Secure protocols: now available for small fry
Eagle-eyed readers of my Spanish-language blog will have noticed that, like Medium, my own website now has a little green padlock up in the top left hand corner, followed by the letters HTTPS, meaning it is a secure protocol for data transfer.
I have been giving a lot of thought to encrypting my since I attended a talk at the Google I/O in 2014 called HTTPS Everywhere given by Pierre Far and Ilya Grigorik, two Google engineers. Here’s a link to the video. It will take 45 minutes out of your life, but I believe it will be time well spent, particularly if you manage a web page.
Using secure encrypted protocols for all connections and pages, even those that have nothing to do with financial transaction or credit card details, not only makes a great deal of sense, but could be particularly important now that Google has started to use HTTPS as a ranking signal. This has been explained on a number of places, but what it shows in the case of people like me is that aside from protecting the information on my page (in which users introduce just name, email address, a web address, a comment and pretty much nothing else), it’s not a bad idea to be tight with Google over what I am sure is increasingly important.
There’s another reason for going down the encryption road: the transition to HTTP/2. Although in theory the standard doesn’t require encryption, Firefox, Chrome, Safari, Opera, Internet Explorer and Edge, for example, have said they will only support HTTP/2 via encrypted protocols, which means that the move to HTTPS is, to all intents and purposes, obligatory for those of us who want to reap the benefits of the new standard.
Until recently, the problem minor league sites like mine had if they wanted to convert to HTTPS was the cost and the complications involved: it required taking a series a relatively complex steps, along with giving money to a certificate authority, a market controlled by four main players: Comodo, Symantec, GoDaddy and GlobalSign.
But the arrival of a new actor, Let’s Encrypt, has changed things: a certification authority still in beta mode created by the Internet Security Research Group, a not-for-profit organization created by the Electronic Frontier Foundation (EFF), the Mozilla Foundation, Cisco, Akamai, along with Stanford and Michigan universities, that aims to make secure connections the norm by making them easier to use and providing free certificates. Let’s Encrypt is one of those interesting initiatives that can create disruption throughout the industries, a topic I usually cover in my page.
As a certificate authority, Let’s Encrypt only offers domain validation, not extended validation certificates, or for organizations (those require checking the company’s articles of incorporation) and it is becoming a genuine move toward the democratization of SSL certificates, something really radical: the activity statistics are insane, to the point that between September 2015 and March 2016, some 900,000 certificates were issued.
This has even prompted rivals like GoDaddy and NameCheap to try to discredit Let’s Encrypt with FUD tactics aimed at bamboozling the public. From a practical point of view, using Let’s Encrypt is a pleasure: simple, automated, with two ways of checking domain rights, and it can automatically renew certificates every 90 days. If anything is going to help spur the development of HTTPS it is this kind initiative.
Obviously, if a page has the HTTPS padlock on it, all this means is that traffic with readers takes place via a cyphered channel. It doesn’t stop anybody from trying to create a bogus page to capture information, or to use their certificate to trick the unwary, or to request information that although it has been transmitted in an encrypted format could be used maliciously, or to gain access to a page’s directory and then generate a valid certificate for another domain that could then be used for criminal activity.
My friends at Blogestudio here in Spain who help me with the design and maintenance of my page in Spanish, set up the process of moving to HTTPS, something that will obviously require a few adjustments to things like SEO and web analysis. I apologize to my Spanish readers if you have experienced any problems trying to access my page. Somebody commented about it on Twitter, and we’re looking into it: it seems that the security certificates have some problems in Windows XP when using browsers other than Firefox, a difficult issue considering that Windows XP support is being discontinued for most products (right now, just a 2% of my readers use Windows XP, probably most of them forced by archaic corporate software directives), but that seems to be pretty much it. Besides that, all the validations seem to be working, but if anybody has a problem, I would be very grateful for detailed feedback.
(En español, aquí)