SSL Best Practices
March 15, 2018 11:01 AM Subscribe
Is it best to force all browsers to https or allow the client to decide? Any other considerations I should take into account when moving my domains to SSL are welcome.
I like simplification. I've been using an htaccess file for over a decade to redirect traffic from http://www.example.com to http://example.com. My hosting company (pair.com if it matters) is now offering "Let's Encrypt" certificates. I've enabled this on a couple of my sandbox or hobby domains, but I want to make sure I don't screw anything up on my primary websites.
Other than turning it on, is there anything I need to worry about? Are there browsers in use that don't support SSL (and should I care if so?). I try to ensure my sites are as responsive and as accessible as possible. I don't want to alienate anyone.
None of my sites have user based accounts, so I'm the only one that accesses the backends.
I primarily use Grav, or ExpressionEngine, but I also have a Drupal install, and a Statamic site.
I'm trying to get back into playing with web-based projects (after about a decade hiatus). All my sites are personal sites, and I am a one-man show, so I would still put my understanding of web-tech at an intermediate level at best.
Best answer: After LetsEncrypt arrived on the scene I started redirecting all of my sites from http to https, and there's really no reason not to always force https. All current browsers can handle https.
posted by rhizome at 11:35 AM on March 15, 2018 [1 favorite]
Best answer: You should force an HTTPS connection. Firefox has already made (and Chrome will soon make) UI changes to highlight HTTP's non-security to users. And even though users don't log in to your sites, HTTPS ensures that your website is unmodified in any way from how it exists in your server (i.e. prevents an attacker / ISP from injecting malicious code or changing the content of your site). Also, presumably you log in to your own CMS?
Also, you should not care about browsers that don't support it (if IE7 supports a thing, you're probably safe...).
I just did a similar host-provided encryption solution (I have Bluehost). Except for some mixed content errors it all went smoothly (for example, I had some old blog posts that loaded images with HTTP absolute urls. A quick find/replace solved that).
posted by mustardayonnaise at 11:42 AM on March 15, 2018
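As an added example (not code from the original thread, nor from any of the CMSes mentioned): a scanner for the mixed-content problem described in the answer above, run over a constructed page. It flags only resource loads (img, script, link, iframe, CSS url()), not plain <a href> links, which are not mixed content; it then rewrites absolute http:// references to the site's own host (example.com is an assumed name) as root-relative paths, and leaves third-party http:// URLs alone because those need a manual check that the other host actually serves https.

```python
"""Find and fix mixed content in HTML that will be served over HTTPS.

Added example, not from the original thread. The site host (example.com)
and the sample page are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Attributes through which a browser *loads* a sub-resource. A plain <a href>
# pointing at http:// is a navigation, not mixed content, so it is not listed.
LOADING_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("video", "src"),
    ("audio", "src"), ("source", "src"), ("link", "href"), ("object", "data"),
    ("embed", "src"),
}

# url(http://...) inside a <style> block or a style="" attribute.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?(http://[^'\")]+)", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []  # (tag, attribute, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in LOADING_ATTRS and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))
            if name == "style":
                for url in CSS_URL_RE.findall(value):
                    self.findings.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self.findings.append(("style", "css", url))


def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    """Return every sub-resource load that uses a plain http:// URL."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_same_host(html: str, host: str) -> str:
    """Turn http://host/... (and http://www.host/...) into root-relative
    paths, so the page works under either scheme. Other hosts are untouched."""
    pattern = re.compile(
        r"http://(?:www\.)?" + re.escape(host) + r"(?:/|(?=[\"'\s)>]|$))",
        re.IGNORECASE,
    )
    return pattern.sub("/", html)


# Constructed sample page: three same-host loads, one third-party load,
# one plain link (not mixed content) and one already-relative image.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<style>body { background: url(http://example.com/bg.png); }</style>
</head><body>
<img src="http://example.com/images/logo.png">
<script src="http://cdn.thirdparty.example/lib.js"></script>
<a href="http://example.com/about">About</a>
<img src="/images/ok.png">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
    fixed = rewrite_same_host(SAMPLE_HTML, "example.com")
    print("left for manual review:", find_mixed_content(fixed))
```

The find/replace the answer mentions is the rewrite_same_host step; the scanner is the check to run afterwards, because a third-party http:// script or stylesheet is still blocked by the browser on an https page and has to be switched to an https source or dropped.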
Response by poster: Thanks for all the reassurances and answers.
Grav and Statamic are flatfile CMSes, so I generally don't log into the backend. I manage everything through text files and SSH. EE and Drupal I do log into the backend. I was partially afraid my current overrides would be harmed by going https only or that some browsers would fail. Sounds like as long as I use relative linking internally, I should be good to go.
posted by cjorgensen at 12:17 PM on March 15, 2018
The SSL generator tool is your friend: (use the "Modern" settings)
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Best practices:
-TLSv1.2 and higher only.
-Use HSTS
-Use SHA256 not SHA based ciphers.
-do NOT use DES or 3DES based ciphers.
-use PFS when possible.
posted by evilmonk at 3:31 PM on March 15, 2018
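An added example (not from the thread, and not the generator's output): the list above expressed as a Python ssl.SSLContext, with an audit over the suites the context actually enables. Cipher names come from the OpenSSL that Python is built against, so the exact list varies between machines; the certificate paths are placeholders for wherever the host puts the Let's Encrypt files.

```python
"""Server-side TLS policy: TLS 1.2+, forward secrecy, AEAD suites only.

Added example, not from the original thread. Uses the standard ssl module;
certificate paths are placeholders.
"""
import ssl

# Positive selection: ECDHE key exchange (forward secrecy) with AEAD ciphers.
# RSA key exchange, CBC + HMAC-SHA1 suites, 3DES and RC4 are simply not
# selected; the "!" entries are belt-and-braces.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!3DES"


def make_server_context(certfile=None, keyfile=None):
    """Build a server context that refuses SSLv3/TLS 1.0/TLS 1.1 and only
    offers PFS + AEAD suites for TLS 1.2 (TLS 1.3 suites are fixed by OpenSSL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)
    if certfile:  # placeholder: e.g. the host-provided fullchain.pem / privkey.pem
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_ciphers(cipher_infos):
    """Check a list of cipher descriptions (the dicts SSLContext.get_ciphers()
    returns) against the policy. Returns [(name, reason), ...] for violations."""
    violations = []
    for c in cipher_infos:
        if c.get("protocol") != "TLSv1.2":
            continue  # TLS 1.3 suites are all AEAD with ephemeral key exchange
        name = c["name"]
        problems = []
        if not name.startswith(("ECDHE-", "DHE-")):
            problems.append("no PFS")
        if not c.get("aead"):
            problems.append("not AEAD (CBC + HMAC, e.g. SHA-1)")
        if "3DES" in name or "DES-CBC3" in name or "RC4" in name:
            problems.append("weak cipher")
        if problems:
            violations.append((name, ", ".join(problems)))
    return violations


if __name__ == "__main__":
    ctx = make_server_context()
    print("minimum version:", ctx.minimum_version.name)
    for c in ctx.get_ciphers():
        print(f"{c['protocol']:8} {c['name']}")
    print("policy violations:", audit_ciphers(ctx.get_ciphers()))
```

The audit is the useful part when the configuration lives in .htaccess or the host's control panel rather than in code: feed it whatever the server reports as enabled and anything with RSA key exchange, a CBC/HMAC-SHA1 construction, or 3DES shows up by name.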
Nthing force SSL. It's better for SEO, obviously more secure and browsers are going to start flagging unencrypted sites. There's no downside here.
posted by cnc at 2:05 PM on March 16, 2018
What I do is I bounce all http://website.com/(.*) traffic to https://website.com/(.*) traffic with a 301 redirect in htaccess or IIS. All modern web browsers support https, and if the browsers don't it's sorta their fault for disabling or defeating https, encryption is there for a reason.
Https is part of the negotiation between the webserver and the web browser; what kind of website you have or website framework won't matter. All it's doing is encrypting the website's output so the browser can decrypt it, everything else your website does should be transparent to the user.
And, I believe, Google and other search engines give extra points for having an all-https website, so there's really no downside as long as you have the capability to get it set up properly (which it sounds like your host is happy to do.)
posted by AzraelBrown at 11:35 AM on March 15, 2018
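The 301 bounce described in the answer above, written out as WSGI middleware (an added example, not from the thread, which does it with an .htaccess rule). It preserves path and query string, always redirects to one canonical host (example.com is an assumption; this also folds the www-to-apex redirect the poster already has into the same hop), recognises a TLS-terminating proxy via X-Forwarded-Proto, and sets the HSTS header only on https responses, since browsers ignore it on plain http. The max-age value is an assumption.

```python
"""Force HTTPS with a 301 and add HSTS, as WSGI middleware.

Added example, not from the original thread. Canonical host and HSTS
max-age are assumptions; sample request environments are constructed.
"""
from urllib.parse import quote

HSTS_MAX_AGE = 63072000  # two years (assumed); HSTS is only honoured over https


def is_https(environ):
    # Behind a TLS-terminating proxy wsgi.url_scheme is often "http" even
    # though the client used https. Trust X-Forwarded-Proto only if your
    # proxy overwrites it; otherwise a client could spoof it to skip the redirect.
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO") == "https")


def redirect_location(environ, canonical_host):
    """https://<canonical host><same path>?<same query>."""
    path = quote(environ.get("PATH_INFO") or "/")   # PATH_INFO is decoded; re-encode for the URL
    query = environ.get("QUERY_STRING", "")
    return f"https://{canonical_host}{path}" + (f"?{query}" if query else "")


class ForceHTTPS:
    def __init__(self, app, canonical_host, hsts_max_age=HSTS_MAX_AGE):
        self.app = app
        self.canonical_host = canonical_host
        self.hsts_value = f"max-age={hsts_max_age}; includeSubDomains"

    def __call__(self, environ, start_response):
        if not is_https(environ):
            location = redirect_location(environ, self.canonical_host)
            # No HSTS header here: it would be ignored on an http response.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Type", "text/plain")])
            return [b"Redirecting to " + location.encode()]

        def hsts_start_response(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def call_app(app, environ):
    """Invoke a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


if __name__ == "__main__":
    app = ForceHTTPS(hello_app, "example.com")
    http_req = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com",
                "PATH_INFO": "/blog/post 1", "QUERY_STRING": "a=1&b=2"}
    print(call_app(app, http_req)[:2])
    https_req = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
                 "PATH_INFO": "/", "QUERY_STRING": ""}
    print(call_app(app, https_req)[:2])
```

Two caveats worth knowing before turning HSTS on for a real domain: once a browser has seen the header it will refuse plain http to that host for max-age seconds, so start with a short value (a few minutes) until the https version is confirmed working everywhere, and if the site is ever to be submitted to the browser preload list, the http://www host must first redirect to https on the same host before going to the apex.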