Question

Ken Roach

0

SSL/TLS Encryption best practice - by page or by site?

Rock can force encryption (https) by page (Page Properties > Advanced Settings > Force SSL), 
or by site (Admin Tools > CMS > Sites > Edit Site > Require Encryption).

But which is best practice?  Why would you not just turn it on at site level?  

  • Shawn Ross

    1

    Ken, good question. When Rock first launched, the tech landscape was a bit different in terms of SSL. Let's Encrypt wasn't really a thing yet, Google (& others) hadn't really pushed HTTPS everywhere yet, etc. There are also some very fringe cases where using SSL is undesirable.

    I see no reason not to enable it at the site level. In fact, the excellent ACME Certificates plugin makes it really easy to add SSL to most Rock servers.

  • Jim Michael

    1

    I agree with Shawn, but I would go a step further and say you SHOULD NOT run a Rock site that is not 100% https. Browsers now alert the user when a site is "not secure" and you really don't want to be answering to your leadership why Susie Attender is asking why the church website is "not secure." ;-)

    Take that along with the kind of information Rock is passing back and forth between the client and server and there's zero reason to have any non-encrypted pages.... so just set it at the site and you're good (assuming you have your cert set up). As Shawn says, the Let's Encrypt plugin makes this pretty painless (and free) for those that don't want to buy or manually install their certs.

    • Ken Roach

      Thanks Jim and Shawn. I wasn't able to use the Let's Encrypt plugin on our site, but this may have been because we use a subdomain address (porirua.elim.org.nz). I successfully used the "Certify The Web" tool to generate a Let's Encrypt cert, and now have the entire site encrypted.

      Thanks again for your helpful replies.