Better solution for HTTPS "vanity URLs"

Ok, several threads have been popping up in recent weeks related to secure pages being hard-coded to secureX.convio.net and the proposed solution has been that everyone should talk to their rep about getting a security certificate and vanity URL so that secure pages use the same root domain as non-secure pages. At least one KB article recommends that everyone make the change.


So we talked to our rep, here's what that'd entail:
  1. Implementation project costing thousands of dollars.
  2. Three-year service agreement costing thousands of dollars.
  3. Buy your own SSL certificate from GeoTrust for hundreds or thousands of dollars.
  4. Redo all pagewrappers and individual pages on your own (not clear if S29 will work), costing hundreds of work hours.
Anyone come up with a solution here that won't cost five figures?

 
Just to be clear, here's what every single LO customer trades off if they don't change anything and keep using convio's secure URLs:
  • Google Grant accounts being suspended when orgs try to target donation page with Adwords
  • Donation & secure PageBuilder pages show up in Google search as owned by Convio
  • Chrome "Not Secure" warning when normal pages target secure pages with forms
  • Full-page security warning if outside links target your url instead of Convio's
  • Donors may think it's a phishing attack when the Donation URL doesn't match the org URL
  • SEO ranking penalty for non-secure pages (e.g. TeamRaiser entry pages)
  • If full-page security warning is ignored, some pages redirect and other pages give a "not found" error
  • Facebook links preview convio.net instead of org website
Quick illustration of how broken things have become. TeamBuilder's product-built greeting pages contain a participant search form that targets a non-secure page. The only reason that it doesn't trigger Chrome's new "not secure" address bar warning is because LO has a hack (as in, the form submit button class is literally "default-submit-hack") to hide it. According to Google, trying to hide things is a violation of their Webmaster Guidelines, and just about everyone is going to be on the hook.


Look, I'm not trying to start a war here, I just want to have a site that doesn't throw errors, scare visitors, and make Google mad. Every BlackBaud LO client is facing this issue, and it's not going to work for everyone to spend $10k to fix it.


Blackbaud, is there another solution?

Comments

    1. Implementation project costing thousands of dollars.
    This part is the most unbelievable to me. There needs to be a pretty good reason for why this is anything less than preposterous gouging. 
  • Jeremy Reynolds:

    Ok, several threads have been popping up in recent weeks related to secure pages being hard-coded to secureX.convio.net and the proposed solution has been that everyone should talk to their rep about getting a security certificate and vanity URL so that secure pages use the same root domain as non-secure pages. At least one KB article recommends that everyone make the change.


    So we talked to our rep, here's what that'd entail:

    1. Implementation project costing thousands of dollars.
    2. Three-year service agreement costing thousands of dollars.
    3. Buy your own SSL certificate from GeoTrust for hundreds or thousands of dollars.
    4. Redo all pagewrappers and individual pages on your own (not clear if S29 will work), costing hundreds of work hours.
    Anyone come up with a solution here that won't cost five figures?

     
    Just to be clear, here's what every single LO customer trades off if they don't change anything and keep using convio's secure URLs:
    • Google Grant accounts being suspended when orgs try to target donation page with Adwords
    • Donation & secure PageBuilder pages show up in Google search as owned by Convio
    • Chrome "Not Secure" warning when normal pages target secure pages with forms
    • Full-page security warning if outside links target your url instead of Convio's
    • Donors may think it's a phishing attack when the Donation URL doesn't match the org URL
    • SEO ranking penalty for non-secure pages (e.g. TeamRaiser entry pages)
    • If full-page security warning is ignored, some pages redirect and other pages give a "not found" error
    • Facebook links preview convio.net instead of org website
    Quick illustration of how broken things have become. TeamBuilder's product-built greeting pages contain a participant search form that targets a non-secure page. The only reason that it doesn't trigger Chrome's new "not secure" address bar warning is because LO has a hack (as in, the form submit button class is literally "default-submit-hack") to hide it. According to Google, trying to hide things is a violation of their Webmaster Guidelines, and just about everyone is going to be on the hook.


    Look, I'm not trying to start a war here, I just want to have a site that doesn't throw errors, scare visitors, and make Google mad. Every BlackBaud LO client is facing this issue, and it's not going to work for everyone to spend $10k to fix it.


    Blackbaud, is there another solution?

     

    Just to clarify, I think you're talking about two slightly different issues. One is that very soon, it will be necessary for all pages to be served over HTTPS, so that browsers won't show a "Not Secure" message, your site won't be penalized by search engines, etc. The other is that by default, Luminate Online's secure domain is convio.net, and changing that to your organization's domain requires purchasing an SSL certificate, and paying Blackbaud to implement that cert. Blackbaud is working on the first issue, so that to your point, things like the TeamRaiser greeting page will soon be able to be served over HTTPS. With that change, the browser security warning will go away. Of course, that doesn't address the concern of having a branded secure domain, which I completely understand; I just want to be sure people understand the two issues are independent of one another -- one requires a software change, the other does not.


    Also, note that the "default-submit-hack" element (which is used to ensure that submitting the form works correctly even when hitting "Enter" on the keyboard), is not the thing that prevents the "Not Secure" message from being displayed. Currently, Chrome only shows that message if a form contains either username/password, or a credit card number. That will change soon, however, and Chrome will show the message for any page that has any form whatsoever. (The final phase of this change will be Chrome showing "Not Secure" on all pages served over HTTP, with or without forms.)

  • Jeremy Reynolds:

    Just to be clear, here's what every single LO customer trades off if they don't change anything and keep using convio's secure URLs:
    • Google Grant accounts being suspended when orgs try to target donation page with Adwords
    • Donation & secure PageBuilder pages show up in Google search as owned by Convio
    • Chrome "Not Secure" warning when normal pages target secure pages with forms
    • Full-page security warning if outside links target your url instead of Convio's
    • Donors may think it's a phishing attack when the Donation URL doesn't match the org URL
    • SEO ranking penalty for non-secure pages (e.g. TeamRaiser entry pages)
    • Negative SEO impact from having unbranded URLs for key webpages
    • If full-page security warning is ignored, some pages redirect and other pages give a "not found" error
    • Facebook links preview convio.net instead of org website


    Good point, I guess we're really talking about three issues here, all of which are live and impacting client sites at this moment. Each problem, when fixed on its own, will make the next one worse:
    1. Cloaking: Some product-built features hide code on the page.
      Fixing it: Go back to a clearly insecure form until HTTPS fix is in place.
      If not fixed: Google is likely to freak out at any moment.

       
    2. HTTP content: Some parts of LO make non-secure server requests.
      Fixing it: BB has identified the fix and is rolling it out to early adopters. Everyone else gets it by request only (!!), and even then the ETA could be mid-2018 (!!!)
      If not fixed: Security warnings, broken pages.

       
    3. Unbranded Domains - LO's default domain is on convio.net
      Fixing it: Custom project to buy and implement SSL key and update client instance. Cost in the tens of thousands, as I understand it.
      If not fixed: All of the bullets above except for the third one. The SEO penalty will change, but still be in place (instead of getting dinged for insecure page, we'll get dinged for unbranded URLs)


    So, it sounds like #1 & #2 above are on the docket already. According to the KB article, clients get that by request only, and even then could take half a year to implement. Am I understanding that correctly?


    Noah, do you know if BB has workarounds for any of the bullet points caused by issue #3? Anyone else figure out workable solutions?

  • Brian Mucha:

    1. Implementation project costing thousands of dollars.
    This part is the most unbelievable to me. There needs to be a pretty good reason for why this is anything less than preposterous gouging. 


    +1. I want to be reasonable here, and I figure that if the fix were easy, BB probably wouldn't still be using the convio URL a half-decade later.


    But I'm also scratching my head a little bit, wondering what the powers that be at BlackBaud think about the severity of problem #3. From folks I've talked to, I get the feeling that they're seeing this as a preference and branding issue.


    At some point, one crosses the bridge from "nice to have" into the land of "broke and bleeding." We're facing broken links and full-page security warnings. We're seeing folks lose Google Grants. We're showing up in Google as a for-profit business (that doesn't even exist anymore), and we're going to lose all ability to point ads at our own websites. These things are happening now, and will become even worse when the site switches to HTTPS only.

  • This thread is scary, and I'm not sure if these problems apply to our situation. We have an SSL certificate for our agency's website. We use a vanity address over the convio address. Will this affect us? How do I figure out if I need to do anything and what I need to do? Thanks.

     
  • Jill Freidmutter:

    This thread is scary, and I'm not sure if these problems apply to our situation. We have an SSL certificate for our agency's website. We use a vanity address over the convio address. Will this affect us? How do I figure out if I need to do anything and what I need to do? Thanks.

     



    Jill, looking at your profile, I'm assuming you're with Hospicare? Looks like you'll have problems on your TeamRaiser fundraising events (e.g. swim to celebrate life).


    Sorry to tell you, there are already a couple of security warnings visitors can see right now on that site. If you visit http://support.hospicare.org/site/TR?fr_id=1040&pg=entry in Chrome browser and click the login button, it'll change your URL/Address bar to say "Not Secure." This also happens on all of your fundraiser's personal pages. Any time people link to https://womenswimmin.org (in any web browser) they'll get a full-page security warning. Both of these will be fixed with #2 above, but will still leave you with problems from #3 if you don't do the custom project with BB (e.g. no Adwords, SEO penalties, urls you don't appear to own, etc.).


    The good news is that your non-event donation form is embedded in your wordpress site. That'll keep the warning from creeping in (you'll still have it when people donate), and you'll dodge most of the bullet points in #3. You'll still have them for TeamRaiser, though.

  • Kathryn Hall (Blackbaud Employee):

    Jeremy Reynolds:

    Brian Mucha:

    1. Implementation project costing thousands of dollars.
    This part is the most unbelievable to me. There needs to be a pretty good reason for why this is anything less than preposterous gouging. 


    +1. I want to be reasonable here, and I figure that if the fix were easy, BB probably wouldn't still be using the convio URL a half-decade later.


    But I'm also scratching my head a little bit, wondering what the powers that be at BlackBaud think about the severity of problem #3. From folks I've talked to, I get the feeling that they're seeing this as a preference and branding issue.


    At some point, one crosses the bridge from "nice to have" into the land of "broke and bleeding." We're facing broken links and full-page security warnings. We're seeing folks lose Google Grants. We're showing up in Google as a for-profit business (that doesn't even exist anymore), and we're going to lose all ability to point ads at our own websites. These things are happening now, and will become even worse when the site switches to HTTPS only.

    Hey, Jeremy - I'm working on this issue behind the scenes with a couple of the other good folks at Blackbaud... As you surmise there are legacy issues and processes to work around. I'll reach out to you directly. Kathryn 

  • Kathryn Hall:

    Jeremy Reynolds:

    Brian Mucha:

    1. Implementation project costing thousands of dollars.
    This part is the most unbelievable to me. There needs to be a pretty good reason for why this is anything less than preposterous gouging. 


    +1. I want to be reasonable here, and I figure that if the fix were easy, BB probably wouldn't still be using the convio URL a half-decade later.


    But I'm also scratching my head a little bit, wondering what the powers that be at BlackBaud think about the severity of problem #3. From folks I've talked to, I get the feeling that they're seeing this as a preference and branding issue.


    At some point, one crosses the bridge from "nice to have" into the land of "broke and bleeding." We're facing broken links and full-page security warnings. We're seeing folks lose Google Grants. We're showing up in Google as a for-profit business (that doesn't even exist anymore), and we're going to lose all ability to point ads at our own websites. These things are happening now, and will become even worse when the site switches to HTTPS only.

    Hey, Jeremy - I'm working on this issue behind the scenes with a couple of the other good folks at Blackbaud... As you surmise there are legacy issues and processes to work around. I'll reach out to you directly. Kathryn 

     

    Definitely interested in following this post. When we are running Facebook ads, promoting our Holiday donation campaign, this is what happened last night:
    "Just FYI that Facebook paused the ads in the middle of the night because of the display link issue. They won’t run an ad that features a display link that doesn’t match the URL (roswellpark.org vs. convio). We have run into this before with previous FB campaigns, but I wanted to try to sneak it past them. Worked for about 12 hours or so. Either way, the display link is now defaulting to convio. Both ads are up and running again." We are thinking of adding a landing page for important campaigns but that defeats the purpose of getting someone right to the donation page. I had heard at BBCON about getting setting up with a vanity URL and was about to ask my rep about this. Little worried about what I am reading in terms of costs and hours. 

     

  • Jeremy Reynolds:

    Jeremy Reynolds:

    Just to be clear, here's what every single LO customer trades off if they don't change anything and keep using convio's secure URLs:
    • Google Grant accounts being suspended when orgs try to target donation page with Adwords
    • Donation & secure PageBuilder pages show up in Google search as owned by Convio
    • Chrome "Not Secure" warning when normal pages target secure pages with forms
    • Full-page security warning if outside links target your url instead of Convio's
    • Donors may think it's a phishing attack when the Donation URL doesn't match the org URL
    • SEO ranking penalty for non-secure pages (e.g. TeamRaiser entry pages)
    • Negative SEO impact from having unbranded URLs for key webpages
    • If full-page security warning is ignored, some pages redirect and other pages give a "not found" error
    • Facebook links preview convio.net instead of org website


    Good point, I guess we're really talking about three issues here, all of which are live and impacting client sites at this moment. Each problem, when fixed on its own, will make the next one worse:
    1. Cloaking: Some product-built features hide code on the page.
      Fixing it: Go back to a clearly insecure form until HTTPS fix is in place.
      If not fixed: Google is likely to freak out at any moment.

       
    2. HTTP content: Some parts of LO make non-secure server requests.
      Fixing it: BB has identified the fix and is rolling it out to early adopters. Everyone else gets it by request only (!!), and even then the ETA could be mid-2018 (!!!)
      If not fixed: Security warnings, broken pages.

       
    3. Unbranded Domains - LO's default domain is on convio.net
      Fixing it: Custom project to buy and implement SSL key and update client instance. Cost in the tens of thousands, as I understand it.
      If not fixed: All of the bullets above except for the third one. The SEO penalty will change, but still be in place (instead of getting dinged for insecure page, we'll get dinged for unbranded URLs)


    So, it sounds like #1 & #2 above are on the docket already. According to the KB article, clients get that by request only, and even then could take half a year to implement. Am I understanding that correctly?


    Noah, do you know if BB has workarounds for any of the bullet points caused by issue #3? Anyone else figure out workable solutions?

     

    I'm a little dubious about the "tens of thousands of dollars." I'd like to know if anyone has seen a solid dollar figure from Blackbaud. Getting a security certificate and custom url are not big deals. We have secure.cbf.org for our secure pages and chesapeake.cbf.org for our unsecure LO pages (Our main domain, cbf.org, is for our LCMS site). Blackbaud implemented it as part of our rollover from NetCommunity to Luminate Online. The secure domain build out on Blackbaud's end was about 5 hours.


    Kim

  • Jeremy Reynolds:

    Jill Freidmutter:

    This thread is scary, and I'm not sure if these problems apply to our situation. We have an SSL certificate for our agency's website. We use a vanity address over the convio address. Will this affect us? How do I figure out if I need to do anything and what I need to do? Thanks.

     



    Jill, looking at your profile, I'm assuming you're with Hospicare? Looks like you'll have problems on your TeamRaiser fundraising events (e.g. swim to celebrate life).


    Sorry to tell you, there are already a couple of security warnings visitors can see right now on that site. If you visit http://support.hospicare.org/site/TR?fr_id=1040&pg=entry in Chrome browser and click the login button, it'll change your URL/Address bar to say "Not Secure." This also happens on all of your fundraiser's personal pages. Any time people link to https://womenswimmin.org (in any web browser) they'll get a full-page security warning. Both of these will be fixed with #2 above, but will still leave you with problems from #3 if you don't do the custom project with BB (e.g. no Adwords, SEO penalties, urls you don't appear to own, etc.).


    The good news is that your non-event donation form is embedded in your wordpress site. That'll keep the warning from creeping in (you'll still have it when people donate), and you'll dodge most of the bullet points in #3. You'll still have them for TeamRaiser, though.

     

    Our donation pages throw the Not Secure message because our secure pages are pulling in content--specifically .js, .css and some other items--from our non-secure CMS. Could that be happening with your TeamRaiser pages? Our site was built in LO and LCMS and even though the wrappers are in PageBuilder they are pulling some content from LCMS. Until we are able to completely move all our wrapper content out of LCMS and into LO we're going to have that problem.


    At least those of you who are only using LO have the https:// solution at hand. We're probably going to roll over LO in January. But we are also using LCMS, and BB doesn't even have an https:// solution for that yet.


    Kim
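Kim's situation above (secure pages pulling .js and .css from an HTTP-only CMS) is exactly what a mixed-content audit catches. The following is an added example, not code from the thread, from Luminate Online or from LCMS: a small Node.js scanner that reports every http: resource an HTTPS page would load or submit to, separating active content (scripts, stylesheets, frames, which browsers block) from passive content (images, media) and form actions. The sample wrapper and hostnames are constructed placeholders.

```javascript
// Added example, not code from the thread, Luminate Online or LCMS: a Node.js
// (v10+) scanner that lists the mixed content an HTTPS page would pull in.
// Active mixed content (scripts, stylesheets, frames) is blocked by modern
// browsers; passive content (images, media) and forms posting to http: still
// cost the page its "secure" indicator. Hostnames in the constructed sample
// below are placeholders, not real sites.

const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']);
const PASSIVE_TAGS = new Set(['img', 'audio', 'video', 'source']);

// Decide whether a tag loads a subresource and, if so, how the browser treats it.
function classifyTag(tag, attrs) {
  if (ACTIVE_TAGS.has(tag)) return 'active';
  // Only <link rel="stylesheet"> fetches a resource; canonical/alternate do not.
  if (tag === 'link' && /\brel\s*=\s*["'][^"']*stylesheet/i.test(attrs)) return 'active';
  if (PASSIVE_TAGS.has(tag)) return 'passive';
  if (tag === 'form') return 'form-action';
  return null;
}

// Return [{tag, kind, url}] for every http: URL the page at pageUrl would load or
// submit to. Relative and protocol-relative (//host/x) references inherit https
// and are not flagged. The tag regex is deliberately simple: it does not handle
// '>' inside attribute values or commented-out markup.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  if (page.protocol !== 'https:') return findings; // only https pages can have mixed content
  const tagRe = /<(\w+)\b([^>]*)>/g;
  const attrRe = /\b(src|href|action)\s*=\s*["']([^"']*)["']/gi;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    const kind = classifyTag(tag, t[2]);
    if (kind === null) continue;
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(t[2])) !== null) {
      const attr = a[1].toLowerCase();
      if ((tag === 'form') !== (attr === 'action')) continue; // action only matters on <form>
      let target;
      try { target = new URL(a[2].trim(), page); } catch (e) { continue; } // skip unparsable URLs
      if (target.protocol === 'http:') findings.push({ tag, kind, url: target.href });
    }
  }
  return findings;
}

// Count findings per kind so a wrapper clean-up can be tracked over time.
function summarize(findings) {
  const counts = { active: 0, passive: 0, 'form-action': 0 };
  for (const f of findings) counts[f.kind] += 1;
  return counts;
}

// Constructed sample: a PageBuilder-style wrapper that still references assets on
// an HTTP-only CMS host, plus a search form that posts to an http: page.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cms.example.org/wrapper.css">
<link rel="canonical" href="http://cms.example.org/donate">
<script src="http://cms.example.org/wrapper.js"></script>
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<img src="http://cms.example.org/logo.png">
<img src="/images/safe.png">
<form action="http://cms.example.org/search"><input name="q"></form>
<a href="http://cms.example.org/about">About</a>
</body></html>`;

const report = findMixedContent(SAMPLE_HTML, 'https://secure.example.org/site/Donation');
for (const f of report) console.log(`${f.kind.padEnd(11)} <${f.tag}> ${f.url}`);
console.log(summarize(report)); // { active: 2, passive: 1, 'form-action': 1 }
```

Run it against a saved copy of a wrapper or donation page to get the list of references that have to move off the http: host before the "Not Secure" indicator goes away.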

  • Hi Jeremy,


    I just replied to another thread on a similar topic, so I thought I would share that idea here as well... has anyone tried embedding the Convio (or similar 3rd party URL donation form) as an iframe on their existing site? The URL, header, and footer would match your main site, and the content of the page would contain the donation form embedded via iframe. It's not a perfect solution by any means (since your main site can't control the CSS output of the iframe content) but it would go a long way towards solving this problem it sounds like a lot of people are experiencing!


    iframes are incredibly simple to implement with just one line of HTML, any web developer could do this very quickly. 


    Here is a quick tutorial. 

    https://www.tutorialrepublic.com/html-tutorial/html-iframes.php


    Please don't hesitate to reach out if you want to chat or need more information. I can provide more examples via email, laura@rabellcreative.com.
  • Erik Leaver (Blackbaud Employee):
    Hi Laura,


    iFrames are vulnerable to clickjacking & are not a recommended solution. After undergoing a PCI Audit, last year Blackbaud eliminated their use.


    However, organizations can use the more secure xFrame & whitelist the IP that they will be using in Luminate. 


    This KB article, "xFrame Restrictions for increased Luminate Online Security" outlines the reasons why we switched to xFrames & gives detailed instructions on how to whitelist any IPs using xFrames.


    Best,

    Erik
  • Hi Erik,


    Thanks for the additional information. Just to be clear since there are so many different Blackbaud services that use forms with 3rd party URLs, are iframes banned across all products? (Convio, Altru, etc?) And are xframes allowed and accommodated across all products as well (not just Luminate Online)? Thanks!
  • Erik Leaver (Blackbaud Employee):
    Hi Laura,

    I'm not sure about Altru or how other products utilize iFrames/xFrames. You might reach out to those other communities.


    Best,

    Erik 
  • Hi Jeremy,


    Thank you so much for your response and for checking out our site. (I just read this reply now. My sincere apologies for not keeping up at the time.)


    We made one change, which is to have all of our pages show up with https. I don't know how this will affect us. We are putting together our new annual TeamRaiser event and haven't seen these scary screens. I'll do more checking.


    with gratitude, Jill


    PS: It appears that the (convio) landing sites for Women Swimmin' do have the "this site is not secure" message, but the forms (registration form, donation form, participant center) are all secure.
  • Kathryn Hall:

    Jeremy Reynolds:

    Brian Mucha:

    1. Implementation project costing thousands of dollars.
    This part is the most unbelievable to me. There needs to be a pretty good reason for why this is anything less than preposterous gouging. 


    +1. I want to be reasonable here, and I figure that if the fix were easy, BB probably wouldn't still be using the convio URL a half-decade later.


    But I'm also scratching my head a little bit, wondering what the powers that be at BlackBaud think about the severity of problem #3. From folks I've talked to, I get the feeling that they're seeing this as a preference and branding issue.


    At some point, one crosses the bridge from "nice to have" into the land of "broke and bleeding." We're facing broken links and full-page security warnings. We're seeing folks lose Google Grants. We're showing up in Google as a for-profit business (that doesn't even exist anymore), and we're going to lose all ability to point ads at our own websites. These things are happening now, and will become even worse when the site switches to HTTPS only.

    Hey, Jeremy - I'm working on this issue behind the scenes with a couple of the other good folks at Blackbaud... As you surmise there are legacy issues and processes to work around. I'll reach out to you directly. Kathryn 

     

    Hi Kathryn,


    Is there any update on custom secure certificate for Luminate? It was mentioned in a recent roadmap that a new process is coming to allow organizations to customize secure domain, example: https://secure.mydomainname.com


    Thanks,

    Francis

  • Kathryn Hall (Blackbaud Employee):

    Francis Lim:

    Hey, Jeremy - I'm working on this issue behind the scenes with a couple of the other good folks at Blackbaud... As you surmise there are legacy issues and processes to work around. I'll reach out to you directly. Kathryn 

    Hi Kathryn,


    Is there any update on custom secure certificate for Luminate? It was mentioned in a recent roadmap that a new process is coming to allow organizations to customize secure domain, example: https://secure.mydomainname.com


    Thanks,

    Francis

    Hi, Francis - There are three updates in the area of SSL:

    1. The process for obtaining a custom SSL certificate has been simplified. Blackbaud purchases the cert on behalf of the customer, and automatically submits the renewal. There's a lot less process around it. The cost is about 70% less than it was before. This knowledgebase article describes the process: https://kb.blackbaud.com/articles/Article/118032 


    2. Secure Luminate / TeamRaiser - we're serving up more Luminate & TeamRaiser pages via https. It's now possible to serve almost all of TeamRaiser via SSL. The additional areas of LO & TR that can now be served up via SSL are: 
    • TeamRaiser pages
    • Ecommerce pages
    • UserLogin
    • Email Redirector Links (link tracking from email)
    You can read more about it here: https://kb.blackbaud.com/articles/Article/117976. Having a custom secure certificate (#1) goes hand in hand with this, since once you flip your pages to https, they'll display the secureX.convio.net URL unless you have a custom SSL cert.


    3. Secure Luminate Content Management System (CMS) - In July we expect to release a similar option for Luminate CMS, so that most CMS pages can be served up via SSL. Luminate CMS requires its own custom SSL certificate. This is not an absolute requirement, but I'd consider it essential as it allows you to maintain organization branding on the website.   


    Hope this helps, Kathryn


     

  • Woof, didn't realize this thread was still running.


    So, shout-out to Kathryn; she did a lot of heavy lifting after this discussion started, defining the problem as it stood and creating the new "BB secures the SSL cert" process referred to in her post.


    SSL in tow, we also turned on "all-HTTPS TeamRaiser" (#2 above). Folks, this had to have been an incredible amount of work for the LO product team, and they knocked it out of the park. Flipping the switch went just about as smoothly as you could possibly hope for. The update script automatically got most of our old references to secure3.convio, the only real updates I had to make were to our advanced code like roll-your-own API scripts.


    Between those two changes, 99% of the issues in this thread are fixed. No more Chrome warnings, no need for i-/x-frames, search engine SERPs don't reference Convio anymore, we have access to Google Search Console on our secure pages, and we're able to target reg/donation pages with digital ads now.
