Did you know that Uberflip automatically protects traffic to your Hub with HTTPS? Here's why that matters, and how it works.
This article is about a feature that may not yet be available on your Uberflip account, as it is being rolled out in phases:
- First Phase: Initially, this feature will be available to new customers who opened an account after mid-May 2019.
- Second Phase: After the initial phase ends, the feature will be progressively rolled out to all existing customers.
Note also that this feature replaces an existing feature. If you do not yet have access to this feature, you can find documentation on the existing functionality here.
HTTP vs. HTTPS: A Quick Primer
If you've heard that you should be using HTTPS but aren't really sure what it is or why you need it, this primer is for you. If you're already familiar with this topic, you can skip ahead.
What is HTTPS?
You've probably heard of HTTP, the HyperText Transfer Protocol. It's a system that web browsers and web servers use to talk to one another; a way for them to send requests ("send me this webpage") and responses ("here is the webpage you asked for") back and forth.
Most websites don't use HTTP anymore, because it has a major security flaw: it's not encrypted. This means that, with HTTP, anyone who's listening in can see exactly what's being sent back and forth between a browser and a web server. And it's not just three-letter government agencies who can do this: with HTTP, anyone on the open WiFi network at your local coffee shop could see which websites you're looking at.
HTTPS fixes this problem. The S stands for secure, to indicate that all communications over HTTPS are encrypted. Only the two parties talking to each other (the browser and the server) can decrypt and read each other's messages — to any eavesdroppers, the encrypted messages just look like garbled nonsense.
Why is using HTTPS important?
In the past, only websites dealing with "sensitive" information (like banks or ecommerce sites) used HTTPS, and HTTP was considered "good enough" for everything else. But HTTP has inherent flaws that make it a huge security risk: for example, HTTP does not verify that you're actually connecting to the website you asked for, so there's little to stop an attacker from impersonating a website and stealing your data.
In recognition of this problem, there has been a push over the last several years to use HTTPS for all kinds of websites. If you take a look at your browser's address bar, you should see something like this:
This padlock icon indicates that the website you're on uses HTTPS, and you're likely to see it on most websites you visit. In fact, as of 2019, the majority of the world's websites use HTTPS.
This push towards HTTPS has been driven in large part by internet giants like Google. Starting in 2014, Google decided to prioritize websites that use HTTPS in its search results, effectively downranking sites that use HTTP. And since July 2018, Chrome has displayed this message to highlight websites that don't use HTTPS:
On today's web, using HTTP is detrimental to your traffic, so you should make sure that all your web properties use HTTPS. The good news is, using HTTPS with an Uberflip Hub couldn't be easier.
A Quick Note on Terminology
You may have also seen the term SSL used in the context of HTTPS. This term refers to the encryption technology that HTTPS uses, and is sometimes used interchangeably with the term "HTTPS".
SSL has actually been replaced by the more-secure TLS technology — but although it's technically incorrect, the term "SSL" is still widely used. Whenever you see the term "SSL" (including in Uberflip's documentation), you can generally assume that this refers to more-secure TLS technology.
How does HTTPS work on Uberflip Hubs?
If you have set up HTTPS for another website in the past, you already know that it can be a hassle: you have to buy an SSL certificate from a Certificate Authority (CA), install the certificate on your web server (or, more often, wait for your IT team to do it), and then do it all over again every time the certificate expires.
You don't need to worry about any of this with your Uberflip Hub. Uberflip automatically obtains and sets up the SSL certificate for your Hub's domain, and automatically renews it when it expires. This means that you get all the benefits of HTTPS on your Hub, without the hassle of setting it up and maintaining it.
Where does Uberflip get the SSL certificate for my Hub?
To set up HTTPS for Hubs, we use certificates from Let's Encrypt. Let's Encrypt is a new kind of Certificate Authority run by the Internet Security Research Group, a public-benefit corporation backed by a number of major organizations, including Mozilla, Cisco, Shopify, the Ford Foundation, and the EFF. Their mission is to encourage the wider use of HTTPS by making the entire setup and maintenance process much easier. To that end, Let's Encrypt certificates are:
- Free: Unlike traditional CAs, Let's Encrypt provides and validates certificates at no cost
- Automated: The entire enrollment process for certificates is automated, as is renewal of the certificate upon expiration
- Open: Let's Encrypt uses open standards, and their code is open source
- Simple: With Let's Encrypt certificates, you don't need to worry about payment, installation, or keeping track of expiring certificates
Although they're free, Let's Encrypt certificates are just as secure as certificates from traditional CAs. And because they're automated, Uberflip can take care of provisioning, setting up and renewing your Let's Encrypt certificates for your Hub domains — you don't need to do a thing.
How do I set up HTTPS for my Hub?
Whenever you add a new domain to your Hub (under Hub Options > Change Domain > Add a Domain), it will be automatically set up to use HTTPS:
Seriously, that's all there is to it. The domain you set up with be secured with HTTPS, and you never need to worry about it again: when it's time to renew the certificate, Uberflip will just seamlessly do it for you.
Existing HTTP Hubs
If you have an existing Hub that uses HTTP, and you want to switch to HTTPS, you can do so with the click of a button.
To switch, click on your name in the top right corner of the Uberflip app, then go to Account Settings > Services > Domains. Find the domain in the list, and you should see the Enable HTTPS button beside it:
If a pre-provisioned Let's Encrypt certificate is available for your Hub, this will enable HTTPS on the selected domain immediately. If your Let's Encrypt certificate has not yet been provisioned, HTTPS will be enabled as soon as the certificate is ready, typically within a few hours.
Instead, please contact Uberflip Support for guidance on what you need to do before making the switch to HTTPS.
What if my Hub already uses HTTPS with a legacy certificate?
Uberflip-Managed Legacy Certificates
If you set up HTTPS for your Hub in the past and chose to let Uberflip handle the certificate setup, you'll be automatically moved onto a new Let's Encrypt certificate once your current legacy certificate expires. This process is seamless, and you don't need to do anything to make it happen. You shouldn't notice any change, and everything will continue to work just as it did before.
Self-Managed Legacy Certificates
If you opted to use a self-managed certificate with your Hub (i.e. if you sent us a PEM file), you will continue to follow the same process as before: whenever your current certificate expires, you will need to send us a new PEM file.
In addition, we have also provisioned a Let's Encrypt certificate for you as a fallback. If your self-managed certificate expires and you do not send us a new PEM file in time, we will automatically transition your Hub onto the Let's Encrypt certificate so that it remains secure.
If you are currently on a self-managed certificate and want to switch to a Let's Encrypt certificate, you can do so at any time. There are a lot of good reasons to switch: you will no longer need to keep track of your certificate expirations, pay for renewals, or prepare and send us a PEM files. If you're interesting in moving from self-managed to automated HTTPS, please contact our Support Team, or get in touch with your CSM.