Good evening, can you tell me when SSL on your site will be supported. I understand from the documentation that it currently is not.  I wanted to see if that had changed.

   We have received several emails from people, not wanting to join because there is no SSL connect when they are entering their personal information.  I explained that SSL is enabled for the credit card transaction, however they would like the entire members site to be ssl.  I wanted to get your thoughts.  Frankly I like the idea of the member area being ssl also.  I am concerned  about the members user name and password passing in clear text to the web server.

If there is a work around, I would be happy to give it a try.

Thanks for your time and consideration.

---

David

David,

This is definitely something we are considering - though I can not provide a timeline yet. We still have to figure out how to deal with the issue of custom domains - it is not feasible for us to ask every client using custom domain to obtain their own SSL certificate and then have us install it. It's a simpler issue for people using our free domains as we can get one or a handlful SSL certs ourselves.

---

Dmitry Buterin, Chief Apricot

I agree.  Ability to use my own SSL certificate would help build my customer's confidence and make me more sales.

I appreciate your reply.  I would be happy to purchase the SSL certificate.  I am getting asked this question more and more.  I use godaddy and they are offering a pretty affordable SSL cert.  Would this be something that you could work out with them?

 Alot of people are concerned about their user name and password being passed between them and your service in clear text.

 Thanks again,

 David

---

David

I too would be happy to pay the extra to have SSL.  Members are reluctant to put any personal details on the system without using a secure site.

The sooner this is available, the better.

Everything else about WildApricot is brilliant!

Alex.

I would also be willing to pay extra for this.

We just joined (as a Group site) and a BIG issue for us will be the SSL certificate.  We have one now for our "old" website and having one for us is critical.

We will be willing to pay for the certificate since we already have one that we renew each year.

The sooner the better!

Moving this to roadmap.

---

Dmitry Buterin, Chief Apricot

Outstanding!  I hope that means we'll see SSL support soon.

 Thank you.

I really do appreciate you moving this onto your road map.  Wild Apricot is really a great service. 

 

David

---

David

We are very concerned about the same thing.  There are two issues with SSL for us.

1.  We would like to have the site go to SSL when someone is signing up for membership.  From my prospective there is NO requirement to use our own SSL certificate.  I would just like to flip their application over to the memberlodge site when people are entering their address, telephone number and such on the member page.
   
2. We would like to have option on entering the user ID and password on an SSL encrypted page.  The problem is administering anyone wild apricot website from a cybercafe.  In this case the password and user ID is transmitted completely in the clear.  Anyone on the wire can read this data.  This means that it would not be possible for anyone to tell if the real administrator or someone else used their password.  I'm not so worried about the regular accounts, but I am very concerned about the admin area, where there is access to my payment information.  Again there is NO requirement to use our own SSL certificate.  I would just like to flip this login over to the memberlodge site when people are entering their admin and password.

thanks

 

---

David

I just wanted to check on the status of this.  It was almost 1 year ago that this was discussed.

---

David

We have been doing research and analysis and currently are finishing the technical details and will proceed to estimating the work involved. Depending on the estimate, we plan to schedule it within the next few releases (4.1-4.3)

---

Dmitry Buterin, Chief Apricot

Thanks for the update, I am looking forward to the SSL feature.

 

with kind regards,

David

---

David

I think this would be very valuable to my group too.  We would not necessarily need our own certificate.

Dmitry, could you give an update on when this might be available? 

 

I think this is a critical feature and may actually be a deal-breaker for us, as we are looking to build a community of security professionals! With the number of data breaches and information loss that are happening (see http://datalossdb.org/) everything you can do to protect your customer (and our users') data should be done. 

 

I think it's reasonable to ask your customers to purchase their own SSL certificates (through you or not) if they care about this. Or a 'free' option could be to bounce registration/login through a generic WA domain. 

 

This is a critical feature, in my option.

 

Thanks! 

