13 Sep 2016 benad   » (Apprentice)

HTTPS, the New Standard

The “web” used to be simple. A simple plain-text protocol (HTTP) and a simple plain-text markup format (HTML). Sadly, after 20 years, things are not as simple anymore.

Nowadays, it is commonplace for ISPs to inject either “customer communications” or downright advertisement into unencrypted HTTP communications. Using web sites from an unencrypted or “open” WiFi is often a vector for a malicious user to inject viruses into any web page, let alone steal passwords and login tokens from popular web sites. On a larger scale, governments now have the capability to do deep packet inspection to systematically either censor or keep a record of all web traffic.

So, indirectly, my simple, unencrypted web site can become dangerous.

Buying an SSL certificate (actually TLS) used to be something both expensive and difficult to set up. Now with the help of “Let’s Encrypt”, any web site can be set up to use HTTPS, for free. Sure, the certificate merely says that HTTPS traffic came from the real web site, but that’s good enough. And for a personal web site, there is limited value in buying one of those expensive “Extended Validation” certificates.

This is why my web site is now using HTTPS. In fact, HTTPS only, though by doing so I’ve had to cut off browsers like Internet Explorer 6, since they do not support secure cryptographic algorithms anymore. It breaks my rule of graceful degradation, but ultimately the security of people that visit my web site is more important than supporting their 15-year old web browser.

What is sad with this though is that as older cryptographic algorithms become obsolete, so too are machines too old to support the new algorithms, let alone those “Internet appliances” that aren’t supported anymore. This means that, unlike the original idea of simple, plain-text protocols, web browsers have to be at most a decade old to be usable.

And still, HTTP with TLS 1.2 is merely “good enough”. There are simply too many root certificates installed in our systems, with many from states that could hijack secure connections to popular site by maliciously create their own certificates for them. HTTP/2 is a nice update, but pales to modern techniques used in QUIC. Considering that even today only a fraction of the Internet is using IPv6, it may take another decade before QUIC becomes commonplace, let alone HTTP/2.

For now, enjoy the green lock displayed on my web site!

Implementation Notes

The site Cipherli.st is an excellent starting point to configure your web server for maximum security. I also used the Qualys SSL Labs SSL test service to verify that my server has the highest security grade (A+).

I was also tempted to move from Apache to Caddy, as Caddy supports HTTP/2, QUIC and even Hugo (what I use for the blog section of this site), but then I remembered that I specifically chose Apache on Debian for its long-term, worry-free security updates, compared to a bleeding edge web server.

Syndicated 2016-09-13 01:15:00 from Benad's Blog

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!