Moving to https

Unless something has gone horribly wrong, you’re reading this on a secure ‘https’ (SSL) connection — the content of the website is encrypted on its way to (and from) your PC.

Until even a couple of years ago, moving from an insecure ‘http’ to an ‘https’ connection would have involved considerable difficulty and at least some expense given I’m on a shared hosting platform (HostPresto). But today, it took me about fifteen minutes.

The bulk of the work revolves around the creation of a private key and certificate pair. I did this through a site called ZeroSSL, which provides a convenient (and free) wrapper around a service called certbot. Certbot is itself the centrepiece of Let’s Encrypt, a revolutionary attempt to provide free certificates to anyone who wants one. Despite being on shared hosting, I was able to verify I owned harryburt.co.uk by uploading two very small text files, and install the resulting key-certificate pair straightforwardly using the SSL/TLS screen:

The only downside of this free approach is that, for a couple of good reasons, the certificate is only valid for 90 days. So I’ll have to keep repeating the above process every 11-12 weeks, or until my host enables the AutoSSL cPanel extension, which would allow me to take advantage of certbot’s automatic renewal feature. Unfortunately, webhosts have historically profited from being a trusted intermediary on certificate purchases, so their incentive to assist in a free auto-renewed system is pretty minimal. But in any case, with the help of ZeroSSL, it’s not too much of a faff to do manually.

The resulting setup earns a solid A- rating from SSLLabs, though, as that test highlights, it does mean that some older browsers (primarily those reliant on Windows XP, or old smartphones) are now unable to visit. To be clear, the A- rating isn’t because of long-winded tinkering; the default settings baked into Let’s Encrypt are just very well chosen.

Finally, I ensured all links within the site were protocol-relative, and redirected visitors to the https:// version of the site with the following .htaccess snippet:
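As an added illustration (this is not the snippet from the original post, which did not survive here), the following is a typical Apache .htaccess redirect that sends every plain-http request to the https version of the same URL. It assumes the host has mod_rewrite enabled and that TLS terminates on the web server itself, so that the HTTPS variable is set:

```apache
# Added example of an http-to-https redirect for Apache .htaccess (not the post's own snippet).
# Assumes mod_rewrite is enabled and TLS terminates on this server.
RewriteEngine On
# Only act on requests that did not arrive over TLS.
RewriteCond %{HTTPS} !=on
# 301 so browsers and search engines remember the https version; L stops further rule processing.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Two checks worth doing after adding it: request the http URL with `curl -I http://harryburt.co.uk/` and confirm a single 301 to the https address, and load the https page to make sure it does not redirect back (a loop is the usual symptom when a hosting proxy terminates TLS in front of Apache, in which case the condition needs to test the X-Forwarded-Proto header instead of HTTPS).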

Note that a Let’s Encrypt certificate doesn’t guarantee that I am who I say I am, which would be important if, for example, I operated a webstore. This kind of guarantee requires organisation verification (or the even more involved process of extended verification), and because doing that requires actual paperwork and manual review, it’s not generally provided as a free service. Something for the future, perhaps.

UPDATE: I originally forgot to change my historic links, including image embeds, or to change my WordPress settings. Ironically this page therefore showed as insecure. Oops.

UPDATE 2: It turns out that DNS validation, required for certbot’s relatively new wildcard support, is also a breeze on cPanel, using the zone editor.

UPDATE 3: SSLLabs now rates this domain as ‘B’ level. This is not due to it being less secure, but rather their decision to start requiring perfect forward secrecy for all ‘A’ grades.
