HTTPS encryption


#1

Source:-

A secure web is here to stay

coothead


#2

A good thing, no?


#3

@coothead,
Any particular reason your site is not using HTTPS?


#4

That depends. It's a good thing if it warns folk they're about to enter details on a non-secure page. If a site is purely static - no contact form, nothing interactive - then showing it as "not secure" may lead potential visitors to conclude it's a dodgy site and leave.


#5

Yeah, I appreciate that, but I would argue that it is a necessary evil to force an upgrade to https across the board. Most hosting providers offer a free SSL certificate nowadays, so it is usually a matter of just switching it on.


#6

That is a very good question and one that I would expect
to answer given the fullness of time. :winky:

At present I am not sure if my host provides SSL certificates.

I would like to point out, though, that my site should really
be considered as more of a repository than a site. :wonky:

coothead


#7

I have no strong feelings either way, you should just consider me
to be the messenger boy as far as this thread is concerned. :winky:

coothead


#8

I use the free https service and it works quite well.

Edit:

If you do not have access to the Apache command prompt, try asking your service provider to set it up.


#9

When cPanel was updated late last year, all my sites had an https address added automatically.

I am not that happy that Google are forcing people into https but it just means I have another URL option to reach my site!


#10

This is a welcome change to be honest. There's no reason not to use SSL these days. With Let's Encrypt it's easy and you just set it up once and leave it going. It's not like you even have to renew it and manually update the certificate each year any more.

There is one downside to SSL: it gives the illusion of security. People will be on a malicious site which uses HTTPS, see the padlock and assume it's legit. However, that's a small trade-off compared with the benefits.


#11

And not necessarily malicious ones, there are enough innocent but naive coders out there who unknowingly leave security holes wide open.

I'm interested to know how easy it is now. When I last looked at it I recall getting quite confused by it and shelving the idea. It's probably like many things: it's easy when you know how.


#12

I had a few issues with the software when I set it up on my website over a year ago. It was due to my customised nginx configuration. However, I recently set it up on another website with a more conventional configuration and it just worked.

It was literally a matter of installing the packages and then running certbot --nginx, and it did it all for me. It generated the certificates, validated my domain and even updated the nginx configuration. I had to manually set up the systemd unit to make it auto-renew. It's odd this isn't included as part of the package but it's only a matter of pasting some text into the unit file.


#13

You have to be aware of "mixed content". For instance, on one site I was using Google Maps and Google Ads. This caused an error but it was just a matter of changing the links from http to https.

Some other sites you may be linking to may not have an https version of their site/code.


#14

I just wish they wouldn't confuse encryption with authenticity.

If the higher-ups want web connections to be secure, why not just bake basic encryption into HTTP? Granted, this would provide no authenticity, but it would provide encryption. Think self-signed certificates without the scary warning.

I'm all for securing things and providing security. But I just don't know if this certificate and certification validation requirement is the right path.

