User blog:DaNASCAT/FANDOM Increasing HTTPS Support To Improve Security

Today we’d like to provide an update on two important FANDOM-related security topics, explaining a message users will see on Google Chrome and how FANDOM will be rolling out improved HTTPS support in the near future

Understanding Google Chrome's New Messaging
Many web browsers are taking the lead in making users more aware of security concerns, most notably Google Chrome. Users of Chrome will notice in upcoming weeks that a "Not secure" message will appear on the address bar while filling in a number of forms around the FANDOM network, including when editing. FANDOM has made plans to fully secure these tools in upcoming engineering cycles, but in the interim these forms do not transmit any personal data or private information and you will not be at risk using our tools. As always, we encourage you to never post private information on our communities with any users - be it your email address, password, age or location. If it’s information you wouldn’t want a hacker stealing, you certainly shouldn’t be posting it for everyone to see publicly!

The simple reason you will see these messages is because these forms still use the HTTP protocol as opposed to HTTPS. The difference between these two protocols is simple: HTTP transmits data in plaintext, HTTPS encrypts the same data. This means if some hacker was somehow able to intercept the transmission between you and a website, they would be able to see exactly what you were communicating with the website in HTTP, but unable to read it in HTTPS.

Tools on our network that transmit personal data - such as user registration or login - already use HTTPS and have for quite some time.

FANDOM and HTTPS Rollout
FANDOM has long been at work, planning how to make all elements of our site use HTTPS. Most of the changes have been behind the scenes, from rolling out the Helios login service last year to switching our user avatar services to use HTTPS earlier this month.

The next step of this process is procuring SSL certificates. A website needs an SSL certificate to verify that the site is who it claims it is so that the TLS encryption can begin and the data can be transmitted. FANDOM already has an SSL certificate for *.wikia.com, which has allowed us to have all our global tools - like the login or avatar services - already use HTTPS.

The tricky part is getting the SSL certificates for all of our wikis. FANDOM has over 385,000 wikis, many of which can not be served under the *.wikia.com certificate (for example: wikis with language identifiers in their URL). Getting certificates for such a high number of wikis is difficult. This may mean we will have to make some minor URL structure tweaks. If and how this will be done is yet to be decided - we should have more information in the coming months and will certainly communicate any changes well in advance. Even if the URL structure does change slightly, previous URLs will remain as redirects, so there should be no negative direct visit or SEO impact to your community.

As the internet is always changing, it’s certainly possible we’ll be tackling new and surprising cybersecurity concerns in the future. But hopefully this brings you up to speed where FANDOM is as we close out 2017!