificates, but give the visitor a higher level of assurance about the company or organization they are interacting with.

  • Extended Validation (EV) certificates uses the same encryption as DV and OV certificates, but there is increased security due to a thorough identity validation process.


Let’s Encrypt is a free, automated, and open Certificate Authority. It is a service provided by the  nonprofit Internet Security Research Group (ISRG), and their mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. As a result, their service offers free DV certificates.

Social Strata is pleased to announce that our customers can now request Let’s Encrypt certificates on their communities at no charge! The benefits of enabling HTTPS on your community are numerous:

  • Improve search engine ranking: Search engines (like Google) have previously announced that they give priority in search results to sites that use HTTPS. This will give our customers that have not yet switched to HTTPS a boost in their community’s SEO. If you look carefully at the results of internet searches, you will likely notice that the links on the first result page are primarily HTTPS sites.

  • Protect visitors: By using HTTPS, all data sent to and from our your community is fully encrypted. This will protect your community and increase confidence of the members using your community.

  • Eliminate security warnings: Several browsers (like Chrome and Firefox), in an effort to protect internet users, already display warnings when they visit a site that does not use HTTPS. Google announced that beginning in October 2017, Chrome will show the “Not secure” warning in additional situations. With HTTPS, this will not happen.

  • Full automation: Social Strata is providing a fully automated process so that the request and renewal of the certificates does not require any work by you, our customers. Let’s Encrypt certificates will be automatically renewed every 90 days.

  • Free certificates: The certificates provided by Let’s Encrypt are completely free.

  • Full transparency: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.

If you are interested in getting SSL enabled for your community at no cost, please submit your request via support topic to [email protected] or https://hey.crowdstack.com/support.

Frequently Asked Questions:

Can Social Strata also provide free OV and EV certificates?

It is not possible to offer full automation for OV and EV certificates, so these can’t be offered for free at the moment unfortunately.

What is the difference between the free and the paid DV certificates?

The main difference is between the free and the paid DV certificates is the validation period. Free DV certificates are (at the moment) valid for 90 days and paid DV certificates can be valid for up to 3 years. The 90 day limit of Let’s Encrypt certificates is used to limit the damage from misuse and to encourage automation. The shorter validity period does not represent any inconvenience to our customers because the renewal process is completely automated.

What information will be used in the Certificate Signing Request (CSR) to create the DV certificate?

Because Let’s Encrypt only issues DV certificates only the domain control is verified. The only relevant information is the Distinguished Name (DN), i.e. the fully qualified domain name to secure. All the other fields of a regular CSR are discarded because the automated process that Let’s Encrypt uses has no way to check if information is accurate.

Can SAML Single Sign-On (SSO) customers use Let’s Encrypt certificates?

Due to the 90 day expiration, Let’s Encrypt certificates are not currently supported for SAML SSO usage. The SAML metadata XML exchange process requires engagement between Social Strata and the customer’s SAML server that is not reasonable to complete every 90 days.

Where can I find more technical details about Let’s Encrypt?

You can visit this page for further information.

Photo Credit: System Lock flickr photo by Yuri Samoilov shared under a Creative Commons (BY) license

Add Comment

Comments (7)

Newest · Oldest · Popular

Thanks for clarifying, Brian. Our "embedded" content consists almost entirely of https youtube (iframe) so we should be okay. 

What's the next step for authorizing and getting this done?

 

neil

@neil, the process to enable TLS/SSL will automatically update your community URLs (including embedded image attachments, etc.) to use SSL. Any external URLs will not be updated, however, as Hoop.la can't make any guarantees about whether those external data sources support HTTPS or not. Note that this would only be an issue for embedded content; any external URL links wouldn't be an issue.

Does that help?

Brian Lenz

Thanks Rich and Rosemary. 

We have a ton of links embedded by users in their posts. Are you saying all those would need to be changed ? <- 1st time ever using the exploding sausage/balloon

neil

Neil, we run banner ads in our Hoopla forum served from an outfit called "Adpeeps.com." When we first made the Hoopla change to https, the banners did not appear. The browser would not display a mix of "secure" and "non-secure" content. All I had to do was go into the Adpeeps code and add the "s" where appropriate and all was OK. Adpeeps now generates code that contains "https" so the problem has solved itself on both ends.

External LINKS appeared just fine, even though the link was going to an unsecure site.

Rich Melvin

Hi @neil, all of the links within Hoop.la, and external links TO your Hoop.la site, will just work magically. However, you would want to check your header, footer, any custom CSS, ad slots, images or videos from an external source, etc., for anything loading http:// and change it to https://.

Rosemary O'Neill
×
×
×
Link copied to your clipboard.
×