Blog now using HTTPS/TLS secure web by default
Boring administrative announcement: In a move long overdue for me, access to this blog and my other large sites will now be exclusively through "https" (ie. encrypted web.)
I set up this, of course, using the great tool Let's Encrypt which was created with support from the EFF. This project and the tools around it take a big step towards making the internet encrypted by default. Let me know if you experience any problems. But then I guess you aren't reading this if you are. Oh well!
- For decades, it was painful and expensive to get the certificates needed to secure connections to a site. You typically had to pay a small set of companies, usually every year. Now a trusted certificate can be created automatically and for free.
- While you could in the past use self-signed certificates, a serious error was made in browser design, causing the browser to complain far more loudly about the use of a self-signed certificate than about connecting completely insecurely. Because of this, few people used it.
- It's also been a lot of work to configure web servers and e-mail tools to use TLS, and in fact today it's still too hard, but tools like certbot have automated a fair bit of that process.
- In the very earliest days, encryption was considered legally a munition that needed a licence to export. So most web tools were built without it, or using a useless insecure form of it. In the end, it made people decide it was just too much work. The EFF and others fought to get this encryption requirement removed, but the damage had been done, and the web would remain unencrypted for decades.
Technically, we worked out how to have an encrypted web in the 1990s. Due to the factors above, we are just starting to get a decent fraction of the web secure from prying eyes. Amazing when so many of us use the internet over insecure or public wifi connections and other such links. Even today a lot of the web is still in the clear.
Just not my sites. Nor, I hope, yours, after you read this and you go to get the tools. Because the protocols are so old, all browsers now support it, and places like Google even encourage it. Do it.