Yes, that is a green lock up there…

6 minute read

February 21, 2016, 10:12 AM

So in case you haven’t noticed yet, I would like to bring something to your attention.  Up until this past Friday morning, Schumin Web appeared like this in your address bar:

Schumin Web over HTTP

Now it looks like this:

Schumin Web over HTTPS

Yes, Schumin Web is now being served over HTTPS, i.e. the site is now encrypted.

I consider it kind of funny that the site is now encrypted, because in the grand scheme of things, Schumin Web is rather inconsequential as far as things worth encrypting.  After all, it’s primarily a blog and photography site.  You can’t buy anything directly on Schumin Web, as all of the areas in the Store section are outsourced to third parties.  The content is also very one-way.  Other than the email contact form and the comment sections on Journal entries and such, it’s basically whatever I want to show you.  Oh, and the aforementioned two areas are also outsourced to third parties (Bravenet and Disqus, respectively).  Therefore, I wasn’t about to shell out money to get a certificate and go through the trouble of installing it and all of that.

However, things have a way of changing.  In December, as part of the push to encrypt the entire Web, my hosting provider, DreamHost, announced that it would begin to offer free SSL certificates through Let’s Encrypt directly through the hosting control panel.  It seemed like a good idea, so I got free certificates for all of my domains.  Going into this, I was amazed to discover once again exactly how many different parts there are to a website, and was reminded of the fact that, in order to get the green lock, it all has to come through an encrypted channel.  In other words, no HTTP is allowed.  Everything must be HTTPS.  And if it isn’t 100% HTTPS, the browser will rat you out for it.

My proof of concept was a site that I don’t publicize much, but seemed like a good testbed for encryption: Anonymous DC.  When we all stopped raiding Scientology at the end of 2011 (not a conscious action to end things – we all basically just moved on), the owner of the domain name for the Anonymous DC website allowed the registration to lapse.  Even though we had all basically moved on, I really didn’t want Scientology to get its hands on our domain name.  So I backordered it, and took possession of it on May 1, 2012.  I mirrored onto it, which I had obtained in 2010 when another Anon was looking to unload it.  All that said, it made sense to use Anonymous DC as a proof of concept for encryption on Schumin Web, because Anonymous, that’s why.  The goal was to get the certificate, install it, make all parts of the site secure, and then make the use of HTTPS mandatory.  Done, done, done, and done.  It worked.  Then since Anonymous DC and You Saw The Sign are mirrors of each other, I did the same to the other site.  That worked, too.  Excellent.

So the concept was proven.  I can make encryption work on a site that I operate.  However, Schumin Web is a very different beast from Anonymous DC.  While Anonymous DC is a single-page, self-contained website, Schumin Web uses WordPress.  Schumin Web also has pieces that come from other places.  I run advertising, I have outsourced fonts, I have commenting, I have YouTube, and I have search.

I initially had a bit of difficulty in getting the green lock to come up on Schumin Web’s sandbox site.  Surprisingly, the biggest issue there was human.  I was practically pulling what was left of my hair out trying to get Google Fonts to load over HTTPS after doing everything that I could find on the matter, and actually came to the point where I needed to stop for the evening to regroup.  And since my changes didn’t work, I reverted back to the master for the theme, erasing all of my changes.  When I came back a few days later, I discovered that I had left an alternate theme active on the sandbox site, which I had been using a while back to field test some minor design changes a while back that I ultimately decided not to implement.  Then the realization hit home: I had been doing everything correctly when I was playing with it a few days prior, but the normal theme that I test things on was not active, therefore explaining why my edits didn’t work.  And because I reverted back to the master, I now had to make all of those changes over again.  Stupid, stupid, stupid, stupid, stupid.  Once I activated the normal theme for the sandbox and put the changes back in, it all worked as expected.

The biggest thing was in getting Google custom search to come in over HTTPS.  No matter what I did, I couldn’t get certain elements to go.  That’s why, back on February 11, an update came across indicating that the search function had been brought in-house.  I had run Google’s custom search in its final form since February 2011, but Schumin Web had been running Google search since the 2003 design went live.  The idea was to capture some revenue from the ads on the search.  However, the search results page was ugly, and would often give rather strange results, showing RSS feeds and category pages.  I was willing to tolerate an ugly results page to an extent, but an inability to make it serve over HTTPS was a deal-breaker.  In researching alternates, I discovered that WordPress had a native search functionality, and it actually worked pretty well.  And then I could do searches and have ads: on my site.

If you’re wondering why I didn’t know about WordPress’s native search until now, historically, it made enough sense: when I converted the site to WordPress in 2011-2012, I carried a lot of elements over from the old version of the site.  Recall that when Schumin Web launched on WordPress, all of the page URLs changed, but, for the most part, the site looked mostly the same on July 1 as it did on June 30 – enough that one then-coworker genuinely didn’t understand the significance of the move because the new version of the site looked the same as the old.  And that custom search was an instance of something that had been carried over because it had always been there.

Then the first major part of Schumin Web that was switched to HTTPS was College Life.  For those not familiar, College Life originated as a section on the main site, and then was moved to its own area after I graduated.  It’s there as a time capsule of sorts, and I don’t update the content anymore, because (A) I can’t write like that anymore, and (B) I want to preserve the memories as they were, including the way I styled things back then.  However, behind the scenes, I have always kept the site up to date.  I converted it to WordPress over the course of about a week in November 2012, and it released with very little fanfare.  And I have occasionally used it to test things on a production site, since, among other things, my sandbox doesn’t run live ads (the sandbox runs dummy ads).  In this case, I converted College Life’s search to in-house just like I did for the main site, updated the ad code, and voila – it worked.  So I put out an update announcing the change, and that was that.

Doing the main site was a bit harder, just because there was a whole lot more to do.  I specifically had to change a number of areas on the theme, such as the photo feature, because things were hardcoded a certain way.  And operating with mixed content was out of the question.  I had to do lots of little changes to a number of areas, and had to mass-update all of the image URLs to pull from HTTPS.  But it got done.  And Schumin Web over HTTPS launched this past Friday.

Then the Today’s Special site was easy.  I just removed the Google custom search and updated the ad code, and boom – it worked.  That site, as you may recall, is really old.  It was last overhauled in 2007, so it doesn’t run WordPress, and doesn’t contain a lot of the fancy features that Schumin Web has.  That site is slated for complete replacement with something way better than what’s currently there, so it was just a matter of adding the lock and moving along.  The major overhaul that I promised in 2013 is still coming, but it got shelved for a while due to other priorities, but I’m working on it again now.  It’s going to take a long time to do, but it will be worth the wait.

So there you have it, I suppose.  Schumin Web is now encrypted, and that’s going to be the new standard around here going forward.