Home » Canvas Host blog

Converting a non-SSL Website to SSL

ssl certificate

There are two kinds of websites on the Internet: Those that use SSL, and those that do not. When accessing a website protected by SSL, your browser’s address bar may turn a green color, or a golden or green padlock icon may appear next to the start of the website URL in that address bar.

If the website is accessed at https://, but the SSL certificate is incorrectly configured, or more commonly, the website is not entirely encrypted because it is trying to serve files not protected under SSL, your browser will show you a popup alert informing you of this error. Websites serving errors to visitors can cause confusion or a breakdown in trust with the user, and potentially lead to lost sales and traffic. So, it is vital to ensure your website is correctly configured for use with SSL.

If you have just installed SSL on your hosting account, there are additional steps you will still need to take to ensure the site functions properly with SSL.

The following steps assume you are using WordPress, the most widely used application framework in our network. (Similar steps are required for other frameworks, such as Joomla, Drupal, and Magento, but are not addressed in the scope of this article.)

1. Change the main links within your application framework to reference “https://”

Log into your website’s administration panel. In WordPress, navigate to Settings -> General, and note the following:

WordPress Address (URL)
Site Address (URL)

Change these values to ensure the full URL in each contains https:// and not simply http://.

Optionally, if you are more of a database administrator type of person, you can log into the MySQL database for this WordPress installation using phpMyAdmin within Cpanel, and navigate to the the “homeurl” and “siteurl” variable values in WordPress’s wp_options table, ensuring the link for both variables begins with “https://”.

2. Force SSL requests with a .htaccess file

The .htaccess file lives in the document root of your website. In Cpanel, this directory is /public_html/. The file may not appear when using an SFTP program or when accessing File Manager through Cpanel, so be sure to set “show hidden files” is set in your application.

To force SSL requests throughout your website, include the following rules in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L
]

Make sure that “www.example.com” is replaced with your actual domain name.

3. Verify images and included files are called with https://, or an absolute file path for the URL

Though the first two steps should adequately enforce file and resource requests for your website should be served securely, we have found many cases where “hard-coded” links, such as an IMG tag with a TAG parameter requesting a file, beginning with “http://” can be all it takes to make a page fail to fully load in SSL and therefore result in a popup error.

A good example of this would be a WordPress blog post or page with an included file. By default, images placed using the WordPress Media Library, will by default be written out as a complete URL, meaning the IMG tag will show http:// or https:// as part of the included file’s URL.

For this reason, we recommend that you search for and replace all references to included files throughout your website, so none request http://. One plugin that achieves this at the database level is simply named, “Search & Replace”, and can be downloaded here:

Search & Replace

Even then, we suggest a manual review of all prominent pages or blog posts of your website, to ensure the links have been altered.

If performing this manually, you can simply change the IMG SRC value and strip out the entire protocol and URL, leaving just the file structure. For example, instead of a tag like this:

<img src="http://www.canvashost.com/path-to-the-included-file-or-image.jpg" alt="" />

You could change the reference to:

<img src="/path-to-the-included-file-or-image.jpg" alt="" />

When modifying links in this way, the browser automatically understands that whatever website address you are at (in this case, on our website, at https://www.canvashost.com), should be used to pre-pend that link, so the browser will understand the IMG tag to effectively read:

<img src="https://www.canvashost.com/path-to-the-included-file-or-image.jpg" alt="" />

This is a bit of a hack, but useful if you ever plan on changing the primary domain of your website, or wanting to reference the website through additional domain names that have been aliased/parked on the account, as the absolute file path will still be valid for each of those requests.

4. Verifying your website theme uses either SSL or absolute file path

This may present the trickiest aspect of website cleanup. Your website theme (or template) contains file path callouts to images, stylesheets, javascript files, and other included files, all of which will need to be hard-coded to “https://”, or be stripped down to the absolute file path as demonstrated in step 3.

You can verify the state of your website by first accessing it with a browser at https://(your domain), so your browser is attempting to reach it securely. If you don’t see any errors, you may be all done, as the same theme files will be loaded regardless of which page of the website you access.

If you happen to see a browser error, try viewing the page source. In Firefox and Chrome on a PC, for example, this can be done by pressing Ctrl-U with your keyboard. The actual, served HTML code will be displayed. Once viewing the source code, simply search for references to “http://”, such as “src=’http://”, to see cases where the theme is trying to load files or images with http:// and not https://.

The next step will be to individually log into the theme files and make necessary adjustments, just as done in step 3. Once you’ve completed this cleanup, try loading a fresh copy of the website and go over this until the broken padlock icon disappears from your browser’s address bar. You’ve done !

