Moar HTTPS!

About 13 months ago we bought an SSL certificate for harmsboone.org. Recently we upgraded our SSL configuration for harmsboone.org and all our subdomains (except wedding.harmsboone.org, we’ll get there). Now you can browse Greg and Danielle’s blogs, and Danielle’s new writing project, 1000 Wednesdays, with confidence that nobody, not the government, not your internet service provider, not your crazy neighbor with a WiFi Pineapple, is interfering with the words and photos you see on these pages.

We upgraded the base three, this site and the two blogs a couple months ago with certificates from SSLMate. You can get some sense of how I did it from my friend and colleague Eric Mill’s blog where he has posted an excellent walkthrough. You can also check our work at SSL Labs where we get an A+.

1000 Wednesdays I did this weekend, the same day we registered the domain. It was fully encrypted before we put any content on it at all. It, too, gets an A+. We also snagged a cert for International Underground, with an A+ configuration, while we were at it.

Both of these last two sites are extra hip for being encrypted with a free certificate from Let’s Encrypt, a new non-profit, open Certificate Authority run by the Internet Security Research Group (ISRG). Their goal is to lower the barriers to entry for enabling encryption on web servers so that everybody can be serving content safely to everybody using the Internet. That means even sites that are more or less dormant, like International Underground, can ensure that whoever happens upon them is getting content they can trust.

Things that were tricky about converting these sites over:

  • We migrated from a shared hosting environment to a virtual server on NGINX. Let’s Encrypt does not officially support NGINX yet, so we had to obtain and install the certificates manually.
  • We had to solve some pretty big mixed content problems. For the most part they were ameliorated by changing the protocol in our various config files.
  • For International Underground, we had to patch a plugin that served a remote file over plain http. This may have broken the content (it’s a Flash video and I didn’t bother checking to see if it worked).
  • I missed the memo that Let’s Encrypt certificates don’t cover the www subdomain by default, and we (temporarily) lost www on International Underground and haven’t configured it for 1000 Wednesdays. I’m tempted to leave it that way, especially since the latter never responded to www, but the redirect isn’t hard to set if you have the cert to cover it.
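Mixed content is much easier to find with a scanner than by clicking around the site and watching the lock icon. The script below is an added example, not code from the original post: it parses an HTML page with Python's standard-library parser and lists every sub-resource (stylesheet, script, image, iframe, embed, and so on) that a browser would fetch over plain http://, resolving relative and protocol-relative URLs against the page's own https:// address so that only real downgrades are reported. The sample page, hostnames and paths are constructed for the example.

```python
"""Mixed-content scanner for an HTML page served over HTTPS.

Added example; the sample HTML and the hostnames in it are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which each element pulls in a sub-resource. Plain <a href>
# links are deliberately absent: navigating to an http:// page is not mixed content.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
}

# Browsers block "active" mixed content (it can run code or restyle the page)
# and merely warn about "passive" content such as images. Both need fixing,
# but the active ones are what visibly break a page after the switch to HTTPS.
ACTIVE_TAGS = {"script", "link", "iframe", "embed", "object"}


def _srcset_urls(value):
    """Split a srcset attribute ("url 1x, url 2x") into its bare URLs."""
    urls = []
    for candidate in value.split(","):
        parts = candidate.strip().split()
        if parts:
            urls.append(parts[0])
    return urls


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url, severity)

    def handle_starttag(self, tag, attrs):
        attr_names = RESOURCE_ATTRS.get(tag)
        if not attr_names:
            return
        attrs = dict(attrs)
        for name in attr_names:
            raw = attrs.get(name)
            if not raw:
                continue
            candidates = _srcset_urls(raw) if name == "srcset" else [raw]
            for candidate in candidates:
                # Relative ("/uploads/x.png") and protocol-relative ("//cdn/x.js")
                # URLs inherit the page's scheme, so resolve before checking.
                absolute = urljoin(self.page_url, candidate)
                if urlsplit(absolute).scheme == "http":
                    severity = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, name, absolute, severity))


def find_mixed_content(html, page_url="https://example.org/post/"):
    """Return (tag, attribute, url, severity) for every http:// sub-resource."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


def count_by_severity(findings):
    """Summarise findings as {"active": n, "passive": m}."""
    counts = {"active": 0, "passive": 0}
    for _, _, _, severity in findings:
        counts[severity] += 1
    return counts


# Constructed sample page: a mix of downgraded, protocol-relative and local resources.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="//cdn.example.net/jquery.js"></script>
<script src="http://cdn.example.net/plugin.js"></script>
</head><body>
<img src="http://images.example.org/photo.jpg">
<img src="/uploads/local.png">
<img srcset="http://images.example.org/a-1x.jpg 1x, https://images.example.org/a-2x.jpg 2x">
<a href="http://example.com/">a plain link is not mixed content</a>
<embed src="http://video.example.net/player.swf">
</body></html>
"""

if __name__ == "__main__":
    results = find_mixed_content(SAMPLE_HTML)
    for tag, attr, url, severity in results:
        print(f"{severity:8} <{tag} {attr}> {url}")
    print(count_by_severity(results))
```

Run it against a saved copy of each page (or feed it the output of a fetch) and fix every line it prints, either by switching the URL to https:// where the remote host supports it or by hosting the file locally; the protocol-relative `//cdn.example.net/jquery.js` in the sample shows the form that already follows the page's scheme and is therefore not reported.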

Overall, even though it took a few steps more than SSLMate, I was pretty impressed with Let’s Encrypt. For a public beta it is a great service that’s only going to get better. I hope to move all our sites to LE eventually but I’m going to get my money’s worth on the certs I paid for first.

It’s HTTPS, Dang it!

Inspired by some of the work I’m doing at my new gig, where we are an all-HTTPS shop, I took the $15 plunge and bought an SSL certificate this morning for HarmsBoone.org.

Honestly, given how easy it is these days, on top of the security concerns, Google giving preferential treatment to HTTPS sites, and the NY Times issuing a challenge to all news sites to go HTTPS by 2015, it only makes sense.

Now, whenever you browse this site you can do so with the comfort of knowing that all the communication between you and this site is private, secure, and authentic. I’ll be doing the same for the other HarmsBoone sites, and for International Underground in the coming weeks, but decided to get the flagship, the oldest and, honestly, most trafficked of our sites locked down and secure first. The next step will be going through the site and making sure that all images and script files linked on our blog posts are also done with https so you know that those are coming through uncontaminated, too.

And that’s about it.

The biggest thing you can do as a user is remember to type https when linking to any website. The worst case scenario is the site hasn’t configured it and you fall back to an insecure connection. For the most part, though, you’ll be sending your friends and family to secure, trustworthy locations on the Internet.