Hello RTD World!

So, I'm perfectly aware that I'm about to open a can of worms here.
We discussed several times about the possibility of having RTD served as https, with main info discussed starting by this reply of me.

Everything mentioned in there is actually still valid: the biggest problem is not to make everything secured, is to guarantee that all old links works as well.

You know that, in order to have a page marked as secure, EVERYTHING in the page must be served securely as well.
While redirecting http to https calls at server level is possible, that would not help with anything that's not a pale URL: this includes mostly forms sending POST data.

Also, a lot of RTD users coded their own stuffs via directCSS and/or store editor (header and footer code): even anything links from those locations should be made secure.

NOW................

it is obviously impossible for the RTD to make your own custom coding links secure. But it can convert to secure calls everything that's internal.
If we'd have no legacy issues that would be easy: just pure SLL for everyone starting by day one.

But as this is not our case, if you want to switch to HTTPS abilities you should also have clear in mind which changes he needs to make on your side. We cannot offer support to fix something that's not main RTD code.

For this, I was working on a test that automates whatever it can. And to avoid testing issues, I enabled such test exclusively on a test RTD company of mine.
What I'm looking for now are volunteers to test it in the real world.

If you want to apply for it let me be extremely clear about some things:

• Do not apply if you're thinking "hey, it's https and I want it, let me apply even if I have no clue as in any case Alex will help me for my own benefit only", because Alex will NOT.
• This is not guaranteed to be safely used in production. If you will use it in production, you'll be doing that under your own responsibility. No complaints.
• I will NOT help you in altering your code. I expect you to understand that everything should be served securely and you know how to make this change on your custom codes by yourselves.
• Do not apply if you're white label using custom domain. For custom domains the things will be 100% different, so this test is only for users using regular RTD links
• Know and understand this test is to verify that everything works as expected in all phases of design/ordering/checkout process. Join it only if you know you're able to test everything properly.

That said, they way this will work is pretty easy, really.
Test enabled companies will have the system automatically applying SLL to everything it can if an initial SSL call will be detected.
So simply, if your original link is like http://designer.realtimedesigner.com/whatever, just calling it as https://designer.realtimedesigner.com/whatever instead will trigger the test

Of course, the test can have a strong cascade effect, as it alters a lot of parameters internally. That's why good understanding of what's going on is needed.

If you have any questions about this test you can reply here to let me know.
But please do so ONLY if questions are related to the TEST, not to things like "when will this be ready", "when can I use it on my website" and similar. This because the obvious answer will be "I have no idea, depends on the results of this test".

And so finally, If you want to apply for testing it, please open a support ticket from your admin panel main page (Get Help and Support Options => SUPPORT TICKET REQUEST FORM) by having "SSL testing request" as SUBJECT.

The test will not begin immediately: for now I'm looking for test candidates.
When that phase will be completed, I will reply to the ticket to announce the beginning, and I will post instructions on what to do right in the thread.
Idea is to have this thread, in future, becoming the "documentation" on what to do to have it work.

I think that's all I have for now.

Ready for fun!

WOW. #1 I missed this announcement because I wasn't logged in to forum. #2 I've been on vacation for 11 days. #3 I'm very excited to see this go forward and will start getting my ducks in a row to test. This is a significant advancement.

Hey! I was kinda surprised no one replied yet.

So this means you want to be part of the test, good!
I'll be away from tomorrow to Sunday June 17th, so for now I might just consider the test to be started with you, starting by next week.

Stay tuned for more info!

Of course I am also interested.

All set and ready to test.

Ok then. It's testing time!

Important note for readers:

This test REQUIRES activation on my end. What's described down here will NOT work for everyone yet, but only for the companies who applied for testing (2, so far).
So, do NOT try this if you're not part of the test. If you will it will not work, and I will become angry because you ignored my verbose alert


Now about testing instructions.
From your end things are kinda easy. In general, you can take any of your regular RTD links and just add the "s".
So, from this:
http://designer.realtimedesigner.com/companyname/yourlink
to this:
https://designer.realtimedesigner.com/companyname/yourlink

The test, for your companies only, will try to detect when an original SSL call had been made.
If detected, it will attempt to transcode every possible internal link to use SSL instead of the normal links.

