Posts Tagged ‘tls’

HSTS enabled!

Friday, June 19th, 2015

Hey everyone!

As noted in my previous post, I’ve finally switched my domain to HTTPS. I was reluctant to enable HSTS (HTTP Strict Transport Security) at first but after looking at this talk, I’ve decided to just go with the flow and enable it on CloudFlare:

[Image: hsts]

Basically it means that, as of right now, you’ll always use HTTPS when visiting my website, even if you try and visit the old HTTP URL. This will occur not only because my Apache server is configured to automatically redirect you to the HTTPS version, but because your browser will automatically go to the HTTPS URL. Why will it do that? Because my site is now sending the HSTS HTTP header:

strict-transport-security:max-age=15552000; includeSubDomains; preload

Basically that header tells your browser: this is an HTTPS-enabled website, always use HTTPS if you come back here, and do this for this domain and all sub-domains for the next six months.

For now, as my site isn’t in the browsers’ HSTS preload list yet (I’ve just submitted it), you may visit this site once more using plain HTTP, but as soon as your browser sees the HSTS HTTP header it’ll remember to always switch to HTTPS.
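To see what a browser actually extracts from that header, here is an added example (my own code, not something from the post or from CloudFlare) that parses a Strict-Transport-Security value per RFC 6797 and flags the mistakes that most often bite people: a missing includeSubDomains, max-age=0, or asking for preload with a max-age that the preload list will reject. The one-year minimum is the current hstspreload.org requirement (the threshold was lower when the post was written, so treat the constant as an assumption that may change); the header values fed to it are the one shown above plus constructed variants.

```python
"""Parse a Strict-Transport-Security header and flag common mistakes.

Added example, not code from the post. It parses the directives carried by
the header shown above (per RFC 6797) and checks the values against the
HSTS preload submission rules; the one-year minimum is the current
hstspreload.org requirement (assumption: the rule may change over time).
"""

PRELOAD_MIN_MAX_AGE = 365 * 24 * 3600   # 31536000 s: hstspreload.org minimum today


def parse_hsts(value):
    """Return {directive-name: value} for an STS header value.

    Names are case-insensitive; max-age becomes an int. RFC 6797 says a
    duplicated directive or a missing max-age makes the header invalid, so
    those raise ValueError instead of being silently accepted.
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, has_value, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        if name == "max-age":
            digits = val.strip().strip('"') if has_value else ""
            if not digits.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(digits)
        else:
            directives[name] = val.strip().strip('"') if has_value else True
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    return directives


def check_hsts(value):
    """Return a list of findings; an empty list means the policy looks sound."""
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return ["invalid header: %s" % e]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if "preload" in d:
        if d["max-age"] < PRELOAD_MIN_MAX_AGE:
            findings.append("preload requested but max-age %d is below the %d minimum"
                            % (d["max-age"], PRELOAD_MIN_MAX_AGE))
        if "includesubdomains" not in d:
            findings.append("preload requires includeSubDomains")
    return findings


if __name__ == "__main__":
    # The header from the post: 15552000 s is 180 days.
    for finding in check_hsts("max-age=15552000; includeSubDomains; preload"):
        print("finding:", finding)
```

Run against the post’s own header, the only finding is that 180 days is below the one-year preload minimum that applies today; bump max-age to 31536000 and the list comes back empty. Keep in mind that the policy is only ever learned over a trusted HTTPS response, so the parser is useful for checking what you serve, not for deciding whether a visitor has seen it yet.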

Why does HSTS matter? Because it will protect YOU against man-in-the-middle attacks. Not that this website is sensitive in any way, but as a good Web citizen I have to do what I can, right? ;-)

I was hesitant to enable this because I’ve just signed up with CloudFlare, and if they decide to drop their free subscription plan I’ll be forced to find either another similar solution or buy a certificate that I can install on my web host; in my case OVH doesn’t allow importing third-party certificates and charges about 50€ per year for that (which is wayyyyyyyy too much for a personal website).

The bet that I’m making by enabling HSTS now is simply that the free subscription model of CloudFlare will remain available for at least 2-3 years (hopefully much longer) and that in the meantime, given how major players such as Mozilla and Google are pushing for HTTPS everywhere, the overall accessibility/affordability of HTTPS for personal websites will have improved. If I’m wrong, well, then I’ll either pay if you show me enough love or shut this thing down ;-)


HTTPS everywhere

Thursday, June 18th, 2015

TL;DR CloudFlare is awesome, but don’t underestimate the effort required to fully switch your site to HTTPS

About time… That’s what I keep telling myself; my site won’t be considered insecure by default :)

I’ve finally switched this site to HTTPS and I must say that CloudFlare has made this extremely easy, straightforward and fast.

Now I’ll be able to have fun with Service Workers and other modern Web goodies that require HTTPS.

Here’s what I had to do in order to get the holy green padlock.

First I had to create a (FREE) account on CloudFlare. Once my account was created I entered the domain that I wanted to add and CloudFlare went about finding all the DNS zone entries it could find. That took about a minute and the result was correct.

Next, I had to modify my domain’s DNS zone name servers to replace the OVH ones with CloudFlare’s. It didn’t take long for the switch to actually take place. DNS replication ain’t the fastest of things.

And bam, done... or almost.


As I like tweaking stuff, I had to check out all the features provided by CloudFlare, and the least I can say is that the feature list included in the free tier is just plain impressive!

Here’s what I’ve enabled:

  • SSL w/ SPDY: SSL between clients and CloudFlare as well as between CloudFlare and OVH (although the certificate presented by OVH isn’t trusted, it’s still better than nothing)
  • IP firewall: basic but nice given the price :p
  • Automatic minification of JS/CSS/HTML assets
  • Caching
  • Always online: awesome, they’ll continue to serve my static content even if the site goes down
  • A few other nice things

They also provide ways to purge their cached data and to enable a Dev mode that gives access to up-to-date resources, etc.

In the future, if I’m convinced that I can keep my site HTTPS-enabled for long, then I’ll also enable HSTS.

I might also give their Rocket Loader feature a try…


Enabling HTTPS for my site is only the first part of the story; there were other changes I needed to make in order to get the almighty green padlock (TM).

I first needed to make sure that my visitors (you guys) visited the site using HTTPS, so I’ve updated my .htaccess file accordingly:

...

RewriteEngine On

# 2015-06-18 - Automatic redirection to https now that CloudFlare is enabled
RewriteCond %{HTTPS} off
# rewrite to HTTPS
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# rewrite any request to the wrong domain to use www.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

...

With this, I have an automatic HTTP to HTTPS redirection. Of course that isn’t going to protect you from MITM attacks, but I’m not ready to enable HSTS just yet.
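The two rule blocks above interact in a way that is easy to miss, so here is an added example (my own code, not from the post) that traces what mod_rewrite does to a request under exactly those two rules. Each RewriteCond guards only the RewriteRule that follows it, and [L,R=301] answers with an external redirect, so a plain-HTTP request to the bare domain is sent around twice before it lands on https://www. The domain names are made up, and the https_at_origin switch is my addition to show the failure mode when the origin never sees HTTPS.

```python
"""Trace what the two RewriteRule blocks above do to a request.

Added example, not the post's own code. It models only the behaviour of
those two rules: each RewriteCond guards the RewriteRule right after it,
and [L,R=301] answers the client with an external redirect, so the browser
issues a fresh request for each hop. The domain names used are made up.
"""
from urllib.parse import urlsplit, urlunsplit

MAX_HOPS = 5


def rewrite_once(url, https_at_origin=None):
    """Return the 301 target for one request, or None when no rule fires.

    https_at_origin overrides what %{HTTPS} would be on the origin server;
    None means "derive it from the URL scheme", which is what the post's
    full CloudFlare-to-OVH TLS setup gives you.
    """
    parts = urlsplit(url)
    https_on = parts.scheme == "https" if https_at_origin is None else https_at_origin
    # RewriteCond %{HTTPS} off
    # RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # (the query string is carried over by mod_rewrite unless QSD is given)
    if not https_on:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
    # RewriteCond %{HTTP_HOST} !^www\.
    # RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    if not parts.netloc.startswith("www."):
        return urlunsplit(("https", "www." + parts.netloc, parts.path, parts.query, ""))
    return None


def follow(url, https_at_origin=None):
    """Follow the redirects as a browser would and return every hop, start included."""
    hops = [url]
    for _ in range(MAX_HOPS):
        target = rewrite_once(hops[-1], https_at_origin)
        if target is None:
            return hops
        hops.append(target)
    raise RuntimeError("redirect loop: " + " -> ".join(hops))


def loops(url, https_at_origin=None):
    """True when the rules never settle, e.g. when the origin never sees HTTPS."""
    try:
        follow(url, https_at_origin)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(" -> ".join(follow("http://example.org/blog/?p=1")))
```

Two things worth noting from the trace: a request for http://example.org/ costs the visitor two round trips (first to https://example.org/, then to https://www.example.org/), which one rule that rewrites straight to the https://www. form would avoid; and if the CDN terminated TLS but talked plain HTTP to the origin, the origin would see %{HTTPS} off on every request and the first rule would redirect forever, which is the redirect loop the loops() helper reproduces. The post’s setup encrypts the CloudFlare-to-OVH leg as well, so it does not hit that case.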


Next I had to update my WordPress configuration to ensure that all generated links use HTTPS (WordPress address & Site address URL).

This fixed a few issues with mixed content but not all of them. I had to go through all my template’s files to ensure that I was using HTTPS everywhere; for example, I had hardcoded the URL of my FeedBurner RSS feed.


I also noticed that I was still getting errors in the console about mixed content and indeed my site was retrieving some resources using plain HTTP from other domains.

In order to fix this, I had to

  • use my very rusty SQL-fu to replace http by https at all the places where it made sense in my posts (e.g., links to Google Photo images, links to my own site, etc.)
  • modify one of my WordPress extensions to retrieve its scripts from Google’s CDN using HTTPS
  • get rid of an extension that was using iframes and swf objects and displayed warnings if Flash was missing (oh god...) =)

I also took the opportunity to configure CORS, also through my .htaccess:

...

RewriteEngine On
# mod_headers syntax is "Header set <name> <value>": no colon after the header name
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT"

...

And now, just look at this beauty:

[Image: Green beauty]