Mosaic moves to HTTPS-only

To avoid security alerts appearing in the Google Chrome web browser, support for https was added to all Mosaic sites on 24 October.

From 16 November, we are redirecting all http traffic to https.

What is changing?

We are making 3 changes to implement support for HTTPS in the Oxford Mosaic web platform:

  1. On 24 October 2017, we updated the platform’s SSL Security Certificate to add support for https for all sites, using each site’s primary domain – whether that is the platform address (sitename.web.ox.ac.uk) or a custom domain (usually www.sitename.ox.ac.uk, but also other forms, including non-ox.ac.uk domain names).
    At this point, even though each site supports https, it remains accessible over http, so a user following an ‘http://’ link or bookmark would not benefit from the more secure protocol. So …

  2. On 16 November 2017, we are adding a rule to redirect all requests for webpages made over http to https instead.

  3. From 1 November, our process for adding new custom domains to our SSL Security Certificate is changing. Previously, we only implemented https support for sites that required web users to log in to view content restricted to Oxford members, and a charge of £250 was made to add the domain. Now, custom domains will always be added, and this will be done without charge.

HTTPS for content editing on the platform domain, sitename.web.ox.ac.uk, is already supported, and sites which also use this address as their primary domain will be supported from the point their site is created. For new sites requesting a custom primary domain, the custom domain will need to be added to the SSL Certificate before the site goes live. It is essential that this is requested sufficiently early for us to make this update – see below.

What is the benefit for website users and what will they see?

https adds a security layer, providing authentication of the website and webserver the user is communicating with. It also encrypts communications over the web – e.g. data sent in a web form or entered in a search box. Together this means website users can have confidence that the website they are using is the real one and not a fake, and that their communications with it cannot be ‘overheard’ or forged.

https is not new, but using it everywhere and allowing https only and not http is. Mosaic websites always used https wherever needed, but now adding it everywhere makes things simpler and more reassuring for users.

Starting with Google Chrome, web browsers are increasingly indicating whether a page uses https. Alerts similar to the following will increasingly be seen in browser address bars.

A website supporting https, displaying the green padlock and additional text:

(Screenshot: secure address)

A website without https, displaying a red warning symbol and text in the address bar, accompanied by warning text on the page and browser tab:

(Screenshot: example alert for a not secure page)

(The precise text displayed varies depending on the browser, and different browsers will implement changes at different times.)

If webpages which support https include embedded resources – e.g. images, video, or audio – that are not served over https (so-called mixed content), then, depending on browser settings, an alert may occasionally appear or the content may not display correctly. Website content editors can minimise this risk by ensuring that, wherever their external resources support https, they include them on their pages using the correct form of address – see below.

Do Site Administrators and content editors need to do anything?

Because we automatically redirect all traffic that comes into Mosaic over http to https, links or embedded elements in your website that refer to your own or other Mosaic sites using ‘http’ won’t cause problems. However, from now on you should use ‘https’ or a root-relative format when adding these. If you are linking or referring to non-Mosaic sites, you should also do this wherever those sites support https.

To do this you need to ensure that none of the links or embed references in your website are given in the form ‘http://sitename.web.ox.ac.uk/pagea’. Instead:

  • If linking to a page on the same site, use the editing methods within Mosaic to add links, e.g. using a generated listing or by selecting a page using the page name auto-complete look-up:
    (Screenshot: link to page)
  • If adding a link in the WYSIWYG widget to a page on the same site, use the Link to Content button to add the link to the page:
    (Screenshot: Link to Content)
  • If linking to an external site that supports https, use https as the protocol, NOT http, i.e. give links in the form ‘https://www.sitename.org/link/’:
    (Screenshot: https link)
  • If inserting an image, video or audio file from the Files media library into the WYSIWYG Content Area widget, https will be used automatically. If you add a link to the image, however, remember to use the https:// protocol in the Link to URL field:
    (Screenshot: insert media library image)
  • If inserting an external image, video or audio file into the WYSIWYG Content Area widget using ‘Link from the Web’, use the https:// protocol in the URL field:
    (Screenshot: insert external image)
  • If you are using the WYSIWYG Content Area widget in Source view to add embed code from a third-party tool – e.g. embedding a YouTube video – this will already use https in the embed code supplied by the tool.
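As an added illustration (not part of the original announcement or of the Mosaic platform itself), the following Python script scans a fragment of page HTML for the ‘http://’ link and embed forms the list above warns against, distinguishes plain links from mixed content (resources fetched into the page), and proposes the replacement described above: root-relative for same-site references, https for external ones. The site host and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical Mosaic site host, used only for the constructed sample below.
SITE_HOST = "sitename.web.ox.ac.uk"
# Tags whose href/src fetch a resource into the page: an http:// value here is
# mixed content (which browsers may block), not just an insecure link.
RESOURCE_TAGS = {"img", "video", "audio", "source", "iframe", "script", "link"}

class InsecureRefScanner(HTMLParser):
    """Collects every http:// href/src and suggests the fix the announcement
    asks for: root-relative for same-site references, https for others."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            url = value.strip()
            parts = urlsplit(url)
            if parts.scheme.lower() != "http":
                continue  # https, root-relative and protocol-relative are fine
            if parts.netloc.lower() == self.site_host:
                kind, fix = "same-site", parts.path or "/"
                if parts.query:
                    fix += "?" + parts.query
            else:
                kind, fix = "external", "https://" + url[len("http://"):]
            severity = "mixed-content" if tag in RESOURCE_TAGS else "link"
            self.findings.append({"tag": tag, "attr": name, "kind": kind,
                                  "severity": severity, "url": url, "fix": fix})

def scan(html, site_host=SITE_HOST):
    scanner = InsecureRefScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample fragment, not taken from any real Mosaic site.
SAMPLE = """
<a href="http://sitename.web.ox.ac.uk/pagea?x=1">Page A</a>
<a href="/pageb">Page B</a>
<a href="https://www.example.org/link/">External</a>
<img src="http://www.example.org/logo.png">
<iframe src="https://www.youtube.com/embed/placeholder"></iframe>
"""
```

Running `scan(SAMPLE)` reports two findings: the same-site link (to be rewritten as `/pagea?x=1`) and the external image, which is mixed content and should be rewritten to https if the host supports it.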

Adding HTTPS support for new Custom Domains

In future, when a website wants to add a custom domain as the primary domain for the site, we will need to change the Mosaic platform SSL Security Certificate to add it, so that https is supported on the custom domain. This requires us to purchase an updated certificate from a third-party Trust Vendor, so it is particularly important that we are informed in good time to avoid delays to sites going live. At least 1 month’s notice is required.

Please note: In order to be added to the SSL Security Certificate, the domain MUST be registered by the University Domain Registrar. See https://oxfordmosaic.web.ox.ac.uk/domains for more information.