Ars Technica: HTTPS is not a magic bullet for Web security

Monday, 18 July 2016

A great overview for anyone interested in learning more about the nuances of HTTPS: how it is secure and how it can be misconstrued as secure. While there is some jargon in the article, it’s pretty easily parsable, so there’s no reason to avoid reading it. Very much recommended for anyone using the web (despite the irony of Ars not offering blanket HTTPS connections).

My Experience Implementing HTTPS on SFFW

Gilbertson, the author, makes it a point to share his personal traumas of trying to get HTTPS up and running on past projects he’s worked on. While I don’t dispute that, I do want to offer my own personal experience if you’re interested in implementing HTTPS on your own site(s) as I’m happy to report that it was quite the opposite for me. Late last year, Dreamhost announced that it would offer the one-click install of Let’s Encrypt SSL certificates that Gilbertson said might eventually arrive – which I took full advantage of back in February shortly after the beta program started. It’s basically a one-click install followed by a short wait for everything to get up and running, but definitely a stress-free experience requiring no sophisticated IT knowledge to implement.

Courtesy of this Dreamhost FAQ, a quick addition to my site’s .htaccess file:

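              # Turn on mod_rewrite, then send any non-HTTPS request to the same host and URI over HTTPS
              RewriteEngine On
              RewriteCond %{HTTPS} !=on
              RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]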

…and all HTTP connections to my server would be redirected to use HTTPS. With practically no effort of my own, SSL Labs’ security test rates my site an “A”.
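To confirm from the outside that the rule does what it says, the first response to a plain-HTTP request can be checked for a permanent redirect to the same host and URI over HTTPS. The following is an added example, not part of the original post or the Dreamhost FAQ; the function names, the `example.com` samples and the choice to accept 308 alongside 301 are assumptions.

```python
import http.client
from urllib.parse import urlsplit

def evaluate_redirect(host, path, status, location):
    """Return the problems with the answer to http://<host><path>; [] means OK."""
    problems = []
    if status not in (301, 308):  # assumption: only permanent redirects pass
        problems.append(f"status {status} is not a permanent redirect")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme or 'missing'!r}, not https")
    if (target.hostname or "") != host.lower():
        problems.append(f"redirect goes to host {target.hostname!r}, not {host!r}")
    # The rule reuses REQUEST_URI, and mod_rewrite carries the query string over.
    target_uri = target.path + (f"?{target.query}" if target.query else "")
    if target_uri != path:
        problems.append(f"request URI changed from {path!r} to {target_uri!r}")
    return problems

def fetch_first_hop(host, path="/", port=80, timeout=5):
    """Send one plain-HTTP GET (http.client never follows redirects)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (not captured from any real server).
SAMPLES = [
    ("example.com", "/blog?p=1", 301, "https://example.com/blog?p=1"),
    ("example.com", "/blog?p=1", 302, "https://example.com/blog?p=1"),
    ("example.com", "/blog?p=1", 301, "https://example.com/"),
    ("example.com", "/", 200, None),
]

if __name__ == "__main__":
    for host, path, status, location in SAMPLES:
        print(host, path, status, evaluate_redirect(host, path, status, location) or "OK")
```

Against a live site, pass the result of `fetch_first_hop(host, path)` as the last two arguments of `evaluate_redirect`.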

HTTPS Everywhere

I would be remiss if I didn’t put in a recommendation for EFF’s HTTPS Everywhere browser plugin (Android, Chrome, Firefox, and Opera only at the moment). Simply stated, whenever you browse to a site that also offers HTTPS but doesn’t do the aforementioned auto-redirection to it, the plugin will do it for them. Easy-peasy.