Looming SSL issue – What to do?
The topic of security certificates has come up in the past with the answer being, it’s not urgent—yet.
Well, Google just announced on their blog that when Chrome 68 comes out in July, all non–https web sites will be labeled “Not Secure” in red text. Mozilla and Microsoft will follow suit by end of 2018. Up to this point, the security warning has been subtle and only on pages asking for password or CC info.
Things have changed since I last looked into SSL and opted not to pay $100 for it. Now Symantec is out, other options are available (including free “self–certification,” whatever that means), and I certainly can’t have my owner website labeled “Not Secure” when the big OTA’s are already warning guests from booking direct!
How do I get certified? Not through DNS registrar because my site is hosted on MyVR server (I think) ergo I can’t install it myself either. Must it be renewed every 90 days and is there a way to automate that? Do I need separate certificates for additional domains directing to my site?
Hi @Ann-D-Liptak ,
Thank you for reaching out. I'm happy to help with your inquiry.
As long as your site is hosted on MyVR, it's up to us to provide the SSL certificate. While one is not available at this time, we are currently working on it and the SSL certificate for your site will become available very soon.
What kind of redirection is being used for the additional domains which direct to your site? Do the additional domains link to the MyVR registered domain, or is the redirection done in an HTTP response? With this clarification we can advise further.
It's a 301 redirect. I use namecheap/cPanel. I will have to create new redirects to the https when that's available, right?
@wendy-gold could you please give some more direction how we have MYVR implement an SSL certificate for us? Also could you please give me a better inclination of timeline?
The reason I ask is I have now been called by 5 guests telling them that google chrome is marking our site as "non-secure" and redirects them to "safety" we never had this issue till we switched to MyVR earlier this month. We really need this taken care of ASAP!
We don't have an exact timeline right now. However, the development has been finished and now we are just working on testing. I'll try to gather more information about how it will be implemented and will get back to you.
@Spencer-K-Bailey I took a look at your site, and noticed that you had embedded a widget by tawk.to - This widget has caused problems for other customers, and indeed on your site it was actually preventing some pages from loading intermittently. I would strongly suggest finding a better alternative, and not using this product.
In order to get your site working again, I've removed it. Please open a support ticket if you'd like to discuss further.
As @Wendy-Gold has mentioned, MyVR has implemented and is currently testing HTTPS support for all websites. It will be released several months before the Chrome 68 release in July 2018. No action by MyVR users will be required to setup or manage HTTPS certificates - all MyVR websites will have HTTPS certificates automatically issued and renewed at no additional cost. Once HTTPS support for all websites is released the switchover from HTTP to HTTPS will also happen automatically via permanent redirects (i.e. any request made to HTTP will be redirected to HTTPS). If you have other domains, not registered in MyVR but are redirecting to a MyVR registered domain you will not need to change anything - those redirections will continue to work. After HTTPS support is released you may change those redirections to point to HTTPS but it will not be required. Lastly, checkout pages (where credit card details are entered) on MyVR websites have always been and always will be served over HTTPS.
The following was sent to me by a friend trying to access my site that I pointed to MyVR. She is using Chrome. .
Is this message a result of the HTTP not HTTPS or because my domain is pointed to MyVR that is hosting my site?
That is the result of you going to HTTPS, which is not supported by your site yet. If you change the location to http://oceanfrontsheltercove.com your site will work fine. The HTTPS version will start working soon as mentioned above.
I wanted to provide some additional thoughts and try to clear up any confusion that may exist around MyVR’s secure website support.
All MyVR websites provide a secure checkout experience, whether your website uses a subdomain of MyVR (eg: http://your-website.myvr.com) or a custom domain (eg: http://your-website.com). If you use a custom domain, we run the checkout experience through a secure subdomain of MyVR to guarantee the security of rental transactions.
All websites that use a subdomain of MyVR (eg: http://your-website.myvr.com) come with HTTPS support out of the box. There is nothing you need to do, HTTPS support is provided for you the second you create your website and setup your subdomain.
All websites that use a custom domain (eg: http://your-website.com) have historically not come with HTTPS support out of the box. They work great and still provide a secure checkout experience, but we have not been provisioning security certificates for custom domains out of the box. We are actively working to change this, and will be rolling out HTTPS support for all custom domains hosted on MyVR in the coming days. This includes domains purchased outside of MyVR as well as those purchased with MyVR. Behind the scenes it's a complicated process with lots of websites to transition, so it will take some time to complete. Nothing is required of you as we make this change.
Going forward, MyVR will offer HTTPS support for all websites out of the box, including custom domain websites. In fact, we will be shutting down support for HTTP entirely and will exclusively use HTTPS for website traffic. Customers do not need to do anything to enable this support, it will happen automatically for you.
If you currently have a website using a custom domain on MyVR and you want HTTPS support now, please write into support and we can try to bump your website up in the transition queue. Otherwise, plan on your website automatically receiving an HTTPS support upgrade in the coming days.
I hope that clarifies some of the questions that have come up. As we roll out full HTTPS support, we'll send out a product update outlining the new functionality in greater detail. If you have any other questions, don't hesitate to ask them here and I’ll do my best to answer them.