SOAR

Over the coming months, your SOAR website will experience some changes. These are being brought on initially by changes in Google Chrome, and eventually other browsers. While the changes on our end are easy to implement, it will require understanding of some technical details on your part so you can explain what is happening to your leaders and members. We’ve created this thorough (and unfortunately long) announcement to let you know what is happening. We encourage you to print it out, read it fully, and share it with your leaders.

Background

“The Internet” was created by the combination of two pieces of software – the web “server” and the web “browser”. You are familiar with browsers; you use them every day - Google Chrome, Internet Explorer, Safari, Firefox/Mozilla, etc. SOAR provides the web server for your Unit Website. The web browsers and severs talk with each other via the HyperText Transfer Protocol (HTTP) – the end result is your browser displaying a web page.

HTTP should look familiar to you. When you see your website domain displayed in the browser’s address bar at the top, often you will see http:// at the front of the domain name.

As the Internet grew there was a need for security. To support eCommerce, the communication between the browser and server needed to be encrypted to protect sensitive information like credit cards. A new protocol was created to support this – Secure HTTP, also called HTTPS.

This may also look familiar to you. Anytime you purchase something online, the site is almost always using HTTPS and you will see https:// at the front of the domain name.

Domain Names

Every SOAR website has one or more Domain Names associated with it. A domain name is what you type into the browser window to access your website. It’s how people find your website on the Internet and is the part immediately after the http:// or https://. It is also used for the Email features on your SOAR website. You are using one of two types of domain names with your SOAR website.
1. SOAR Provided Domain Name – this is the domain name you received when you purchased your SOAR website and looks like city123.mytroop.us or town456.mypack.us. We will refer to these as “SOAR Domains”.
2. Customer purchased domain name – this is a domain name someone in your unit purchased from an Internet Registration outside of soar. These look like www.pack123.com or www.troop456.org. We will refer to these as “Vanity Domains”. Even though your members see that domain names primarily, the SOAR Domain you received at purchase still works.

You can see the domain names you are using at Admin/Control Panel/Domains on your SOAR website.

SSL Certificates

For HTTPS to work, each domain name must have an SSL Certificate to prove its identity and verify who it is. The SSL Certificate is loaded on our web server and attached to the domain name for the website.

An SSL Certificate is purchased from an Internet Registrar, like a Vanity Domain, and costs $60+ per year.

SOAR purchases and maintains SSL Certificates for all SOAR Domains. You can see this in action by typing https:// before your SOAR Domain in a web browser. i.e. https://city123.mytroop.us or https://town456.mypack.us.

Note: With a SOAR Domain you cannot use the “www” prefix in the domain name with HTTPS. That is because the SSL Certificate only covers *.mytroop.us and *.mypack.us. This is called the first level subdomain. An SSL Certificate for second level subdomains (i.e. *.*.mytroop.us and *.*.mypack.us) that would cover the “www” does not exist.

HTTPS will not work on your existing Vanity Domain, because an SSL Certificate has not been purchased for that domain name. Given the $60+ annual cost of an SSL Certificate it is cost prohibitive for most customers to purchase one for their Vanity Domain.

Non Secure HTTPS

If you try to access a website through HTTPS that does not have an SSL Certificate, has an invalid/expired/fake certificate, or has an error in the certificate the browser will let you know. It will label the site as “Non Secure” with an icon, will display a page with lots of warnings, and will not let you continue. An example is shown to the right.

This is important because you don’t want to use a site like this to purchase anything. The browser is preventing you from accidentally putting your financial information at risk.

99% of SOAR customers have never had to understand or worry about any of this because they don’t have their SOAR websites setup to use HTTPS.

When your members used the Online Payments feature of your SOAR website, they were directed via HTTPS to PayPal, who does have a a valid SSL certificate, to process credit cards. Financial information is protected during the transaction.

A Change is a Coming

Google Chrome has a new release (v56) coming out in the next few weeks that changes the above behavior and WILL impact all SOAR customers.

Previously the indicators for secure/non-secure only applied to websites using HTTPS, and only in relation to the SSL Certificate for the site. The new Chrome release includes an additional definition for not secure – any website using HTTP that has login pages (i.e. passwords). Well… that is every SOAR customer !

At launch, the Chrome browser will not display the same Non Secure message as shown in the previous section. Instead it will display a “softer” info icon and possibly the words “Not Secure”. If you click on the icon it will display the message to the right.

This will be confusing for many people as they are used to what the existing definition of “Not Secure” is and could become concerned about using your unit website.

Over time, the Chrome browser will increase the severity of this message to be closer to a Non Secure HTTPS message. It is expected that other Browsers will also follow suit with the same warning.

What is SOAR doing about this?

We will be making a number of changes to the SOAR service to address this.
1. Removal of “www” prefix from SOAR domain names
   For customers that are using SOAR Domain,s we are phasing out the “www” at the beginning of the domain name. If anyone tries to access a SOAR Domain with a “www” at the beginning, we will redirect them to the SOAR domain without the “www”.

   This is necessary to support Step #2 below.

   Note: Email features on your SOAR website will continue to work like normal. Email does not use the “www” prefix in the domain name.

   This will start the week of January 30th.

2. Redirecting SOAR Domains names to HTTPS
   The only way to make sure your members don’t get a Non Secure message, of any type, on your SOAR website is to move all SOAR websites to HTTPS.

   Since we already purchase and maintain SSL Certificates for these domains, this will be simple. We will redirect all requests using HTTP for SOAR Domains to use HTTPS. This way, browsers will show the “Secure” message for your SOAR website. This includes the “www” redirect from Step #1.