5. Canvas Host can help!

If you’re still stuck or simply want some help, Canvas Host is happy to assist. We’ve helped many customers through these steps. Though it is billed work, it costs about $200 to fully ensure a website is protected by and working properly with SSL. If you are interested in learning about our SSL clean service, please contact our Sales team at sales@canvashost.com.


Let’s Encrypt SSL Certificates (AutoSSL) Now Supported

Canvas Host is pleased to inform you that we will now offer Let’s Encrypt SSL certificates on our Shared and WordPress service lines, through Cpanel’s AutoSSL service. The certificates will not be available in our PCI Compliant hosting service line.

Let’s Encrypt provides basic, free SSL certificates to all domains hosted on a Cpanel account. The certificates are issued and installed automatically, and without the sometimes lengthy verification and installation process with other certificates.

Let’s Encrypt SSL certificates are issued for three months, and are automatically renewed so long as you wish to use them.

Let’s Encrypt SSL certificates do not require a static IP address in order to function on your account.

Let’s Encrypt SSL certificates are automatically issued for all service-related subdomains, such as mail.yourdomain.com or webmail.yourdomain.com, for added account access security.

Additionally, Let’s Encrypt SSL certificates will enable you to use your own domain name as the mailserver host when using secure mail, which previously required you to use the server host name.

Most importantly, Let’s Encrypt SSL certificates will allow your website to function under basic SSL security, which is now a requirement to maintain SEO rank with with Google’s indexing service. Websites not hosted under SSL may lose SEO rank among Google and other search engines.

Those are all the benefits of Let’s Encrypt SSL certificates. Here is what the certificates will not do.

Using Let’s Encrypt SSL Certificates

With Let’s Encrypt SSL certificates, you don’t have to configure anything. You can verify the status of all Let’s Encrypt SSL certificates by logging into your Cpanel interface, then going to TLS/SSL -> Manage SSL Sites. You will be shown a full list of currently installed certificates.

To use your website with SSL, you will need to verify several things:

  • Your application settings and/or program code will need to reference https:// and not http:// for website links, such as the “Home URL” and “Site URL” settings within WordPress.
  • You may additionally need to modify your application’s .htaccess file to force non-SSL requests to SSL.
  • You may need to change references to files and scripts in your website’s theme (template) files, as well as IMG SRC tags called throughout your website, changing them from http:// to https:// or better yet, making included files reference from the start of the document root and not include the domain in the link at all.

If you aren’t sure how to do this or do not have a Web designer, Canvas Host can perform these services for you at a cost of $60/hour. For a free quote, please contact our Sales team at sales@canvashost.com, or by calling us at 800.574.4299 x1.

Down Sides to Let’s Encrypt

Web browsers on Windows operating systems, XP and older, do not work well with Let’s Encrypt SSL certificates and may show errors to users of those platforms. If you run a website that serves a diverse range of customers, those users may see errors when visiting your website.

In terms of validation, Let’s Encrypt issues Domain Validation (DV) certificates. They do not offer Organization Validation (OV), Extended Validation (EV), or wildcard certificates, as those cannot be automatically issued.

Let’s Encrypt SSL certificates do not include any warranty and should not be used for encrypting information sent to or received from your website, such as accepting credit card payments from website visitors. If your website’s security is hacked and customer information is compromised, you would be directly liable for that breach and not covered by any warranty.

Although PCI (payment card industry) standards currently accept DV certificates, PCI rules are subject to continuous change, and at some point Let’s Encrypt certificates will not pass PCI compliance rules.

For these reasons, we do not recommend the certificates be used in place of paid certificates offered by Canvas Host, which include a warranty, are known to pass PCI compliance, and are supported by Canvas Host.

More information on Let’s Encrypt may be found on their website, at: https://letsencrypt.org/


Canvas Host Acquires Portland-based Host Pond

FOR IMMEDIATE RELEASE

March 23, 2017

Portland, Oregon – Canvas Host, a Portland web hosting provider, acquired Host Pond on March 23, 2017. Financial details were not disclosed. With more than 700 customers comprising 1600 domain names, the acquisition is the largest ever for Canvas Host.

Richard Powell, owner of Host Pond, said in a release to his company’s customers this morning, “I’m thrilled to announce that Portland-local Canvas Host has agreed to assist in a seamless transition of our customers into their virtually identical hosting environment. After an exhaustive and careful search and all the possible ways I could have envisioned this transition going, I’m confident that this was the best possible outcome.”

David Anderson, Owner of Canvas Host, added, “When two companies join forces, there is an opportunity to create something better than what they separately were before. Though technically an acquisition, philosophically we think of this as a merger, as there are many great things the two companies have each done with their service lines and how they care for customers. Together, our two companies’ energies are a perfect match, and we’re excited to see our collective offerings evolve and improve. In the end, it will mean happier customers that will receive ever better support.”

