We're making an important change to how we manage the security of your Igloo: enabling SSL/HTTPS by default for all .igloocommunities.com domains by August 18.
Just because the summer is here and the sun is out, it doesn't stop our IT team from burrowing away at their desks to make your Igloo experience even better. In fact, this summer we're making an important change to how we manage the security of your Igloo.
If you've ever done your shopping or banking online, you may have noticed a small "lock" icon appear in your address bar. This indicates that your browser is using a secure connection ("HTTPS") and that any information you send remains private.
As of August 18, 2014, SSL is becoming a standard setting for all Igloo communities. That means your Igloo will be as secure as many of the big banks. For those with a .igloocommunities.com domain, this will be automatically activated and will become the default setting. For those with custom domain names, this process has a couple more steps; see our FAQ below for details.
What is SSL?
SSL (Secure Sockets Layer) is the recognized security standard for websites, creating an encrypted link between a web server and a browser.
What is encryption and why do I need it?
Encryption is a mathematical process of coding and decoding information. SSL encryption keeps online interactions private, even when you are travelling across public spaces. It prevents any information you enter (e.g. a wiki article or blog post) from being accessed by an outside source.
What level of data encryption does Igloo support?
When an encrypted session is established, its strength is determined by the capabilities of the web browser, SSL certificate, web server and client computer operating system. Igloo uses up to 256-bit AES encryption to protect data in transit, which is equal to the online security level of many big banks.
When will this update take effect?
Beginning immediately, all .igloocommunities.com domains will begin the transition. We expect to have this completed by August 18. From that point, any attempt to connect via http will automatically be redirected to https for a secure connection.
I have an .igloocommunities.com domain. How will this impact me?
Our SSL update will be enabled by default for all sites using the .igloocommunities.com domain. Previously, HTTPS was only available to customers as a premium service, but this is now available for all customers as part of your service level agreement.
You can test SSL now by typing https:// before your community URL in the address bar. SSL will be enforced on all sites with the .igloocommunities.com domain by August 18.
How does this change impact the links shared in my Igloo?
When you switch to SSL, any pre-existing http: links to your Igloo will be automatically redirected to https, including:
- URL shortcuts managed in the control panel (under optimization)
- Bookmarks (community and personal) managed in the user bar
- Links captured in a links widget or hard-coded in the WYSIWYG editor
How will this impact the custom widgets or integrations that I've built?
All video, rich media and form embeds wrapped in an iframe should serve content over https. There are a few sites that serve embeds in this manner already, including YouTube, Vimeo, Twitter, Facebook, SlideShare, SurveyMonkey, Wufoo and more.
Some third-party applications are not currently supported in https. We recommend taking a moment to evaluate your third-party applications and check compatibility. If you do have unsupported apps, Igloo will still serve the insecure content, but you may find that a security warning will appear and your content may be blocked depending on the browser. This could be visible as a full page error message, pop-up warnings or blank app spaces where the content has not been delivered.
If you do suspect some of your apps are unsupported, it's definitely worth investigating an alternative that may be more compatible to ensure the very best user experience on your site. Speak to your Igloo contact, who should be able to assist with this process.
What if I have branded my Igloo with my logo or CSS?
The only thing you'll need to do is ensure that all images are being securely hosted and served over https. This goes for CSS files and custom fonts as well.
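One way to check the embed and branding advice above before the switch, as an added example that is not Igloo's code: it scans a page's HTML for iframes, scripts, stylesheets, images and CSS `url()` references still loaded over `http://`. The `scan` function, the blocked/warning split and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Attribute that triggers a subresource fetch, per tag (<link> only when rel=stylesheet).
FETCH_ATTR = {"iframe": "src", "script": "src", "embed": "src", "object": "data",
              "link": "href", "img": "src", "video": "src", "audio": "src"}
# Assumption: browsers block these outright on an https page; other tags usually load with a warning.
BLOCKED = {"iframe", "script", "embed", "object", "link"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, where, url)
        self._in_style = False

    def _scan_css(self, css, where):
        self.findings.extend(("css", where, u) for u in CSS_URL.findall(css))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = (tag == "style")
        url = (attrs.get(FETCH_ATTR.get(tag, "")) or "").strip()
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            url = ""
        if url.lower().startswith("http://"):
            self.findings.append(("blocked" if tag in BLOCKED else "warning", tag, url))
        if attrs.get("style"):
            self._scan_css(attrs["style"], tag + "[style]")

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(data, "style")

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/brand.css">
<link rel="canonical" href="http://intranet.example.com/">
<style>@font-face { src: url('http://cdn.example.com/brand.woff'); }</style>
<img src="https://cdn.example.com/logo.png"><img src="http://cdn.example.com/banner.png">
<iframe src="http://forms.example.com/embed/1"></iframe>
<iframe src="//www.youtube.com/embed/xyz"></iframe>"""
```

Calling `scan(SAMPLE)` returns one tuple per insecure reference; ordinary `<a href>` links and protocol-relative (`//host/...`) embeds are not reported because they do not cause an http fetch on an https page.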
Are Igloo communities subject to the SSLv3 vulnerabilities?
Some media outlets have been reporting a flaw in the SSLv3 protocol, which is leaving users vulnerable to attack. We would like to make it clear that this issue has no impact on Igloo or our customers, and there is no vulnerability for exploitation of this type within our system. We do not support SSLv3, but instead rely on TLS cryptographic protocols, which are both more modern and more secure.