HTTPS
Inspired by Google’s recent decision to boost the ranking of HTTPS sites, and because it’s something I’ve been meaning to do for a while (and also because it’s generally the right thing to do), I’ve just moved this blog to serve via HTTPS.
I pretty much just walked through this set of instructions from Eric Mill, using the SSL configuration from Mozilla’s OpSec team (seriously, don’t try to do this bit yourself: the folks at Mozilla know what they’re doing). All told, it only took a couple of hours.
Like Eric, I also got my free certificate from StartSSL; they seem reasonable enough at the moment, and I can always change later if I feel like it.
Other than needing to switch to a protocol-relative URL for Google Web Fonts, the site worked first time (though it helps that it’s fairly simple: all the odd stuff got left behind when I split the serving of this blog to a Google Compute Engine instance).
However, unlike Tim, I didn’t keep the HTTP version of the
site around: all http://
URLs now result in a 301 to the HTTPS
equivalent1. I haven’t yet enabled HSTS to pin the site to
HTTPS, but I’ll probably do so in a week or so, once I’ve checked to see if
any problems turn up.
I’m also not entirely concerned about backward-compatibility with old clients (I used the Non-Backward Compatible Ciphersuite list, for example). I was originally planning to only enable TLS 1.2, but it turns out that I do still care about some older clients (no, not Windows XP): GoogleBot and pre-KitKat versions of Android (presumably the Android browser rather than Chrome-on-Android), which only support TLS 1.02. In the end, I only ended up disabling SSL2 and SSL3.
Once I’d tested the site, the only thing I needed to do was to register the HTTPS URL in Google Webmaster Tools, and update a few incoming redirects to avoid long redirect chains.
I also found the following sites useful:
- Qualys SSL Server Test, an excellent resource for testing SSL installations.
- Is TLS Fast Yet?, a collection of some other useful tips for SSL/TLS.
In summary: for many sites, enabling HTTPS is pretty trivial. If you’re making a new site, consider making it HTTPS-only.
-
Except for
robots.txt
, which serves the content directly. I’m not sure if that’s actually important, but it seemed like robots might not want to follow redirects to fetchrobots.txt
, even if they would for the other content. ↩ -
In addition, the version of
curl
I have on my desktop only supports TLS 1.1, so I would have at least wanted to enable that. ↩