SSL Encrypting all Tendenci Hosted Sites
To our clients: the graph above is a filtered subset of what a *typical* day of network alerts against our hosting looks like. As the media has reported, the issue is quite real.
We greatly appreciate you, and it is important to us that you remain safe. To further that objective in the current geopolitical environment, all hosted Tendenci sites will be served over HTTPS (SSL/TLS) going forward, at the direction of our CEO.
Why? Because security. The Internet has changed and we must adapt.
Adapt? Remember when that Steve Jobs guy invented the iPhone and suddenly sites that were awesome the week before... well... they weren't as awesome the next day? The. Next. Day. Technology is like that.
Wait, what is encryption again?
Remember writing notes to your friends in a made-up alphabet, pretending you were a secret agent? It's like that, only done properly. SSL/TLS encrypts the traffic between a visitor's browser and your site so that anyone sitting on the path between them (the cafe Wi-Fi operator, an ISP, a hacker, or a government) cannot read it or quietly alter it in transit. The lock icon in the browser also means the browser verified that the certificate really belongs to your domain, so the visitor is talking to your site and not to an impostor.
If a board member is traveling and logs in to your site from St. Petersburg at the local cafe, you don't want anyone to be able to see their interactions on your site, right?
What do I need to do?
Probably nothing except update a few records. Keep reading please.
Does the new requirement that all sites be encrypted apply to me?
Yes, although you may already be covered. If you see a lock in your browser's address bar on *every* page of your site (not just the login or checkout page), then your site is already encrypted and you can ignore this news release.
What if I don't see the lock?
If you don't see a lock on your site, then you will see it appear very soon.
What is my cost?
Zero for most sites. For the few sites not yet encrypted we will be using Let's Encrypt, the free certificate authority.
Non-zero for clients who already use their own SSL certificates: there is a support cost, given the complexity of multi-domain certificates. We *do* charge support time (gotta pay people, right?) to install your certificates. As a best practice we recommend a separate certificate for your public web site rather than one multi-domain certificate shared across unrelated properties: a separate certificate is simpler to renew and a problem with one site's certificate does not take the others down with it.
The Let's Encrypt certificate installation being deployed is at no cost to hosted clients. Please read on to determine which category your site is in.
What about credit cards? (Those are already encrypted.)
All financial transactions have ALWAYS been encrypted. This is just us expanding encryption to all content on your site.
NOTE: Tendenci does *NOT* store credit card info. And never has. CC data ONLY exists on your merchant provider. Tendenci only records the status of the transaction ("yes, card is ok" .... or .... "nope, card is not ok").
Is this going to be expensive?
Again no. Tendenci will be doing an automated roll out of LetsEncrypt from eff.org for any site that is not already using encryption. If you have your own SSL certificate then you will keep using that. Please just make sure it doesn't expire. If using LetsEncrypt then it gets renewed automatically. For some organizations with multiple sites you may need a multi-site SSL. (Your Tendenci site however will be encrypted regardless.)
What do we need to do?
There are three sets of hosted clients, so I'll answer this in a numbered list:
1. Already using encryption. Yea! You don't have to do anything. ACES! Go get a beer and enjoy the day!
2. Not using encryption and do NOT take credit cards. Yea! You don't have to do much besides check your Google Analytics account. MAYBE ACTION.
3. Not using encryption on the whole site but you DO take credit cards. Again: credit card data has always been encrypted and does not live anywhere on our servers. That's what merchant providers are for. **** ACTION REQUIRED ****
WAIT! I'm in category 3 and it says "ACTION REQUIRED" - what?!?
Let's Encrypt takes care of the certificate itself. What remains is one or two updates that Tendenci, the community as well as the company, can't do for you, for the simple security reason that they require access to accounts only you should control.
- Merchant Provider updates:
(YOUR merchant provider, we mean.) You may need to update the "post back" URL configured at your merchant provider so that it points at the https:// version of your site; otherwise the provider's confirmation of the transaction status would come back over the old unencrypted URL. We do not have or store credit card information, so this is something YOU will need to do. But it's OK. It's pretty easy, and explained fully here: https://www.tendenci.com/help-files/configure-online-payments-merchant-provider-tendenci/
- DNS updates (possibly):
Your network admin will need to update your DNS records if we request it. If you get an email from our team, first (OBVIOUSLY) MAKE SURE IT ISN'T A PHISHING ATTACK. Once you are sure it's from us, check the link again before you follow it (confirm the domain, not just the display text), and only then make your updates.
*** OUR TEAM WILL NOT ASK FOR YOUR LOGIN INFORMATION. WE DO NOT WANT IT. WE DO NOT STORE IT. WE CAN DO BILLABLE SUPPORT SCREEN SHARE TO HELP YOU BUT THAT'S IT. *** (Seriously, don't email your merchant login to anyone. Please.)
- Analytics Updates (possibly)
Search engines such as Google and Bing favor sites served over HTTPS. Yea! However, your canonical URL (your official site address, as configured in Google Analytics, Bing and similar tools) may need to be updated. All sites will need a canonical URL that starts with "https" and has a label such as "www" in front of the organization's domain; most already do. Really, anything in front of the example.org part works. For example, https://example.org is not valid as a canonical URL but https://www.example.org is. So is https://intranet.example.org.
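To make the canonical URL rule above mechanical, here is an added example (not Tendenci code) that checks a candidate URL against it and proposes the corrected form. It assumes the organization's registrable domain is the last two labels of the hostname (right for example.org or example.com, wrong for suffixes like .co.uk, so a `domain` argument lets you override that); the sample URLs are made up for illustration.

```python
"""Canonical URL check: https scheme plus a label in front of the site's domain.

Added example, not Tendenci code. Assumes the registrable domain is the last
two hostname labels unless `domain` is given explicitly.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def _host_and_domain(url: str, domain: Optional[str]):
    """Parse url and return (hostname, registrable domain), both lowercased."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []
    dom = (domain or ".".join(labels[-2:])).lower()
    return parts, host, dom


def canonical_url_check(url: str, domain: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the URL is a valid canonical URL."""
    problems: List[str] = []
    parts, host, dom = _host_and_domain(url, domain)
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https, got %r" % (parts.scheme or "none"))
    if not host:
        problems.append("no hostname found (did you forget https://?)")
        return problems
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL are not allowed")
    try:
        port = parts.port
    except ValueError:
        port = -1  # non-numeric port text
    if port not in (None, 443):
        problems.append("non-standard port %s" % port)
    if host == dom:
        problems.append("hostname must have a label in front of %s, e.g. www.%s" % (dom, dom))
    elif not host.endswith("." + dom):
        problems.append("hostname %s is not under %s" % (host, dom))
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("canonical URL should be the bare site root, without path or query")
    return problems


def canonicalize(url: str, domain: Optional[str] = None) -> str:
    """Suggest a fix: force https, prepend www. to a bare domain, drop path and port."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # a bare "example.org" has no scheme for urlsplit to see
    _, host, dom = _host_and_domain(url, domain)
    if not host:
        raise ValueError("no hostname in %r" % url)
    if host == dom:
        host = "www." + host
    return "https://" + host


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real site.
    for candidate in ["https://www.example.org", "http://example.org/about",
                      "https://example.org", "https://intranet.example.org/"]:
        issues = canonical_url_check(candidate)
        print(candidate, "OK" if not issues else issues, "->", canonicalize(candidate))
```

Run `canonical_url_check` over the property URL you have configured in each analytics or webmaster tool; anything that comes back with problems should be replaced with the output of `canonicalize`. Paths and query strings are flagged rather than stripped silently because a canonical URL is the site root and anything else points at a single page.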
Why doesn't Tendenci (the company) give us greater advance notice on security updates?
I get this question a lot and it still puzzles me. Pause and think this one through. It's the difference between calling the local telephone number for the police or calling 911.
Bad actors don't sleep. Even doing this news release gives them a brief advance notice and they are watching your site probably more than you.
Our clients are global. Time is fluid to our team. And you need to be protected. Anyone in the Tendenci community with permissions is not only allowed to, but strongly encouraged and sometimes required to, immediately run an update and reboot a site as needed. Most of it is automated - although we obviously monitor it and log it over and over.
I'd like to emphasize this point. We have ALWAYS done automatic security updates whenever they come out. This is automated. If a reboot is required your site may be offline briefly (usually two to three minutes). It doesn't matter what time of day it is - if a security update is needed it is installed. Period.
Your security is important to us. Let's do this!