• English
  • Japanese

Always On SSL transition for websites on Shared Workspace

Always On SSL transition for websites on Shared Workspace (http://*.sfc.keio.ac.jp/) will be supported by Shonan Fujisawa ITC.

What is Always On SSL (Always HTTPS)

It was previously common practice to protect communication by using HTTPS only for pages to enter passwords, personal information and etc. on website such as login pages and credit card settlement pages.

However, in recent years, increasing of security awareness on internet and measure main browser such as Google chrome took require whole websites to be used HTTPS. It is called Always On SSL (Always HTTPS) that providing HTTPS for not only some parts of website, but also whole website.

What happens if Always On SSL is not implemented?

Warning may be displayed on address bar on main Web browser when http website displays. Access to http website have address bar displayed “Unprotected communication” after Google Chrome 68 and “Not Secure” after Safari 12.1. In order not to display warning that website visitors feel anxiety, Always On SSL implementing HTTPS to whole website is required.

Notes for Always On SSL transition

Measure for mixed content

When Always On SSL is implemented, URL will be changed to start from https. Therefore, all URL written in internal links or site map on HTML files need to be changed to start from https. Especially when using absolute path started from http on link destinations to load img tag or css and mixed with http and https on one page, it will be a state of mixed content. With the state, key mark may not be displayed or warning may be displayed depends on browser and that results to user confusion.

To get rid of mixed content, either following way will be required to take for internal link URL.

  • Rewrite to absolute path starts from https without no exception.
  • Write with relative path, not with absolute path.

In addition, regarding external link, if http URL is written, usually it won’t be mixed content. But when it loads style sheets or images from external and that URL is http, it will be mixed content. If the load destination supports https, need to rewrite with https. And if not, measure such as to stop loading from external is required.

With using tools installed on browser for developers, it is possible to identify caused parts of mixed content on source code.

Care of URL starts from http

Although the following two URL 'https://hoge.sfc.keio.ac.jp' and 'http://hoge.sfc.keio.ac.jp' are very similar, they are treated as different URL on Internet. If linked URL described on external websites starts from http, it become unaccusable from link source when Always On SSL is implemented and the URL is changed to https. So URL provided with http will need the care.

In order not to be error when there is access to http website 'http://hoge.sfc.keio.ac.jp/', redirect setting to https website 'https://hoge.sfc.keio.ac.jp/' will be needed. In addition, if public http website closed suddenly, links from other sites may be broken or access from bookmark of web browser may be disabled.

Change setting of external linkage service

If you are using external linkage service such as access analysis tools or site search, registered URL need to be changed from URL starts from http to URL starts from https.


Implementing Always On SSL on websites on shared workspaces

Always On SSL transition for websites on Shared Workspace (http://*.sfc.keio.ac.jp/) will be supported by Shonan Fujisawa ITC.
By doing this, Always On SSL will be realized usually without any working for contents etc. by users.

  • Arrangement and installation of SSL certificate
    • No need to arrange SSL certificate by users
    • Wild card SSL certificate can also support sub domain
  • Redirect http accesses from external to https
    • Access to 'http://hoge.sfc.keio.ac.jp' will be automatically redirected to 'https://hoge.sfc.keio.ac.jp'
    • Both access to http/https is possible for a while
  • Automatic translation (http -> https) of own site’s (*.sfc.keio.ac.jp) URL in contents
    • In case there are still some http references to own site in contents, that will be translated with https automatically.
    • Load balancer in the preceding paragraph mechanically process providing SSL and rewrite.
    • Although http reference to external site won’t be translate, you need to change sources by yourself if necessary.

However, you need to work by yourself for parts related to mixed content (especially in the case of loading style sheets or images from external) depend on the situation.

If you have any questions, please contact us.

Transition period of Always On SSL for website on Sheared Workspace.

After the following date and time, all the http access to websites on Shared Workspace will be redirected to https.


Modified date: 10:00am, Monday, 3 June, 2019


Note

Regarding SFC-CNS personal Web domain

The following SFC-CNS personal Web domains have been already on the accessible status both with http (Non SSL) and https (SSL). Shonan Fujisawa ITC doesn’t support Always On SSL (forced redirection to https) for them.


SFC-CNS personal Website (http) http://web.sfc.keio.ac.jp/~{username}/
SFC-CNS personal Website (https) https://web.sfc.keio.ac.jp/~{username}/


If your personal Web domain need to be implemented Always On SSL, please write redirect process on such as htaccess or so.


Reference

Last-Modified: May 24, 2019

The content ends at this position.