 

Let me share some of details on current version plans: 

We were planning SSL support for 4.3 release (Q3 of 2011) but now we're not sure if we'll able to fit it there. The problem is that in 4.2 (to be release in mid May 2011) have started quite a huge change of internal architecture for Content Management System and we need a lot of resources to complete the change in next 4.3 version. This means that we might not been able to put SLL into 4.3 scope.

Yet we haven't planned 4.3 in details so this will be clear later - in the end of May.

---

Evgeny
Product Design Team

Greetings,

It is disappointing that this issue was raised 2 years ago and has yet to be resolved.  Today it has become extremely important to protect personal data as identity theft is becoming more and more common.  If we look at current events we do not want another issue like Sony or Epsilon have experienced.

I too would like SSL encryption across the internet from my browser - this is not the same as SSL encryption the entire way through the connection, as once the data is within your datacenter environment I class it as being semi-secure.

From a purely technical perspective it should be possible to terminate the SSL traffic on your load balancers and then pass the traffic from the load balancers to the web servers unencrypted.  From the end-user perspective the entire connection would be encrypted however once the SSL connection is terminated at the load balancer then the normal reverse proxy'ing and URL redirection can take place to your webservers.

Whilst this is not an idea solution (as there would still be a component of the connection running unencrypted) it should require minimal reprogramming on your part and would achieve the goal of having the data encrypted over the internet.  As far as I can imagine you would need to write an api or web-page for us (the customers) to upload the SSL certificates to the load balancers.

This is easily possible with most load balancers I have worked with from Cisco, Foundry (now Brocade) and F5.

This post is not meant to be condescending, on the contrary I am hoping you have not considered this path and will now considering it - and hopefully get the SSL encryption to the administrator and membership areas online sooner.

Hope this helps and look forward to seeing SSL implemented soon.

  

Thanks for the suggestion, I will pass it on to my technical team. I do believe we have considered this path and this is the direction we are working toward - but it does involve quite a bit of work, given such factors as use of custom domains, white-labeled accounts, use of content delivery network etc. etc.

---

Dmitry Buterin, Chief Apricot

Thanks for the update, every new release I am holding my breath that SSL will be included.  As a professional association of security professionals, not having SSL has created quite a bit of discussion.  I am really looking forward to the day when SSL will be included.

---

David

I hope to see this soon too.  Many prospective members have raised this issue on the membership application.

Is there a current update on scheduling for SSL encryption?  Did it make it into 4.3, or has it been pushed to 4.4, or beyond?

I've gone through the trial of Wild Apricot and it's an INCREDIBLE service with a great user interface - Exactly what I need as membership director of my group.  EXCEPT that data is not secure until it gets into your very secure servers.  Given that our membership application and member profiles contain a good bit of highly personal information, I cannot in good conscience propose Wild Apricot to my board, or to our membership knowing that this information could be intercepted simply by using a connection in a public place.  Worse yet both User ID and password can be intercepted, and potentially used to access all directory-enabled data on OTHER members.

Very frankly, both I and my board would be laughed out of the room is we told members we were asking them to input personal information without the security of a secure connection.

Please, please, PLEASE fast track this and let us know when we can expect it to happen.  Wild Apricot is such a huge leap from the current hodge-podge I'm using I'm willing to wait, but having a target date would make it much easier to justify doing so!

Thanks!

Unfortunately, it's been pushed further to 4.4 or beyond.  

---

Evgeny
Product Design Team

Just to set the record straight:

https is not part of 4.3 scope (release ~Oct 2011) 

It is a candidate for the next release - 5.0 (~Jan-Feb 2012), though it is not yet clear if it will go there in full, partially (for free wa domains only) - or will be pushed to a later release, it is still in analysis/design. 

---

Dmitry Buterin, Chief Apricot

Thanks for the update.  Not happy to hear it's not going to be sooner, but appreciate at least the target.

 

This really is an important feature for us and apparently for many, and several of my techie friends have indicated it's becoming more so with privacy/identity theft laws that are not far from taking effect.

Please expedite this implementation as much as possible.

 

Thanks!