-
1. Re: Redirect https Request
Gaurav Sharma Jul 10, 2014 10:10 AM (in response to Phorden)
Hi,
Like most eCommerce services, a global SSL certificate is used across all customers, e.g. *.worldsecuresystems.com. This approach means that all customers automatically get an SSL certificate without having to pay for it every year. To ensure security, an SSL certificate always shows the owner's details.
The mismatch error you are getting is due to the same reason, the SSL certificate is attached with your *.worldsecuresystems.com, not with your custom domain.
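Added example (not part of the thread or of the platform's code): a small Python sketch of the hostname check a browser applies to a certificate's DNS names, showing why the shared `*.worldsecuresystems.com` certificate mentioned above matches the platform subdomain but not a custom domain. All hostnames other than the wildcard name are constructed for illustration.

```python
# Illustrative hostname check in the style of RFC 6125 wildcard matching.
# Only a whole left-most "*" label is honoured, as browsers do.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[1:] != h[1:]:
        return False              # everything right of the first label must be identical
    if p[0] == "*":
        # refuse overly broad patterns such as "*.com"
        return len(p) >= 3 and h[0] != ""
    return p[0] == h[0]


def cert_covers(cert_names, hostname: str) -> bool:
    """Return True if any DNS name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def audit(cert_names, hostnames):
    """Map each hostname to 'ok' or 'name mismatch' for the given certificate."""
    return {h: ("ok" if cert_covers(cert_names, h) else "name mismatch")
            for h in hostnames}


# Shared certificate name from the thread; the hosts below are constructed samples.
SHARED_CERT = ["*.worldsecuresystems.com"]
SAMPLE_HOSTS = [
    "mysite.worldsecuresystems.com",       # platform subdomain
    "www.mysite.com",                      # customer's own domain
    "shop.mysite.worldsecuresystems.com",  # two labels deep
]

if __name__ == "__main__":
    # The browser runs this check during the TLS handshake, before any HTTP
    # response (including a redirect) can be received from the server.
    for host, verdict in audit(SHARED_CERT, SAMPLE_HOSTS).items():
        print(f"{host:40s} {verdict}")
```

Because the check happens before any HTTP response is read, the name on the certificate served for the requested hostname decides whether the warning appears.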
-
2. Re: Redirect https Request
Phorden Jul 10, 2014 10:15 AM (in response to Gaurav Sharma)
I understand why it is happening. I am not asking for a why. I would like someone to fix the issue that when people are going to the regular https version of the site, they are not redirected to the worldsecuresystems version of the site. This will cause issues going forward as people using the site will get the impression that the site is untrustworthy since the certificate doesn't match the domain.
-
3. Re: Redirect https Request
Adam Cook Jul 10, 2014 10:22 AM (in response to Phorden)
That's what Gaurav was saying. It's not broken. BC has an SSL for worldsecuresystems.com, and does not allow SSLs on the individual domains. The advantage is that it allows people to have SSL without having to pay for it. The disadvantage is that they can't stay on the same domain. This is a system architecture choice, not a bug.
-
4. Re: Redirect https Request
Phorden Jul 10, 2014 10:28 AM (in response to Adam Cook)
And I am saying it is a bad choice because going forward more and more people will use the https versions of sites, which by default will use the regular domain name, not the worldsecuresystems. Browsers are already starting to use this feature, same thing with Google. I am saying it is a bad choice and something should be done about it. I don't care that we don't get individual SSLs, just that it makes users think they are on a shady site. There must be some way to add something like a .htaccess file on the servers that would redirect users that go from the regular https url to the worldsecuresystems url. Otherwise they are always going to see the certificate error if they try to access the site via the regular secure domain.
-
5. Re: Redirect https Request
Adam Cook Jul 10, 2014 10:34 AM (in response to Phorden)
That would be nice.
-
6. Re: Redirect https Request
WebsterN Aug 13, 2014 9:20 AM (in response to Phorden)
I totally agree with Phorden that the https version of a domain should be redirected to either the worldsecuresystem or even without 's' to just http; at least that way the customer will not get the error like they do on the Business Catalyst site: https://www.businesscatalyst.com/
We have customers who we bring in from different platforms where they are used to using the https, and/or Google has indexed the pages, and once transitioned to BC, they are getting these errors, and there is no re-direction we can place on them within BC. BC needs to do something about this issue.
-
7. Re: Redirect https Request
acsz Oct 28, 2014 10:35 AM (in response to Phorden)
Having same issue! Please BC do something about this redirect issue https to regular sites!
-
8. Re: Redirect https Request
Liam Dilley Oct 28, 2014 1:41 PM (in response to acsz)
It is NOT an issue, it is a choice and a core element of the system and service, guys.
- This is a .net system, there is no htaccess
- There is no system in place to support https on your custom domain
- Search the forums for lots of discussion and information on this topic
-
9. Re: Redirect https Request
jd_its Oct 28, 2014 3:58 PM (in response to Liam Dilley)
Actually it is an issue, or rather a design flaw. Shopify does the same thing. The problem is that people using BC to host their sites don't want to publish their sites using the mysite.businesscatalyst.com; they want to use their own FQDN that they branded for. They certainly don't want to use mysite.worldsecuresystems.com (who even knew they were part of this, sounds like some .suffix scam to me). They want to use www.mysite.com or mysite.com or worst case https://mysite.com and https://www.mysite.com
Any end user who mistakenly stumbles on the site or, like Phorden says, decides they like the integrity and implied security of using https in their browser gets a cert name mismatch error, which is off-putting and misleading at best.
Either
1) Allow users/domain managers to remove the HTTPs cert completely.
2) Allow users/domain managers to deploy their own valid SSL cert... I could care less I get a free useless one with my hosting, I can buy a RapidSSL one for $50 a year.
3) Allow admins to rewrite their incoming to the *.worldsecure version of the URL, and yes it's not an Apache system, it's .NET, whatever. Is it running on IIS? If it is then it's doable just as easily as via Apache's .htaccess
This is ill conceived, badly thought out, and though it's great for people that just want to have their own mysite.myspace.com url, it does not work for attracting and retaining corporate entities.
regards
-
10. Re: Redirect https Request
Liam Dilley Oct 28, 2014 5:40 PM (in response to jd_its)
It is different and does not have some of the advantages of a https version of a site - This is true, but in terms of not making sales etc. This is untrue. There are many big eCommerce sites built by a number of people, including us at Pretty running on BC making very large sales and very happy clients.
mysite.businesscatalyst.com is the development domain if you do not have a full partner branded account. It is NOT the live domain. You purchase your domain and set that up and have a full work domain with your live BC sites http://www.mysite.com. Knowing how things work as a business, explaining it to your client is all part of scoping and quoting and the relationship with your clients.
How you design, structure and inform your users with good UX design is key. The url itself is actually observed by very little of a browser user base. If you look at Safari for example - By default it does not show the actual domain of a page any more, it just shows the name. Chrome has this as an option to enable and may be as standard soon. I believe Opera is like this and of course iOS is like this already.
The actual key factors that someone observes when looking to make payment are things like..
- Known payment method
- The lock system
- Someone may click the lock certification option on their browser and read that it is a valid payment certificate
- Well made, viable site, looks trustworthy, reviews, known users, valid information about privacy etc - Actual contact methods etc.
These are the facts. You cannot argue me on this as while I do not have the time I can post over 20 articles without any issue on taking payments on sites and the things people look for, along with actual user experience data in that regard.
A modern site as some do now may go all in https. This has its own issues and troubles though as a note that a site developer or company need to account for. Lots of 3rd party access, some popular font resources etc will not be able to be used (as they do not provide https references) and so on.
Further to this, as I have shown in other threads. You know the big hacking issues of late have been through and via SSL and HTTPS vulnerabilities, even HTTPS 2 has a lot of issues. Does HTTPS mean you're secure - Very much NO
Shellshock BASH, Heartbleed to name but two off the top of my head.
In terms of having https and own certificate option in BC. Anyone wanting this is not wrong - it would be nice feature!
But as people like myself have pointed out involves a MASSIVE change to the platform. There will be a big development change, a lot of how BC handles logins and eCommerce would have to be completely redeveloped for a start. Further to that, there is extra cost and retro actively changing existing sites will not just be a task for BC but for developers will require a number of changes their end to accomplish.
This would also be, for a company something they then need to start tracking because they need to be upkeep or renewed, or if BC did it they would have to have a notification system to go to partners to then inform their clients, like with the billing of the sites.
Again, I think I also do see BC at some point building this, but not any time soon that is for sure. With the work and cost to it, right now, considering all the sites running successfully through this method, number of BC sites and the number of people complaining about it.. It is not viable to delve into this yet. This has been as it is since the birth of the platform, and as you even pointed out this is not the only service that does this either.
If you are not happy with this right now then BC is probably not the platform for you and I would recommend looking at others, but in terms of this and of features and developments the cost I would be pretty sure on for those projects would be more costly.