The test, as you can imagine, is mostly about finding eventual slowdowns/bottlenecks, and malfunctioning trancodings.
In browsers this can normally be done by keeping an eye on the browser console. In the even of wrong calls you will probably see the "mixed contents" warning, which will also tell you what was not served securely as expected.

Obviously it is your duty to be sure non-rtd links of yours are SSL (for example, hardcoded urls in CSS or js codes).

Aside from being sure the designer itself works fine and at good speed, also some deep testing on the full flow is required.
When moving to/through the cart, or browsing templates, cliparts, FB images, fonts... all of those calls are different, and sometimes they are internal. Again, I need to know about issues happening during a full flow.
Main reason for this is session cookies: we need to verify that the session values will be correctly carried through the entire process.

Also, for this very same check, the test might affect your admin panel experience too.
If you will notice anything strange in there, please let me know ASAP.

You read my "rules" above, and by replying you already accepted them all.... so I think we're good to start!

Will be waiting to hear about your results.
And if anyone else would join the test under the same contitions, just let me know and I'll add your company to the list triggering the test.

Thanks!

Alex

Thought I would take a moment and report here about how extremely happy we are about this. Depending on your site size and how you get things done, it can take quite a bit of work to get everything set to https, but well worth the trouble as Alex has done a superior job at making everything as smooth as possible. We have been 100% https for over a month and haven't found any reason to go back.

THANK YOU ALEX!

Hey guys! Can't believe I completely missed this thread! Was coming to look for something like this and never saw this one.

So a couple thoughts - With browsers really making it known now that sites are not secure, are any of the other stores (or even on the RTD end of things) seeing a huge decline in sales through real time designer? My traffic is way down because my site is not mobile and not SSL and I am getting penalized for it, but I still am not getting the same ratio of sales to my low traffic. So was just wondering if people are turning away from ordering because of RTD not being secure and it is leading to less sales. Wondering if I am the only one, or if this is a trend we are seeing in our community.

So this leads me to what I want to do anyways. I have been wanting a new domain for mycustombandmerch.com for quite some time so I am going to take the plunge and change the domain, and then with that making my site responsive and adding an SSL certificate and redesigning the entire site. I've needed to do all of these things, but figured I could knock them all out at once.

I figure I need to do this with RTD as well. I was wondering, Alex, if you have done anymore testing with SSL on any of these sites and if it is running smooth. A couple of questions about it:

1. How long of a process does it take to switch my account to it? (is it just the click of a button on your end?)
I figured then I go in and change out all my css and linking out to images and stuff that is not secure.

2. This is not necessarily about the SSL change, but if I wanted to rename my account (or at least the username for the url), are you able to do that? The big question in that is - If you were able to do that, would users that have an e-mail for a product they designed that has an old link to the old username, redirect to the new link and username? Just trying to plan this all out in my head.

Let me know your thoughts on this anyone and how well the transition has gone. I feel like it is an absolute must at this point to have RTD SSL because now people are turning away because of warnings even if they checkout secure with something like PayPal.

Thanks!
Scott

Hi Scott!

To answer your question:

1. From my end it really is adding your company ID to a special file that "triggers" the function on. So, it's a superfast process.
In any case you can already modify your CSS: the HTTPS is already there for RTD in general, what this change does is to have alaos all internal links switched to https. So, if you want to just change to https your images and links you have in CSS, you can already do that.

2. yes, but of course you will be responsible for not invoking the old name from anywhere. Old users will still have their credentials valid, but of course the old link will not work. If I rename, it's not that I'm redirecting old name to new name: old name will simply be gone and will return a 404

As for experience, although some users already applied for the test, Cos is the main one providing feedbacks here.
One other kinda important thing, if you'll apply, is to get in touch in case you are making any use of the API. Even there some changes will be required to have it returning SSL links, if in use.