Some of you were waiting for it, others don’t know yet what it’s all about!
HTTPS is the way to encrypt communications between your web browser and the website you visit, your Piwigo for instance. It is mainly useful for the login form and administration pages: your password is no longer sent in “plain text” through internet nodes, like your internet provider or the Piwigo.com servers.
How to use it?
For now, Piwigo doesn’t automatically use HTTPS. You have to switch manually if you want HTTPS. Just add “s” after “http” in the address bar of your web browser.
In the next few days or weeks, Piwigo will automatically switch to HTTPS on the login form and the pages you open afterwards.
Why wasn’t HTTPS already available?
Piwigo.com was born 6 years ago and HTTPS already existed at that time. Here are the 3 main reasons for the wait:
- Piwigo is photo management software, not a bank. Such a level of security was not considered a priority compared to other features.
- the Piwigo application and its related projects, without considering Piwigo.com hosting, needed some code changes to work flawlessly with HTTPS. Today we’re proud to say Piwigo works great with multiple addresses, with or without HTTPS: Piwigo automatically uses the appropriate web address. If you have worked with other web applications, you certainly know how much easier Piwigo makes your life when dealing with URLs.
- the multi-server infrastructure of Piwigo.com, with multiple sub-domains *.piwigo.com, has made the whole encryption system a bit complex. Without going into details, for those of you interested: we use a wildcard SSL certificate from Gandi. The Nginx reverse proxy on the frontend server uses it, and so does Nginx on the backend servers. All communication between Piwigo.com servers is encrypted when you use HTTPS.
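As an added illustration (not Piwigo’s own code), here is how an application sitting behind a TLS-terminating reverse proxy, like the frontend Nginx described above, can learn which scheme the visitor actually used, build the right absolute address, and send sensitive pages to HTTPS. The header name X-Forwarded-Proto, the trusted proxy network ranges and the sensitive paths /login and /admin are assumptions for the example, not Piwigo’s settings. The security point is the trust check: the forwarded scheme is only believed when the connection really comes from the proxy, otherwise any client could claim “https” and skip the redirect.

```python
"""Scheme detection behind a reverse proxy (illustrative, not Piwigo's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlunsplit

# Assumption: only the frontend proxy lives in these ranges and reaches the backend.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]
# Assumption: pages that must only be served over HTTPS (login form, administration).
SENSITIVE_PREFIXES = ("/login", "/admin")


@dataclass
class Request:
    remote_addr: str                 # peer that connected to the backend
    host: str                        # Host header as seen by the backend
    path: str
    scheme: str                      # scheme of the hop that reached the backend
    headers: dict = field(default_factory=dict)


def effective_scheme(req: Request) -> str:
    """Scheme the visitor used; X-Forwarded-Proto is honoured only from a trusted proxy."""
    forwarded = req.headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    peer = ip_address(req.remote_addr)
    if forwarded in ("http", "https") and any(peer in net for net in TRUSTED_PROXIES):
        return forwarded
    return req.scheme                # header absent, malformed or from an untrusted peer


def absolute_url(req: Request) -> str:
    """Absolute address of the request, with the scheme the visitor really used."""
    return urlunsplit((effective_scheme(req), req.host, req.path, "", ""))


def https_redirect(req: Request) -> Optional[str]:
    """URL to redirect to when a sensitive page is requested over plain HTTP, else None."""
    if effective_scheme(req) == "https":
        return None
    if not req.path.startswith(SENSITIVE_PREFIXES):
        return None
    return urlunsplit(("https", req.host, req.path, "", ""))


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy over HTTPS, one forged by a client.
    via_proxy = Request("10.1.2.3", "photos.piwigo.com", "/login", "http",
                        {"X-Forwarded-Proto": "https"})
    forged = Request("203.0.113.5", "photos.piwigo.com", "/login", "http",
                     {"X-Forwarded-Proto": "https"})
    print(absolute_url(via_proxy), https_redirect(via_proxy))
    print(absolute_url(forged), https_redirect(forged))
```

The backend sees every connection from the proxy as plain HTTP on its own hop, so without the forwarded scheme it would redirect every login request into a loop; with an unconditional trust in the header, a direct client could bypass the redirect entirely.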
What about custom domain names?
11.5% of Piwigo.com accounts use a custom domain name, in addition to their *.piwigo.com web address.
Each SSL certificate, which is the “key” for encryption, is dedicated to a domain name. In our case, our SSL certificate is only “trusted” for *.piwigo.com.
You can try to use your domain name with HTTPS, but your web browser will display a huge security warning. If you tell your web browser “it’s OK, I understand the risk”, then you can use our certificate combined with your domain name.
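To make the warning above concrete, here is an added example (not code from Piwigo) of the name check a web browser performs before trusting a certificate: the certificate’s names are compared with the host in the address bar, and a wildcard such as *.piwigo.com covers exactly one label. The certificate name list is constructed for the example; it only assumes the *.piwigo.com wildcard mentioned in the post.

```python
"""Browser-style certificate hostname matching (illustrative, not Piwigo's code)."""
from typing import Iterable


def _label_matches(pattern: str, label: str) -> bool:
    # A wildcard is honoured only as a whole label, the way modern browsers do it;
    # partial wildcards such as "ph*" are not matched.
    return pattern == "*" or pattern == label


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (dNSName or CN) covers the requested hostname."""
    pattern_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False            # "*" never spans several labels: a.b.piwigo.com fails
    if "*" in pattern_labels[1:]:
        return False            # a wildcard is only allowed in the left-most label
    if pattern_labels[0] == "*" and len(pattern_labels) < 3:
        return False            # refuse "*.com"-style names
    return all(_label_matches(p, h) for p, h in zip(pattern_labels, host_labels))


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name in the certificate covers the hostname."""
    return any(hostname_matches(n, hostname) for n in cert_names)


def explain(cert_names: Iterable[str], hostname: str) -> str:
    """Human-readable outcome, mirroring what the visitor sees in the browser."""
    if certificate_covers(list(cert_names), hostname):
        return f"{hostname}: certificate trusted, no warning"
    return f"{hostname}: name mismatch, browser shows a security warning"


if __name__ == "__main__":
    # Constructed: a certificate carrying only the *.piwigo.com wildcard name.
    CERT_NAMES = ["*.piwigo.com"]
    for host in ["photos.piwigo.com", "piwigo.com", "a.b.piwigo.com", "gallery.example.org"]:
        print(explain(CERT_NAMES, host))
```

Two consequences show up in the output: a custom domain such as gallery.example.org can never be covered by the *.piwigo.com certificate, which is exactly the warning described above, and the wildcard alone does not even cover the bare piwigo.com, which is why real certificates usually list the apex as a separate name.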
The obvious solution is to use Let’s Encrypt, which was recently released. It will let us generate custom certificates, perfectly compliant with web browser requirements. We will work on it.