Keeping Your School Secure With SSL

SSL ensures that any data on your site is encrypted and your students won’t have to worry about the security of their information. This article goes over some basic information on SSL and how it works to secure your Teachable school.

NOTE: On 10/25/17, SSL will automatically be enabled for all Teachable schools. Any school created before 10/25/17 will have the option to disable SSL. Any school created after 10/25/17 will have SSL enabled by default.

What is SSL?

Secure Sockets Layer (or SSL) is a standard security protocol that encrypts any data shared between a web browser and web server. A secure connection ensures that any data taken from a site is confidential.

In order to create an SSL connection, an SSL certificate is needed. This allows the web browser to establish a secure connection to the web server. For the majority of schools, Teachable will create an SSL certificate on your behalf. Schools created before 10/25/17 will have the option to enable/disable SSL on their school.  

Once the process is completed, a secure connection is indicated by the website's URL being prefixed with "https" instead of "http", and by a visual indicator on the web browser's address bar (usually a padlock). The screenshot below is an example of how Google Chrome indicates a secure connection:

chrome_https_example.png

Why Is SSL Important for my School?

In the past, Teachable has always included free SSL on the pages where critical information is being transmitted. These pages included the Checkout page, Signup page, and Login page.

  • Checkout page
  • Signup page
  • Login page

However, we understand that the security of users is important on every page, not just the ones with confidential information. By offering free SSL on all pages within a school (for both Teachable and custom domains), we’re giving you the following benefits:

  • Security - If you have a site that is not HTTPS-enabled, students may be greeted with a warning from their browser that the site they are trying to access is insecure. Once SSL is enabled and you secure your site, your students can rest assured that they are free to participate in your course's without the fear of having their information stolen.
  • SEO - Google has announced that they will take site security into account when ranking websites on a search engine. When your school has SSL enabled on every page, it will rank higher on search engine results and be seen by more people.

How do I Enable SSL?

NOTE: On 10/25/17, SSL will automatically be enabled for all Teachable schools. Any school created before 10/25/17 will have the option to disable SSL. Any school created after 10/25/17 will have SSL enabled by default.

To enable SSL on your Teachable school:

  1. Log into your Teachable school.
  2. Go to your school's Admin area.
  3. Click Settings.
    admin_settings.png
  4. Scroll down to the SSL Security section.
  5. Click Enable SSL.
    settings_SSL.png
  6. In the popup window, click OK to confirm your decision and enable SSL. 

Mixed Content (HTTP vs. HTTPS) and Potential Issues

Once you've enabled SSL on your school, your URL will be prefixed with "https" to indicate that the connection is secure. For most schools, everything will continue to operate as usual. However, in some cases you may notice browser warnings when visiting your site, or some of your content may not display properly. The usual reason for this is “mixed content”—in other words, your site is trying to load both HTTPS and HTTP content. For instance, you may have embedded an image or video from a non-SSL-enabled webpage.

To better understand mixed content, see this blurb from Google's support documentation on mixed content

Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources. 

If you've used HTML code to embed content within your school, it's possible that some of your pages have mixed content. If your site is secure (HTTPS), but your content is insecure (HTTP), there will be a conflict between the two.

NOTE: Some areas where mixed content could occur include the Power Editor, Code Snippets, and custom HTML blocks. To see where mixed content may exist within your school, use this tool created by JitBit to go through your HTTPS site and search for any insecure content. However, please note that this tool may not catch all instances of mixed content in your school.

For example, if you've embedded an image into your secure (HTTPS) sales page by adding the following HTML code:

<img src="http://imageexample.com/puppy.jpg">

Your web browser will warn you that the page is not secure. This is because the image is taken from an insecure URL (as indicated by the HTTP). Your web browser cannot declare the page secure, because the browser is trying to load insecure data (the image) over a secure connection (the HTTPS-enabled sales page).

To fix this, ensure that all content on a secure page is using an HTTPS URL. If you have content that it is using an HTTP URL, you'll have to get a new HTTPS URL for the content and use that instead. Another option is to directly upload the content through Teachable, as this will ensure the content is secure (if you have SSL enabled).

Learn more about handling mixed content on your website:

Previewing Your Site With SSL Enabled

If you'd like to preview a secure version of your site to see whether or not mixed content will be an issue, click Preview SSL on School.  This will open up a window that previews your site with SSL enabled.

mixed_content_preview.png

Finding Mixed Content in My School

To see whether or not you have mixed content in your school, click the Export CSV of Mixed Content button.

mixed_content_CSV.png

This will send an email, to the email address associated with your school, that includes a spreadsheet of the URL paths and areas where insecure content is located within your school. Please note that this process may take several minutes to complete.

If no instance of mixed content are found within your school, you'll receive an email to notify you as such.

What If I Already Have an SSL Certificate?

What If I've Already Created an SSL Certificate and Want to Keep Using It?

If you've already created an SSL certificate for your school through a third party, you'll still be able to use it on your Teachable school. However, keep in mind that on 10/25/17 11AM EST, Teachable's native SSL certificates will be enabled for all schools. To continue using your third-party certificate, you'll have to disable the Teachable-created SSL certificate.

NOTE: If you have created an SSL certificate using Cloudflare, and would like to continue using it, there are a few extra steps to take—more information below.

What If I Have an SSL Certificate but Want to Switch to Teachable's?

Before switching from a third-party to Teachable's native SSL functionality, be sure to disable the third party's SSL certificate before enabling Teachable's SSL certificate. If the old SSL certificate is running at the same time as the Teachable-created SSL certificate, there may be conflicts between the two that could result in redirect loops or browser warnings.

What If I've Already Created an SSL Certificate Through Cloudflare and Want to Keep Using It?

If you already have an SSL Certificate from Cloudflare, and would like to continue using it, there are a few steps you'll have to take to ensure it is compatible with your Teachable school:

  1. Log into your Cloudflare account.
  2. In the navigation bar, click Crypto.
    cloudflare_crypto.png
  3. In the SSL section, use the dropdown menu to select Flexible or Off. If SSL is set to Full or Full (Strict) there will be a conflict between Cloudflare and your Teachable school.
    cloudflare_SSL.png

FAQ

Why Am I Getting a Warning from My Browser Saying I Have Too Many Redirects?

There are 3 situations in which this warning may appear:

  1. Your custom domain has a 301 redirect that is redirecting your URL from HTTPS to HTTP - To fix this, you'll have to disable the redirect in your domain registrar.
  2. You are using an SSL certificate from Cloudflare that is not configured to be compatible with Teachable - To fix this, you'll have to change some settings in Cloudflare—more information here.
  3. You have a third-party SSL certificate enabled at the same time as your Teachable-created SSL certificate - To fix this, you'll have to either disable your third-party SSL certificate or disable your Teachable-created SSL certificate. Both cannot be enabled at the same time.
thanks_illustration

Can't find what you're looking for?

Contact us
thanks_illustration