I’ve just made the Brawer Software site run on the HTTPS protocol. The uBar purchase checkout is by Paddle, so that was always over HTTPS. But the main site was running on HTTP.
To be clear, there is no particular pressing reason to be using HTTPS on normal sites with no sensitive information.
But as they tend to do, Apple is showing the way forward. uBar 3.0.4 was the first version to be compiled with Xcode 7 back when El Capitan came out. Unfortunately, Apple had blocked all HTTP requests by default, which bricked the Sparkle update mechanism. So I had to rush a 3.0.4 hotfix and then a 3.0.5 update to fix it, hoping not too many customers had downloaded 3.0.4. Here is the required addition to Info.plist:
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
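An added example, not code from the original post: NSAllowsArbitraryLoads turns App Transport Security off for every connection the app makes, so a release check can flag it and tell it apart from an exception scoped to a single host. The sample plists are constructed, `updates.example.com` is a placeholder, and `audit_ats` is a hypothetical helper name.

```python
import plistlib

# Constructed sample: the blanket exemption shown in the post.
BLANKET = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Constructed sample: exemption scoped to one host (placeholder domain).
SCOPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSExceptionDomains</key><dict>
    <key>updates.example.com</key>
    <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
  </dict></dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Return a list of (severity, message) findings for an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # no ATS overrides, so the platform defaults apply
    findings = []
    # Blanket switch: every host may be reached over cleartext HTTP.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "ATS disabled for every host (NSAllowsArbitraryLoads)"))
    # Per-domain exceptions: narrower, but still worth listing in a review.
    domains = ats.get("NSExceptionDomains") or {}
    for host, opts in sorted(domains.items()):
        if isinstance(opts, dict) and opts.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = "and subdomains" if opts.get("NSIncludesSubdomains") else ""
            findings.append(("medium", f"cleartext HTTP allowed for {host} {scope}".strip()))
    return findings


if __name__ == "__main__":
    for name, sample in (("blanket", BLANKET), ("scoped", SCOPED)):
        print(name, audit_ats(sample))
```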
That said, making the Brawer Software site run on HTTPS throughout is entirely prophylactic.
The reason I got the actual SSL certificate is that I have been checking out Zendesk to set up a support sub-site, and the only way to get it to use support.brawersoftware.com was to get a certificate.
I opted for a 5 SAN certificate from GoDaddy, covering a bunch of domains.
As for actually getting the site to rewrite all URLs to HTTPS, I used the following in the .htaccess:
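    # Redirect HTTP to HTTPS
    RewriteEngine On
    # Any other host name: permanent (301) redirect to the canonical HTTPS host
    RewriteCond %{HTTP_HOST} !^brawersoftware\.com$ [NC]
    RewriteRule ^(.*)$ https://brawersoftware.com/$1 [L,R=301]
    # Canonical host over plain HTTP: redirect to HTTPS (R with no code sends a 302)
    RewriteCond %{HTTPS} !on
    RewriteRule ^(.*)$ https://brawersoftware.com/$1 [R,L]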
I’d like to get the whole Brawer Timepieces site running on HTTPS, but Shopify only allows HTTPS on the checkout (checkout.shopify.com). It would be nice if they made this possible. A quick Google search reveals that people have been requesting it for years (along with multi-language stores and multiple currencies).
Get on it, Shopify!
Update: As of February 2nd 2016, Shopify added SSL support. Well done.