Higher Logic Now Supports HTTPS

By Mark Eichler posted Nov 24, 2014 05:00 PM

Higher Logic recently enhanced our platform by supporting HTTPS.  Clients who choose to register security certificates for their Connected Community domains can now configure them and provide enhanced security to their end users.  Similar enhancements have been made by Facebook and other industry leaders in the past year.   

When configured, this new functionality means that user browsers are told to communicate with Higher Logic’s servers using a secure connection.  This is made clear by the "HTTPS" rather than "HTTP" in the URL address bar of the browser.  Our HTTPS site architecture uses Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL), enhancing the security between user browsers and Higher Logic’s cloud-based AWS servers.  

The HTTPS standard, in general, seeks to assure users that the website originating web communication is the source of the data received. Security is enhanced by addressing so-called “man in the middle” attacks.  Such an attack is attempted by a malicious third party intercepting web traffic, reading/saving the transmitted data, and then completing delivery without the user of the browser knowing of the third-party’s action. 

Clients who are interested in enhancing the security of their Connected Community should first review whether HTTPS is right for them.  Online resources, including Wikipedia’s HTTP Secure page, provide a good overview of the protections it affords.  Content hosted on Higher Logic websites should be reviewed to ensure that all iframe and other externally-based content meets the secure standard.  Embedded third-party content that does not use HTTPS security will be detected by the browser and the user informed of “unsecure content”.   Such notifications should be avoided because they give the user a sense that “unsecure” content may be malicious when it generally is harmless. 

A further consideration is page-load times.  Because HTTPS works by adding data “round trips” for the digital handshakes to occur the load time of pages may be impacted. 

If HTTPS configuration is desired the next step is securing security certificates.  Security certificates are based on the web domain and can generally be purchased from domain registrars.  When purchased the configuration is completed on the new Certificate Management page of the Connected Community Admin (CCAdmin) site.  Note that this functionality is only available for clients on the R2 (Bootstrap) code base.

Going forward we seek to enhance performance of HTTPS-secured content.  While the underlying security model of the Higher Logic platform is robust, these enhancements allow clients to augment user assurances of security.