   Note: Email features on your SOAR website will continue to work like normal. Email does not use HTTPS/SSL like your domain name does.

   This will start the week of February 13th.

3. Redirecting Vanity Domains to use HTTPS
   Vanity Domains that you purchased outside of SOAR do not have an existing SSL Certificate. We are also pretty sure most do not want to pay an additional $60+ year to get an SSL Certificate. Therefore we will take all traffic (HTTP and HTTPS) going to your Vanity Domain and redirect it to the HTTPS version of your SOAR Domain. This will ensure your members see the Secure message in their browser.

   You can still use your Vanity Domain in links, marketing, etc. It will simply redirect automatically when people use it in their browser.

   Q: Is there any way to still display my Vanity Domain in the address bar of the browser once this occurs?
   A: Unfortunately, not without purchasing an SSL Certificate annualy.

   Note: Email features on your SOAR website will continue to work like normal. Email does not use HTTPS/SSL like your domain name does.

   This will start the week of February 13th.

4. Updating search engines
   When search engines query your website, they ask for a Sitemap that will give them the set of website pages for your site that should be indexed and how they should be indexed.

   We will be updating these Sitemaps in the following way:

   • Removing “www” prefix from any SOAR Domains
   • Using HTTPS instead of HTTP

What will my members see?

or	This is perfect. The SSL Certificate is valid. All the content on the page is using HTTPS. Ideally, this is what you are shooting for.
or	This is OK. The browser is not blocking the site. The browser is notifying the user that not all communication with the site is encrypted OR there is content on the site that is not pulled from HTTPS sites. See #3 and #4 below to resolve this.
or or	This is a problem The browser is blocking the user from continuing on to your website. See the section at the end for troubleshooting.

What should I do?

1. Educate your members
   Set expectations with your members. See the previous section.

   The only real issue is if a member gets the “red triangle” notice.

2. For SOAR Domains, remove the “www”
   If you are using a SOAR Domain, you should remove the “www” from the beginning of your domain name in any marketing materials you have created, member/recruiting communications, references on your website, etc.

   As noted previously, the “www” version will redirect to the non “www” version. You should still standardize reference to your unit website with the “www” moving forward.

   Many programs will automatically create a website link when you type in a domain name like www.troop123.com. To get that same effect with your SOAR Domain just use the format https://city123.mytroop.us or https://town456.mypack.us. The https:// at the beginning will trigger the same effect.

3. Use Relative URLs within your site
   URLs (or web addresses) come in two different forms:

   Absolute URL

   • Example: https://town456.mypack.us/node/123

   • These include a protocol (HTTP or HTTPS), the domain name, and the page on the site.

   Relative URL

   • Example: /node/123
   • These are just the “page” part of the URL

    

   Your SOAR website already uses Relative URLs for core features like Photo Albums, Graphics Library, etc. You don’t need to worry about those.

   If you are linking to other content within your SOAR website you should be using Relative URLs. This will insure the browser uses the existing protocol (HTTP/HTTPS) and domain name already in use. Here is an example of an Announcement that would need to be updated.

   Anytime you use the “Insert Link” feature in the Rich Text Editor and are linking to content already on your SOAR website, you should use a Relative URL.

   You should review the existing content on your SOAR website to update to Relative URLs.

4. Use HTTPS for external pictures/images
   If you are using external images/graphics in content on your website, you should use HTTPS in your link to those images. An example would be https://www.boyscoutcamp/content/trailmap.jpg.

   If HTTPS is not available for the website hosting the content, follow the directions at Admin/Online Help/How Tos/Graphics to download the image and upload it to your SOAR website.

   You can use the website www.whynopadlock.com to look for external images on your SOAR website. Make sure to use the https:// prefix with your SOAR Domain for this tool. Note: this tool only works on public pages of your website. It will give you an idea of what to look for though.

   You should review the existing content on your SOAR website to update to HTTPS external images.

Troubleshooting

If you have a member that is not able to access your website because the browser is blocking your site as “Non Secure” follow these steps with this member.
1. For customers with SOAR Domains, make sure they are not using the “www” prefix for your domain name. This WILL cause this problem.
2. For customers with Vanity Domains, make sure they are getting redirected to the HTTPS version of your SOAR Domain. If they are using HTTPS and seeing your Vanity Domain in the address bar – this is the problem. You do not have an SSL Certificate for that domain which is causing the error.
3. Make sure they are using https:// at the beginning of the domain name, and not http://
4. Have them clear the cache in their browser to remove any potential redirects that are causing the issue.

    

   Google Chrome Click “More” icon on upper right of browser. From “More Tools” select “Clear Browsing Data”. Uncheck everything except “Cached Images and files”. Change “Obliterate the following items” to “the beginning of time”. Click “Clear Browsing Data” button.	Internet Explorer Click the “gear wheel” in the upper right of the browser. From “Safety” select “Delete browsing history”. Uncheck everything except “Temporary Internet files and website files”. Click the “delete” button.
   Safari Select “Preferences” from the “Safari” menu Click “Advanced” Select “Show Develop menu item in menu bar” Close popup window Select “Empty Caches” from the “Develop” menu Select “Preferences” from the “Safari” menu Click “Advanced” Deselect “Show Develop menu item in menu bar”	Firefox Click the Menu button in upper right of browser Click “Options” Click “Privacy” on the left Click “Clear your recent history” Select “Everything” from “Time range to clear” Uncheck everything except “Cache” Click the “Clear Now” button.

5. If all else fails, have them find the “continue to insecure” website link in the page. You should not get to this point, but this will provide an immediate fix to the issue.

SOAR Support