“A nearly impenetrable thicket of geekitude…”

Always HTTPS

Posted on February 9, 2018 at 07:45

This site is going all-HTTPS, all the time. Read on for background and details.

[2018-03-11: HSTS implemented with max-age=1800, i.e., 30 minutes.]

[2018-04-16: HSTS implemented with max-age=31536000, i.e., one year.]

For some years there has been a push towards “encrypting the web”, with every browser connection protected by some form of transport security. It’s common to refer to connections using the https:// scheme as “secure” regardless of any other considerations.

That terminology is annoyingly imprecise, but in a world where ISPs frequently inject advertising material into unprotected HTTP connections, and where advertising networks carry malware such as cryptocurrency miners, the additional protection seems like a no-brainer. I don’t run advertising here, but those two issues together make this something I’m concerned with on your behalf.

The arrival of the Let’s Encrypt certificate authority and its integration by my hosting provider made it easy to set this up in early 2016, but the majority of my traffic has continued to come through http:// rather than https:// connections.

My intention has always been to migrate fully to HTTPS. Now that the conversion to Nanoc is complete, and with Google’s confirmation of their earlier plans to start labelling non-HTTPS connections as “insecure” from July 2018, I took the next step in that direction yesterday (on 2018-02-08) by redirecting all http:// accesses to https://.

Simply redirecting everything doesn’t completely protect visitors, because a “man in the middle” such as an ISP can still tamper with the unprotected initial http:// request: it can inject material that prevents the redirection, or perform an SSL stripping attack that keeps the visitor on plain HTTP while talking HTTPS to the server itself. I’m therefore planning to deploy the HSTS (HTTP Strict Transport Security) mechanism here over the next few months.

The idea of HSTS is that once you have visited a site over HTTPS, the site itself is in a position to tell your browser that it should always be visited that way. The notification includes a time (max-age) during which the browser should regard that policy as being in force, so the policy can be reverted if necessary, but only after a significant delay. In a month or so, after the initial redirect scheme has settled down, I will enable HSTS with a short max-age for some period before finally settling on a long-term configuration.
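The two checks a site owner wants after a change like this are (a) that plain-http:// requests really are answered with a permanent redirect to the same page over https://, and (b) that the Strict-Transport-Security header the https:// side sends is one a browser will actually honour, with the max-age at the intended rollout stage. The Python below is an added example written for this post, not code from the site or its hosting provider; it runs offline against constructed responses (the example.com URLs and the responses are made up), parses the header by the rules of RFC 6797, and the 24-hour threshold separating a “trial” policy from a “long-term” one is an arbitrary choice for illustration.

```python
"""Offline checks for an HTTP->HTTPS redirect and an HSTS policy (added example)."""
from urllib.parse import urlsplit

# Constructed sample responses as (status, headers); no network access is used.
HTTP_RESPONSE = (301, {"Location": "https://example.com/always-https/"})
HTTPS_RESPONSE_SHORT = (200, {"Strict-Transport-Security": "max-age=1800"})
HTTPS_RESPONSE_LONG = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

TRIAL_LIMIT_SECONDS = 86400  # assumption: below one day counts as a trial policy


def redirect_is_safe(requested_url, status, headers):
    """True when a plain-HTTP request got a *permanent* redirect to the same
    host and path over https://. Temporary redirects (302/307) are rejected
    because browsers and caches do not remember them."""
    if status not in (301, 308):
        return False
    location = headers.get("Location")
    if location is None:
        return False
    req, target = urlsplit(requested_url), urlsplit(location)
    return (target.scheme == "https"
            and target.netloc.lower() == req.netloc.lower()
            and target.path == req.path)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the value is malformed and a browser would ignore it
    (missing max-age, non-numeric max-age, or a directive given twice).
    Unknown directives are ignored, as the RFC requires."""
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # max-age may be a quoted string
        if name in seen:
            return None                      # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None                          # max-age is mandatory
    return policy


def hsts_stage(policy):
    """Classify a parsed policy against the rollout described in the post:
    a short max-age first, then a long-term one; max-age=0 tells browsers
    to forget the policy, which is how HSTS is reverted."""
    if policy is None:
        return "missing-or-invalid"
    if policy["max_age"] == 0:
        return "revoked"
    if policy["max_age"] < TRIAL_LIMIT_SECONDS:
        return "trial"
    return "long-term"


if __name__ == "__main__":
    url = "http://example.com/always-https/"
    print("redirect ok:", redirect_is_safe(url, *HTTP_RESPONSE))
    for status, headers in (HTTPS_RESPONSE_SHORT, HTTPS_RESPONSE_LONG):
        policy = parse_hsts(headers["Strict-Transport-Security"])
        print(policy, "->", hsts_stage(policy))
```

Running the script prints that the constructed redirect is acceptable, that max-age=1800 parses as a trial policy, and that max-age=31536000 with includeSubDomains parses as a long-term one. Against a real site the same functions would be fed the status and headers from an actual request to the http:// and https:// URLs.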