
Saturday 10 February 2018

Going SSL

Chrome have announced that, come July 2018, which is only six months away, any site the browser accesses using http instead of https will be flagged as "Not secure".

For most sites, it really doesn't matter much if a site is secure or not. After all, we've been just fine using http for decades now, and only insisted on https when using Paypal or your bank, that sort of thing.

What https gives you is end-to-end encryption. The content coming from the remote server to your computer is encrypted before it leaves the server, and only decrypted when it reaches your computer. So the picture of a kitten that you're viewing is safe from prying eyes in between.

There are obvious advantages in increasing internet security. Firefox are moving in this direction too. But this is going to have a big impact on some sites, because if you don't move from http to https, that "Not secure" flag in the browser URL bar is going to worry some (maybe most) users, who won't really know the implications, except that "Not secure" sounds really bad.

So I've started to get ready for this.

First, I've recompiled and reinstalled Apache so that it includes support for https. But then, each site that I manage will need a certificate. That certificate will tell Apache how to do the encryption.

Usually, these certs aren't cheap - you might pay $50 per year, per site. But there's a way round it. Let's Encrypt offer free certs. These aren't as flexible as the certs that you pay for - my paid-for cert on my Secure Server (the one I use to collect money from people) not only drives the encryption, it also reassures the user that I am who I say I am (if they know how to look at the cert, and I doubt if anyone ever does).

So, last November, after I installed the https version of Apache, I applied for a few dozen certs. It was a bit tedious setting this up, but I soon had it pretty much sorted, and that gave me all the certs I need, for free. They only last three months, but updating them is also free, and it's a lot easier to update them than to get them in the first place. You do

getssl -a

And it takes a while, but after several minutes, I was all updated.

Next, I needed to change the Apache config files, to tell it two things. First, where the certs were. Second, that I wanted it to use port 443 (that's the https port) as well as 80. And thirdly, I told it that if any user asked for an http connection, then it should switch to an https connection. That means I won't have to change a humungous number of links, both on my web sites, and scattered all over the internet. To do this, I used redirect.

Redirect permanent / https://www.example.com/

This redirect is so permanent that Firefox, once it's seen it, remembers it, like, forever (there is a way to clear Firefox's memory of that). That caused me immense problems, because I hadn't known this, and my first effort was slightly wrong, and when I fixed the mistake, Firefox was still going to the wrong place, and I spent a lot of anguish and elbow grease trying various things to fix a problem that I had already fixed, dammit, except that Firefox carried on redirecting to the wrong place, until I cleared its mistaken redirect.
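
The Apache changes described above, put together as an added example (not the author's own config files). The hostname and every file path are placeholders, and it assumes Apache 2.4.8 or later, where SSLCertificateFile may contain the full certificate chain. The temporary redirect for the testing phase is a suggestion for avoiding the cached-redirect problem just described.

```apache
# Added example: www.example.com and all paths are placeholders (assumptions).

# Listen on the http port and the https port.
Listen 80
Listen 443

# Plain-http virtual host: serves no content, only sends visitors to https.
<VirtualHost *:80>
    ServerName www.example.com

    # While testing, use a temporary (302) redirect. Browsers do not cache
    # it by default, so a wrong target can be corrected on the server alone.
    Redirect temp / https://www.example.com/

    # Once the target is confirmed correct, replace the line above with the
    # permanent (301) form, which browsers remember:
    # Redirect permanent / https://www.example.com/
</VirtualHost>

# https virtual host: the site itself is served from here.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/path/to/site/htdocs"

    SSLEngine on
    # Where the certs are: the certificate (with its chain) and the
    # matching private key obtained from Let's Encrypt.
    SSLCertificateFile    "/path/to/certs/www.example.com/fullchain.crt"
    SSLCertificateKeyFile "/path/to/certs/www.example.com/www.example.com.key"
</VirtualHost>
```

Running `apachectl configtest` before restarting Apache catches syntax errors in the edited files.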

So, I've changed two web sites over to being all https. I'll wait and see if there are any unpleasant side effects, but I don't think there will be, and I'll change everything else to https.

If you have a web site, you should also change over before July 2018.
