Now you have no reason not to make your website(s) secure!
Troy Hunt is Microsoft Regional Director and MVP for Developer Security. Online security, technology and “The Cloud”. And he made have I been pwned, an online database/API allowing you to find out if your data has been compromised. Basically he knows his stuff. And he has made ‘HTTPS is easy’.
HTTPSisEasy is a short course showing how to setup https on your website for free. You can do it without the command line, using a free Cloudflare account.
I’ve long been advocating Cloudflare. I currently use it on 6 different sites to provide an extra layer of security and speed, yet I still learnt some new things I could do to improve the security further – specifically regarding HSTS, and HSTS preloading.
I suspect there’s a lot of site owners that don’t see any value in making their site secure. It may well be something you hear from clients. Afterall, if you don’t have a store, or do have any user input, then why should it matter? Here’s 3 reasons why.
- Google use https as a search ranking factor (which likely means other search engines do as well).
- Chrome, is going to start marking http sites as insecure. Again, I imagine other browsers will be doing similar in the future.
- IT PROTECTS YOUR SITE VISITORS AND CONTENT.
I should probably have placed number 3 first. I’ll be honest, it took me a while to understand how my site visitors were at risk since I don’t sell things from my site or accept user data; turns out it’s really obvious. Essentially, https is two way. It protects both the data that users sends to the server (email addresses, and credit card info), and it protects the data that the server sends to the user ensuring it displays as intended.
This recent article from the Tor project looks at a censorship campaign that happened in Egypt last year where 21 sites were ordered to be blocked. The interesting part is towards the bottom of the article:
“Back in 2016, OONI uncovered that state-owned Telecom Egypt was using DPI (or similar networking equipment) to hijack users’ unencrypted HTTP connections and inject redirects to revenue-generating content, such as affiliate ads”
They were hijacking unencrypted websites and changing the content so that they would benefit from it. The only way to ensure the website arrives as intended is to send it as https. When data is sent via http it is susceptible to interception, manipulation, and impersonation. HTTPS guarantees the integrity of the connection between two systems.
So why Cloudflare? Why not something like Let’s Encypt? I’m reasonably technical. I can do some programming, and I use Git, but I am not super comfortable with managing servers, or using the command line. I know enough to get by – but if there’s something easier I can use then I will. Troy has a blog post where he introduces HTTPSisEasy and he explains who he was targeting with the website.
Troy wanted to make his short course accessible to as many people as possible. If you can setup a website on your own hosting, and add a custom domain name, then you can do everything in these videos.
HTTPSisEasy has 4 videos, each around 4:30 long. And the most important one is the first. I watched them on 2x speed, so got through them in about 10 minutes.
However you do it, making your site secure can only be a positive thing. So if you haven’t already – please watch these videos and help make the web better for everyone. While I’m at it – use a VPN as well.