The carrot and the stick

Google pushes web towards more security

It isn’t really news any longer: Google is pushing to secure the web. Just like any parent, they have decided that the carrot isn’t working out quite as planned, and now they are using the stick.

The only stick that really matters in the world of internet searches is the ranking your webpage gets when others try to find you. On top of that, if your webpage is not using HTTPS then Chrome users will see warnings.

Too much technology

It isn’t that I wanted to have an insecure website, but it wasn’t clear exactly how to set up my server to support this. This is despite all the work of the Let's Encrypt project. Their goal is to provide digital certificates to enable web sites to support HTTPS (SSL/TLS) without having to purchase expensive certificates.

My host 1blu.de actually does have support for Let's Encrypt, but for some reason it did not work using this automated method. I decided to give the manual install a try. I can only imagine that over the last six years a considerable amount of work has been done. I downloaded the certbot-auto program for Debian and ran it. It was just about as painless as it could be.

All necessary packages were installed, my (virtual) machine was queried to determine which domains were being hosted on it, and I had the choice of getting a certificate for any of those domains.

Once the upgrade was finished they even provided me a link to test the certificate on my site.

https://www.ssllabs.com/ssltest/analyze.html?d=blog.paranoidprofessor.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.paranoidprofessor.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.paranoidprofessor.com/privkey.pem
   Your cert will expire on 2018-07-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I think that if I had installed Linux on a computer and hooked it up to the internet the process probably would not have been so smooth, but at this point I feel confident it has been considered and would work.
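The certbot output above gives an expiry date and a renewal command, so an expiry check is worth scheduling alongside the renewal. The script below is an added example, not part of certbot or of the original post; the 30-day threshold, the function names and the use of GNU date are assumptions, while the certificate path and the renew command are the ones printed above.

```shell
#!/bin/sh
# Added example: report how close a Let's Encrypt certificate is to expiry.
# Assumes GNU date (for -d) and the openssl command-line tool.
THRESHOLD_DAYS=30   # assumed warning window, not a value from the post

# cert_status "<notAfter string>" <now_epoch> [threshold_days]
# Prints OK, RENEW (inside the warning window), EXPIRED or UNPARSEABLE.
cert_status() {
    end_epoch=$(date -u -d "$1" +%s) || { echo UNPARSEABLE; return 2; }
    left=$(( end_epoch - $2 ))
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -lt $(( ${3:-$THRESHOLD_DAYS} * 86400 )) ]; then
        echo RENEW
    else
        echo OK
    fi
}

# not_after <pem file>
# Prints the expiry date of the first (leaf) certificate in the file,
# e.g. "Jul 26 00:00:00 2018 GMT".
not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Check the path given as the first argument, or the one from the certbot
# output above. Nothing happens if the file is not readable on this machine.
CERT=${1:-/etc/letsencrypt/live/blog.paranoidprofessor.com/fullchain.pem}
if [ -r "$CERT" ]; then
    status=$(cert_status "$(not_after "$CERT")" "$(date -u +%s)")
    echo "$CERT: $status"
    if [ "$status" != OK ]; then
        echo "run 'certbot-auto renew' and check its output" >&2
        exit 1
    fi
fi
```

Run from cron as root (the live directory is not world-readable), a non-zero exit status means the automatic renewal has not happened and needs attention.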

You can choose to enable https on your site for any number of reasons.

  • show off your technical skills
  • build trust that your site is who it says it is
  • to get better rankings with Google
  • make national security agencies work harder

Any of these are legitimate reasons depending on your view. The last choice in the list is only interesting if you are worried that organizations are watching your web browsing. Changing one site over to HTTPS won’t make much difference, as which web site I am visiting will still be visible, but what data is being transferred won’t be. This will also prevent some overeager ISP from injecting advertisements into your pages.

No matter what your reasons, computing power is cheap enough that https is the smart option.
