DNN Community Blog


How to secure a whole Dnn site with an SSL certificate

Why get an SSL certificate

Just to clarify a small point of technical semantics: SSL (Secure Sockets Layer) is the old standard for transmitting data securely and has been deprecated; what is used now is actually TLS (Transport Layer Security). Basically, the encryption in the new standard is on another layer of the OSI model, but that is not important for our usage or for this blog post. We keep seeing and hearing the term SSL used for both, so in this blog post SSL means one or the other.

It is also important to understand that SSL is only effective at securing the transport of data; it does nothing as far as securing the website itself. If you have other security issues, SSL will not resolve them by magic. It is crucial not to get a false sense of security just from installing SSL on a site.

More and more sites now use SSL not just on some pages, but on the whole website. SSL usage has more than doubled in the last 4 years, as shown in this chart from the Mozilla Telemetry SSL Ratios:
SSL Usage

Why all sites should use SSL in 2018

  • SSL is required if you take credit cards online in order to be PCI compliant, so if you take payments online, it is not even an option.
  • It provides a sense of trust for your visitors because they will see a green lock next to your website address.
  • It removes a sense of danger: modern browsers such as Chrome will actually add a Not Secure icon on the left of the website address as soon as you enter data into a form. This can be any form, even just the search field. This alone may scare users away from your site.
  • It may be beneficial for SEO. Although search algorithms are very well guarded secrets, many SEO experts have noted a small preference when all else is equal towards sites that use SSL, so it may be part of the formula that search engines use to rank websites.
  • Best of all reasons: it's now free! So why not.

Types of SSL certificates

On the technical side of securing the transmission of data, the only technical specification is the length of the key: the longer the key, the more time it takes to crack it (remember that everything can be cracked, it just takes a lot of time). As computing power increases, you need longer keys because shorter ones can be cracked more quickly. A 2048-bit key is pretty much standard now, and it would take at least 1200 years to crack a specific key. Of course, that may change very quickly with quantum computers. The point is that any of these types will do the same job from a strictly technical point of view; what changes is how users see your certificate.

  • DV (Domain Validation) certificates only verify that the person who requested the certificate has control over the domain name of the website. These certificates are available for free or for a very small fee. They are usually obtained in minutes or hours and only require you to prove (by uploading a small file, modifying the DNS record or using automated tools) that you control the domain name. In most browsers this will show a green lock next to the website URL.
  • OV (Organization Validation) certificates also verify the organization (company) behind the website. The verification is done by checking public government records for the company address and contact information. These certificates cost some money. They are usually obtained in a few days, and your company needs to be registered for the certificate issuer to be able to verify it. In most browsers, it will show a green lock, and the certificate details will show the organization address and contact information.
  • EV (Extended Validation) certificates go one step further: the issuer will do a small audit of the company and its owners. They cost the most money. In most browsers, it will show a green address bar or a larger lock badge with the company name next to the lock.

How to obtain an SSL certificate

Obtaining and installing an SSL certificate will vary depending on whether you have desktop access to the Windows server hosting your site or use a shared hosting account. If you are hosting your website with a provider, just follow their instructions. If you are self-hosting your site and have direct or remote desktop access to your server, then I recommend using https://certifytheweb.com/; their software is free for small operations and very inexpensive if you grow and need more sites. It is a good way to obtain one or multiple https://letsencrypt.org/ certificates. Those are free DV (Domain Validated) certificates that are perfect for public-facing websites that have no e-commerce and no very high security standards to maintain. Visit their website for details, but basically you select the site, request a certificate and the software takes care of configuring everything for you in IIS. If you need an OV or EV certificate, the issuer will provide you with instructions for installing it in IIS.

Enabling SSL in DotNetNuke

Once you have your certificate, you need to make DotNetNuke aware of it by going to Settings -> Security -> More and enabling SSL.
Dnn settings security
Dnn enable SSL

Unless you have different URLs for http and https or have some special needs, everything else may be left blank. You can now access your website with either http:// or https://. On each page, you can now enable the Secure option and the page will then always be served over https, but it would take a lot of time to edit each page one by one. Unfortunately, I do not know of any Dnn feature that will force SSL for the whole website. But IIS can do that for us:

Forcing SSL for the whole website

This technique uses IIS rewrite rules to create a 301 redirect so that any resource accessed by http is fetched by https instead. A 301 redirect will notify search engine indexers that the resource has moved permanently to https, which will help with your SEO efforts. Here are the step-by-step instructions:

  1. Open IIS, navigate to your website and double-click on URL Rewrite.
    IIS URL Rewrite
  2. Then click on Add Rule(s)... and in the new window, select Blank rule and click OK.
    Add blank rule
  3. In the new rule window, enter the following in the Match URL section:
    1. Name: anything you want, I suggest https-redirect
    2. Requested URL: Matches the Pattern
    3. Using: Regular Expression
    4. Pattern: (.*)
    5. Ignore case: ticked
  4. In the Conditions section, click add and enter the following:
    1. Condition input: {HTTPS}
    2. Check if input string: Matches the Pattern
    3. Pattern: off
    4. Ignore case: checked
  5. In the action section enter the following:
    1. Action type: Redirect
    2. Redirect URL: https://{HTTP_HOST}/{R:1}
    3. Append query string: checked
    4. Redirect type: Permanent (301)
  6. Here is how it should look all together:
    Https redirect settings
  7. Click Apply on the right and you are all set. Just navigate to your website using http and you should be automatically redirected to the https version on every page or resource.
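
For reference, this is how the rule built in the steps above would appear in the site's web.config, where IIS Manager stores URL Rewrite rules. It is an added example, not part of the original post; the stopProcessing attribute is an assumption, since the steps do not set it.

```xml
<!-- Added example: the https-redirect rule from the steps above, as web.config XML.
     A Dnn site already has a web.config with a <system.webServer> section;
     merge the <rewrite> element into that existing section rather than
     adding a second <system.webServer>. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Name from step 3. stopProcessing="true" is an assumption (not set in
             the steps): it stops later rules from running once this one redirects. -->
        <rule name="https-redirect" stopProcessing="true">
          <!-- Step 3: match every requested URL; {R:1} captures the path -->
          <match url="(.*)" ignoreCase="true" />
          <!-- Step 4: only apply when the request did not arrive over HTTPS -->
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <!-- Step 5: permanent (301) redirect to the same host and path over
               https, keeping the original query string -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  appendQueryString="true"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Keeping the rule in web.config means it travels with the site when it is copied or restored, provided the URL Rewrite module is installed on the destination server.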
