We are encouraging people to shift websites to 'https' as best practice. The major browsers have been advocating this for some time. For example, Google’s first step in this direction in 2017 was to introduce a security warning in Chrome for any web page containing input fields for passwords or credit card details, if that page is not served over https. Then in 2018, Google introduced the words 'Not secure' in the address bar for every page that is not served over https, regardless of whether the page handles private information or not.
This support article is intended to provide a non-technical explanation of website security and also explain our current policy regarding https.
Installing a security certificate allows a domain (website URL) to be served over https, which causes web browser software such as Google Chrome and Microsoft Edge to display a padlock or other symbol in the address bar to indicate that the site is 'Secure'. It also allows the website to avoid the 'Not secure' warning described above.
Https encrypts the data passing between the web browser software on your computer and the web server hosting the web page. It also means that the web page you are viewing does indeed belong to the domain name that is displayed in the browser address bar.
What is the risk? This largely relates to what is known as a man-in-the-middle attack. This is where someone is able to 'sniff' and log traffic within your local Wi-Fi network, or someone may have access to log traffic upstream between your Wi-Fi router and the web server of a site you're visiting. Almost all Wi-Fi networks now have their own inbuilt security such as WPA2, which provides unique encryption for each wireless device you connect to it, so https is not as relevant for this leg. However, there is still a possibility that an employee of your internet service provider (or of other ISPs between your ISP and the web server) could log unencrypted traffic and then search it for login credentials or personal information to exploit.
In relation to the Sporty platform, we automatically use TLS (Transport Layer Security), which is the latest https protocol that superseded SSL (Secure Sockets Layer), to encrypt all data being passed under the Sporty domain (i.e. sporty.com.au and sporty.co.nz) all the way from your browser to our web servers. We also use https for all back-end pages and databases where you are logged in as an administrator.
If you have your own custom domain name (web address URL) that you wish to serve securely via https, then a security certificate will need to be installed specifically for that domain name. Normally, if you were to purchase a security certificate from a provider such as DigiCert.com or Thawte.com, the cost would be over US$200 per year plus the cost of a web developer to install the certificate on the server.
We offer https for custom domain names as a service for $150 + GST per year (not US dollars) per domain name, all inclusive. This may be discounted further if you have multiple domains connected to the same website. To order this service for your own domain name, please complete this order form.
Note: We do not currently support people procuring or installing their own TLS certificates. The cost incurred by Sporty does not typically relate to the certificates themselves. It relates to the development and ongoing maintenance of the platform's backend server infrastructure, as well as the installation and renewal of each TLS certificate. For example, some TLS certificates are free but only have a 90-day lifetime before they must be renewed and reinstalled. Although tools to automate this are improving, they are not quite there yet. We understand the desire to minimise costs and we are proud of the number of services we provide without charge. In the future, we expect to include TLS certificates as yet another free service. However, we must balance the cost of providing free services with the revenue that is necessary to make them possible.