About Canvas Host

A sustainable web hosting provider based in Portland, Oregon, Canvas Host provides comprehensive web hosting, domain registration, email, e-commerce and dedicated hosting services. An Oregon Benefit Company and certified B Corporation, the company operates on triple bottom line principles of people, planet, and then profit, giving back to the community through partnerships with local non-profits and organizations, organizing monthly educational networking with Green Drinks, planting trees through Friends of Trees, and offsetting not only its energy consumption, but also 15 Portland-area homes with clean, renewable wind energy through Bonneville Environmental Foundation.

For information on Canvas Host’s services, please contact the Sales team at sales@canvashost.com, or by calling 503.914.1118 x1.

***


On Making Tax Returns Great Again

b-corporation transparentTo anyone that doesn’t own a business, here’s a primer about personal and business tax returns, the difference between traditional corporations and benefit companies, and why transparency is so flipping important in today’s business and political world.

In America, the 1040 tax return reports your personal taxes owed from all income sources, including business(es). It is not a Schedule C form, which shows income you earned from a business, or a K-1 (form 1065), which shows income earned from a partnership. It is also not the same as a 1120, which is the tax return for the business itself, or an 1120-S in the case of a multi-owner partnership. The 1040 has very little to do with any business aspect of your tax situation, as business and personal taxes are treated separately by the IRS.

Although shareholders or owners personally pay taxes based on profit a company may have earned, a business’ tax liability is documented and reported separately. There are other factors, but this is in some way how businesses “are treated like people” in American business, because the two are taxed separately. A business, in the eyes of the IRS, is subject to very different rules of tax reporting.

For example, if your business files a net loss for a given year, it doesn’t receive a refund following your tax filing.  You simply owe no taxes for the business’ operations in that year, and you can carry that loss forward to offset any future profits the business may earn in later years. Schedule C and form 1120 show this clearly. And yet, you may have a 1040 return indicating you personally owe taxes, such as from earnings on capital gains (from stocks), or passive income on earned interest, unrelated to your business(es).

There are companies out there, and I could name several of the largest competitors in my industry, each of which have more than $1 billion in carried-forward debt for more than a dozen years, which means they can earn as much as they want, and yet, until that debt is fully “balanced out” with reported profits, neither those mega corporations, nor their owners, pay a single dime in taxes. For the entirety of one company’s operations, for example, one that used naked women to sell domains to NASCAR fans, that company has never once reported a profit, in the 18+ years of its existence. So no taxes have ever been paid on its revenue, ever.

Business tax returns can show many “interesting” details that you don’t find on personal returns: Side businesses and assumed business names commonly involved in umbrella companies and schemes, additional shareholders no one would otherwise know about, foreign subsidiaries and tax shelters that are fully legal in the eyes of the IRS, and retained earnings and distributions paid out tax-free as they are a release of assets, to name but a few. A business tax return can tell you immediately whether the company you’ve publicly come to know about, is truly the same company the IRS privately knows about.

The concern many have about our current President’s reluctance to share his tax returns are based on 1) He promised to release them and yet refuses; 2) It’s a simple act of transparency and addresses the point that if you have nothing to hide, then prove it; 3) No, it’s not enough, when you have established a long list of lies you have openly admitted to telling, for us to take you at your word that your taxes are above board; And 4) Those of us who regularly file our business tax returns understand just how telling it is about us as owners, how we run our business, and whether we are honest, versus pulling the wool over the eyes of everyone we do business dealings with, including our government.

Anyone who has maintained a business of many years should know the importance of an accurate and honest tax filing. Though the IRS only cares about the past seven years of a person’s or business’ returns, a lot can happen in those years. So with only a partial return, say… something from 2005, it’s not enforceable or audit-able, it’s meaningless in the present history of that company’s operations, and it says nothing about what current or carried-forward debts that company may hold and which it is in fact hiding from its non-ownership shareholders.

And that is why I feel our President isn’t offering up his current returns. It has nothing to do with us, the general public and our trust or distrust in him. It has much more to do with his sworn commitment to uphold profit motive for the shareholders that have invested billions in his enterprises, and whether he has breached his fiduciary duty to act in their interest first. Remember that phrase.

As bad as all the lawsuits may have been for the reported 41% of his failed businesses, can you imagine just how bad it would be for our current President for the shareholders of his businesses to learn that he didn’t act in their best interest? Tremendous power is given to shareholders of American businesses: Owners and officers can get sued and thrown in prison faster for lying to shareholders, than for committing violent crimes.

