Sunday, July 17, 2016

Introducing HTTPS for virtual hosts

The staff of the OCF strongly believe in the need for encryption of everyday communication. This case has been made not just by invasive government spying, but also by wireless carriers (like Verizon) maliciously modifying requests to increase ad revenue. We think that the internet needs to transition to encrypting all communications whenever possible.

Two years ago, we transitioned all of www.ocf.berkeley.edu (all regular user websites) to HTTPS-only. At the time, it was impractical to also transition virtual hosts, because there was no way for us to acquire the necessary SSL certificates without a lot of manual effort.

With the creation of Let's Encrypt, a free provider of SSL certificates that prioritizes automation, we're finally able to start offering HTTPS for virtually-hosted websites as well. Starting today, we'll be slowly rolling out HTTPS for our virtual hosts. We expect the full roll-out to complete within about 3 months.

What do I need to do?
Most likely, nothing. We'll automatically switch your site over to HTTPS when we acquire a certificate for it. (We're unable to immediately acquire certificates for all of our ~500 virtual hosts due to Let's Encrypt's rate limits.)

Will this break existing links to my website? Do I need to update posters with the new link?
No. We will issue 301 redirects to the updated URL.

Are you sending the HSTS header?
Not yet, but we'd like to in the future. We want to make sure we've tested the current setup for some time first, as once we start sending the header, we can never go back to plain HTTP.

We do send the HSTS header for www.ocf.berkeley.edu (user websites).
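The following is an added example, not the OCF's own code: a small checker for the two behaviours described above, the 301 redirect that keeps old links working and the length of the commitment an HSTS header creates. The hostname and the response data are constructed; the function names are hypothetical.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted string
            if arg.isdigit():
                max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_redirect(url, status, headers):
    """Check the response to a plain-HTTP request for `url`.

    `headers` maps lower-cased header names to values. Returns a list of findings.
    """
    findings = []
    src, dst = urlsplit(url), urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"expected 301, got {status}")
    if dst.scheme != "https":
        findings.append("redirect target is not https")
    elif (dst.hostname, dst.path or "/", dst.query) != (src.hostname, src.path or "/", src.query):
        findings.append("redirect changes host, path or query; old links will break")
    # RFC 6797: browsers ignore HSTS received over plain HTTP
    if "strict-transport-security" in headers:
        findings.append("HSTS header on a plain-HTTP response is ignored by browsers")
    return findings

def hsts_commitment_days(https_headers):
    """Days a browser will insist on HTTPS after seeing this HTTPS response."""
    value = https_headers.get("strict-transport-security")
    if value is None:
        return 0
    max_age, _ = parse_hsts(value)
    return (max_age or 0) // 86400

if __name__ == "__main__":
    # Constructed responses for a made-up virtual host
    good = {"location": "https://club.example.org/events"}
    print(audit_redirect("http://club.example.org/events", 301, good))
    bad = {"location": "https://club.example.org/"}
    print(audit_redirect("http://club.example.org/events", 302, bad))
    print(hsts_commitment_days({"strict-transport-security": "max-age=31536000"}))
```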

My site broke after the switch to HTTPS, what do I do?
It's unlikely, but possible, that some sites will break because of this. Typically, this is because of the wrong site URL set within a CMS like WordPress. You should be able to fix this by logging in to the admin panel and making sure your site URL has https:// at the front.

If there's anything we can do to help, don't hesitate to send us an email.

Update 2016-10-09: The roll-out is complete.