LO page security concerns

More and more we are asked by the donors why the pages we have are not secure (mostly due to many of the browsers now being more strict on getting warnings out for anything that's not associated with a https). Have any of you ever got asked this question by someone who also happened to work in the internet security industry? What would your standard responses be when asked?


Greatly appreciated,

Comments

  • Sam Li:

    More and more we are asked by the donors why the pages we have are not secure (mostly due to many of the browsers now being more strict on getting warnings out for anything that's not associated with a https). Have any of you ever got asked this question by someone who also happened to work in the internet security industry? What would your standard responses be when asked?


    Greatly appreciated,

    Sam, this is often due to images within the email or pages, I've found. If your images are in the LO Image Library, they can be/should be https:// based - go to the library and Preview any image you have stored there. If you look at its URL in the preview, it says https://secure3.convio.net/[your-org]/admin/ImageLibrary... BUT! If you look at the code for your page or email, I've found, the "s" part of https has been stripped out, and suddenly the URL has changed to http://cjp.convio.net/images/content/pagebuilder/image-name...


    Perhaps a BB person could answer this? why this happens, and how to repair so that images from the Image Library don't trigger the security warnings?


    Cheers,

    Gurukarm

  • Gurukarm Khalsa:

    Sam Li:

    More and more we are asked by the donors why the pages we have are not secure (mostly due to many of the browsers now being more strict on getting warnings out for anything that's not associated with a https). Have any of you ever got asked this question by someone who also happened to work in the internet security industry? What would your standard responses be when asked?


    Greatly appreciated,

    Sam, this is often due to images within the email or pages, I've found. If your images are in the LO Image Library, they can be/should be https:// based - go to the library and Preview any image you have stored there. If you look at its URL in the preview, it says https://secure3.convio.net/[your-org]/admin/ImageLibrary... BUT! If you look at the code for your page or email, I've found, the "s" part of https has been stripped out, and suddenly the URL has changed to http://cjp.convio.net/images/content/pagebuilder/image-name...


    Perhaps a BB person could answer this? why this happens, and how to repair so that images from the Image Library don't trigger the security warnings?


    Cheers,

    Gurukarm

    Gurukarm, the URL decides whether you're requesting a secure or non-secure resource. Any given image is available at two URLs:

     







    Most of LO also comes in both non-secure and secure flavors as well (also triggered by the format of the URL). For example, pagebuilder can be accessed at...

     






    ...but there is a setting you can turn on to force these pages to redirect to a secure version (manage the PB page, click the "edit page attributes" button, and it's number 6 on the "Identify page" screen). If you've got "This is a secure Page that will be encrypted via SSL" checked, then the first URL will automatically forward to the second one.


    Sam, the other thing that can happen is if you have a form embedded on a page that isn't secure. Only really comes up if you've had some customization work done, though.

  • Gurukarm Khalsa:

    Sam Li:

    More and more we are asked by the donors why the pages we have are not secure (mostly due to many of the browsers now being more strict on getting warnings out for anything that's not associated with a https). Have any of you ever got asked this question by someone who also happened to work in the internet security industry? What would your standard responses be when asked?


    Greatly appreciated,

    Sam, this is often due to images within the email or pages, I've found. If your images are in the LO Image Library, they can be/should be https:// based - go to the library and Preview any image you have stored there. If you look at its URL in the preview, it says https://secure3.convio.net/[your-org]/admin/ImageLibrary... BUT! If you look at the code for your page or email, I've found, the "s" part of https has been stripped out, and suddenly the URL has changed to http://cjp.convio.net/images/content/pagebuilder/image-name...


    Perhaps a BB person could answer this? why this happens, and how to repair so that images from the Image Library don't trigger the security warnings?


    Cheers,

    Gurukarm

     

    Thanks Gurukarm, as Jeremy pointed out, the domain should be available in both forms, and my concern is not really the absolute linking (hardcoded href to an insecure form of the image/doc location) but rather LO's default custom pages. When coding in LO, relative links are always recommended. 

  • Jeremy Reynolds:

    Gurukarm, the URL decides whether you're requesting a secure or non-secure resource. Any given image is available at two URLs:

     






    Most of LO also comes in both non-secure and secure flavors as well (also triggered by the format of the URL). For example, pagebuilder can be accessed at...

     






    ...but there is a setting you can turn on to force these pages to redirect to a secure version (manage the PB page, click the "edit page attributes" button, and it's number 6 on the "Identify page" screen). If you've got "This is a secure Page that will be encrypted via SSL" checked, then the first URL will automatically forward to the second one.


    Sam, the other thing that can happen is if you have a form embedded on a page that isn't secure. Only really comes up if you've had some customization work done, though.

     

    Do you have experience with a custom secure domain implemented by BB? Our instance recently added that feature, which should in turn remedy a lot of the insecurity but also resulted in some issues. Oftentimes, when one sets up the pagebuilder page, the SSL encryption attr was not checked off, and some scripts can only be run in the http environment. Plus, the default LOTR pages are still not encrypted with SSL. And yeah, hacked survey on a pagebuilder page is a huge problem too.

  • Gurukarm Khalsa:

    Sam Li:

    More and more we are asked by the donors why the pages we have are not secure (mostly due to many of the browsers now being more strict on getting warnings out for anything that's not associated with a https). Have any of you ever got asked this question by someone who also happened to work in the internet security industry? What would your standard responses be when asked?


    Greatly appreciated,

    Sam, this is often due to images within the email or pages, I've found. If your images are in the LO Image Library, they can be/should be https:// based - go to the library and Preview any image you have stored there. If you look at its URL in the preview, it says https://secure3.convio.net/[your-org]/admin/ImageLibrary... BUT! If you look at the code for your page or email, I've found, the "s" part of https has been stripped out, and suddenly the URL has changed to http://cjp.convio.net/images/content/pagebuilder/image-name...


    Perhaps a BB person could answer this? why this happens, and how to repair so that images from the Image Library don't trigger the security warnings?


    Cheers,

    Gurukarm

     

    It could also be the search function, if you have one! We had converted all our images and links and our page was still being marked as "Not Secure". It ended up being the search function redirecting to http://www.ourdomain.org instead of https. Fixing this seems to have fixed our security problems.
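
The causes named in this thread (hard-coded http:// image URLs, a form or search box that submits to http://) can be found by scanning a page's source before donors see the warning. The following is an added example, not part of the original thread and not LO's own code; the sample HTML, the example.org hosts and the names `audit` and `InsecureReferenceAudit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) -> category of reference the browser fetches or submits.
SUBRESOURCES = {
    ("img", "src"): "passive",    # display content
    ("script", "src"): "active",  # executable content
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only counted when rel=stylesheet
    ("form", "action"): "form",   # where the form (e.g. search) submits
}

class InsecureReferenceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (wanted_tag, attr), kind in SUBRESOURCES.items():
            value = attrs.get(attr)
            if wanted_tag != tag or not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            resolved = urljoin(self.page_url, value)
            if urlparse(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))

def audit(page_url, html):
    """Return (kind, tag, url) for every reference that resolves to http://."""
    parser = InsecureReferenceAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page source; hosts and paths are placeholders.
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<img src="http://www.example.org/images/content/pagebuilder/logo.png">
<img src="../images/banner.jpg">
<script src="//cdn.example.org/widget.js"></script>
<form action="http://www.example.org/search"><input name="q"></form>
"""
HTTPS_PAGE = "https://secure.example.org/site/PageServer?pagename=donate"
HTTP_PAGE = "http://www.example.org/site/PageServer?pagename=donate"

if __name__ == "__main__":
    for kind, tag, url in audit(HTTPS_PAGE, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

On the https:// page only the two hard-coded http:// references are reported; the same source served from the http:// address reports all five, because relative links follow whatever scheme the page itself was loaded with.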
