1. What is the difference between HTTP and HTTPS?
The "S", clearly. Ha! For a more serious and technical answer, please check out HTTPS - Wikipedia. In a nutshell, the internet is passed via servers to web browsers in packets of data. For HTTPS connections, those packets are encrypted so that should someone intercept the traffic, the data being transferred wouldn't be decipherable. This is why anywhere that sensitive data is transferred via Luminate Online, the pages are already served securely via HTTPS.
 
2. Why isn’t every page in Luminate Online served via HTTPS already?
In many cases the data transferred on a page is not sensitive information (images, links, text from a server).  In other cases, the data sent via form fields wouldn’t be considered sensitive (search terms for example).  These pages were designed to be served via either protocol (http or https) and those that served static information were set to serve via http.

3. Why do sites do this? What's the reasoning behind this change?
In 2017, Google led the push to have all web traffic served via HTTPS to ensure the most secure web experience for all users. They’ve done so in a couple of ways:

4. Why is Luminate Online doing this now rather than earlier?
Luminate Online has always served any page with sensitive information via https, and offered the option on many of the modules for many years (Surveys, PageBuilder, UserLogin, for example).  On pages where there are not fields to enter data (though they could be added in PageWrappers) the original design used non-secure pages to maintain branding in the URL.  More than half of the top 100 websites on the internet don’t serve via https, meaning that Luminate Online is well within the curve of adoption of an “all https” web.

5. What is the plan for serving Luminate Online via HTTPS in places where it is currently not an option?
The plan is to allow for clients to request that their pages be switched to serve only via HTTPS via Support Portal case.

6. What parts of Luminate Online will be served via HTTPS after this process is complete?
  • TeamRaiser pages
  • Ecommerce pages
  • UserLogin
  • Email Redirector Links (link tracking from email)
Note: Switching additional pages to https will be considered in the near future.
 
7. What parts of Luminate Online have pages that are not currently available to be served securely (via HTTPS)?
  • TellAFriend
  • Vote Center (planned for in the future)
  • eCards
  • Rewards
  • Clubs
Note: These will be evaluated and offered via https in the future.

8. What do I have to do to get ready for the switch and how do I request it?
  • ​​It is important to understand the process that will occur on pages that are switched to secure. Once the update is made, any of the pages formerly served via HTTP will redirect to the HTTPS version of the page. You will need to verify that all images, stylesheets, and javascript files are served securely.
  • To prepare for the update you should verify that all URLs referencing these files on your pages are relative links as opposed to absolute links:
    • Absolute links look like this: <img src="http://hotdog.org/images/hotdog.jpeg">
    • Relative links look like this: <img src="../images/hotdog.jpeg">
    • Note the double quotation mark and double period ("..) in place of the URL
  • You will receive a readout of absolute links on your site. These will need to be found and changed to relative links.
  • If you don't host the content on your site that you are linking to, you will need to update absolute links to use the HTTPS variant of the URL. This may not be possible for some third-party sources. Most third parties will allow for a link type that is similar to a relative link, in that it takes on the protocol (HTTP or HTTPS) of the page it is on.
    • These types of links will look like this: <script type="text/javascript" src="//s7.addthis.com/js/300/addthis_widget.js”>
    • Note the double quotation mark (“) and absence of HTTP or HTTPS at the beginning of the URL
  • Once this is complete the request can be made to Support to switch your Luminate Online servlets to secure.

9. How do I request to have TeamRaiser (TR), eCommerce (Ecommerce) and User Login (UserLogin) sections of my site to be served only via HTTPS?
  • You can request this by submitting a Support case at the Customer Support Portal. Please include "LO Secure" in the title and a link to this KB so we can route your request appropriately. 
  • The change can be made to your site Monday-Friday 9 AM to 6 PM Central.  If the time of the change isn’t a priority, the hosting team will make the change sometime within 48 hours of the request.
  • To make this request, you must understand the following:
    • I understand that I will be provided with a list of urls that are within the site content that may need to be updated to be either relative or need to change to https (Yes/No) The result of content (images, javascripts, css files) that is served via http on pages that overall are served on https will be a mixed content warning in the url bar, which shows the page as not secure (https://www.globalsign.com/en/blog/how-to-fix-mixed-content-warnings-on-your-ssl-site/).  If you are not comfortable doing this or need assistance, work with your Client Success Manager and schedule the change to be a part of a services engagement which will come at a fee.
    • I understand that once the change is made to make the pages secure, all eCommerce pages, UserLogin and TeamRaiser pages that used to be served via http will be served via https.
    • I understand that once complete, this case will be updated and the pages can be checked for any mixed content warning or possible display issues due to the change.
    • If you are planning to also request a custom secure domain (Custom SSL Setup Instructions) this should be done simultaneously so that double work can be avoided.
10. Frequently asked questions about the change to LO Secure
  • Can we first switch to HTTPS on our dev site to test impact?
    • If you have a dev site, we can switch that to LO Secure first.
  • When we make the switch to our Production instance, can we roll-out to specific TeamRaisers or eCommerce stores first, before pushing the switch to all pages?
    • We are not able to segment the switch to using secure pages, it’s all or nothing because it is at the servlet level.
  • Will there be any downtime or instability during the change?
    • There is no downtime and no effect on stability to make the switch to secure.
  • Are there any risks?
    • There are two known risks:
      • Absolute links to the http version of your URL will break. However, we have mitigated this by providing a readout of such links to clients to fix before the switch. More information is in #8 and #9 above.
      • Clients without a custom secure domain will lose URL branding (http://www.npsite.org will change to https://secure2.convio.net/npsite) if you go through this process before obtaining a custom SSL certificate. There is a separate process for that linked here. Please check with your CSM.
  • What should we do for testing after the change?
    • We suggest that clients perform a few QA tests after the roll-out:
      • Test out a TeamRaiser registration, personal pages, custom pages
      • Go to your ecommerce store, select item, and purchase
      • Try to login, either in wrapper or at UserLogin
  • What should I expect to see when this change is made?
    • All of your pages that have "TR", "Ecommerce", or "UserLogin" will always be served on HTTPS.