That is what is meant by the phrase, “fiduciary duty”. In a traditional corporation, the officers running the show are there to earn money for the company’s shareholders. If they don’t, they can be forcefully removed from that office, sued, and jailed. As much as it sounds nice to have investors who will front you capital for whatever plans you may have, they want their share to, and if they don’t get it, they are lawfully given the power to come after you personally for it. This is the primary reason many corporations push profit motive first and only, at all costs. It’s a way of keeping the investors happy and the officers out of jail. It’s also a way to wreck the planet, screw others in your industry out of business, and forcefully push droves of employees to the brink. Just think about a popular smartphone maker’s Chinese employees committing suicide at a giant manufacturing plant. That happens because profits are more important to its shareholders, than are its workers’ well-being.

This is one reason why in the current shifting tide of business, benefit companies and B Corporations are increasingly important and popular. They require a company’s officers to act not only in the interest of investors, but also to care for the environment, the community, and employees, which may come at a cost of profit to the shareholders. Benefit companies have in their operating agreement and articles of organization, language protecting officers’ rights to do just this. If you’re a shareholder in a benefit company, you cannot sue the officers for doing things that say, might help the environment but at a cost of less profit.

There are also mandates of being transparent and upholding business ethics. As an owner of a benefit company, I can be held accountable and even sued by a member of the public, if it is determined I acted on profit motive before considering the other requirements. My fiduciary duty goes far beyond profit motive. It forces a different type of conversation, you see. It promotes healthy business that yes, loves profit, but all the more cares about everything and everyone touched by that company’s operations.

Before you think I am complaining, I chose this path for my business. I couldn’t imagine it any other way. It’s something I believe in so strongly, that I willingly did this and have subjected my company to intense scrutiny in the name of accreditation as a B Corporation. It helps create trust with my customers, and I believe it makes for better business, period.

For me at least, it was an easy choice. And so, I put my money where my mouth is. My combined business and personal return, though small in comparison to large companies, still results in dozens of dense forms and pages. It’s quite a read. And yes, I have willingly opened my books to outside scrutiny as part of my company’s B Corporation certification. It’s a requirement, as a B, to permit third-party auditing. I believe so strongly in backing up my words, that I have had no hesitation to provide them this information.

In today’s world, it’s not enough to say something. You need to prove it. Third-party accreditation, such as the B Corporation seal you see all over this website and by our brand, are there to serve as a reminder that we stand by our commitment to honesty, integrity, and transparency. The B seal is a symbol of something you can trust in a business world full of uncertainty.


Creating an authentic space with customers

This late-night thought hit me.

Increasingly, consumers use social media to learn about and buy things. This results in less consumers going to actual stores, interacting with real people, and potentially missing out on a connection that is vital to the client/vendor model. At the same time, this inclination away from physical contact, and toward virtual communication, is creating a boon for companies like mine. Though we are more likely to only know a customer by phone or in text, we are finding it easier to “win” at customer service simply by:

  1. Being polite;
  2. Being patient; And
  3. Being authentic.

We care about every single customer we help, even those challenging situations in which a customer is rightfully upset about a mistake we made. It happens to every company, but even the most negative situation can become an opportunity: To validate the customer’s concerns and let them know they have been heard; And to learn from the situation, and reduce the chances it ever happens again.

I’d like to ask you to consider some recent customer service experiences that stood out to you for either the right or wrong reasons. Why do you remember them? Was there shared respect, or a sense of disrespect, in the exchange? Did you feel the person helping you was tuned into your tempo and not rushing you? Did you feel a sense of trust and honesty, or that you should run far, far away?

Where customer service is most needed, is when something has gone wrong. People are people, and most folks will be happy to chat with a friendly, non-pushy company rep about pretty much anything. The time you need that friendly face most, is when things have broken, you don’t know where to turn to, and you’re on the phone with a member of my staff.

My company is committed to doing the very best job it can at all times. Over the years, we have received increasing praise from customers simply for doing our jobs correctly. It’s gotten to the point that I wonder, how are our competitors (most of whom are much larger and have far more resources than us) so out of tune with this realization that to succeed, the customer must come first? After all, the phrase “customer service” begins with the word, “customer”…

Why are companies receiving accolades for showing up to their jobs and being nice to their customers? Why is the concept of being a decent human being, such a foreign concept for so many companies in technical industries? Is that the direction of business overall, in that customers are lowering their expectations due to their own distancing from the relationship with vendors?

What does this say about customer expectations of accuracy and quality? We have a commitment to providing and supporting our services to the highest degree possible — and with authenticity — but how many customers actually stop long enough to notice the difference between us and our competition?

I think it’s that word, “authenticity”, that speaks volumes about a company, builds trust with customers, and helps raise the bar for something better that both parties can set as a goal.

It’s definitely a lot to think about on this cool first morning of March 2017.