
Mandatory HTTPS for everyone

Articles Meta Encryption Networking Security Privacy
Author: Daniel Andrlik
Daniel Andrlik lives in the suburbs of Philadelphia. By day he manages product teams. The rest of the time he is a podcast host and producer, writer of speculative fiction, a rabid reader, and a programmer.

These days, encryption in transit is more important than ever. You don't need to look any further than the national news for reasons why. Even small sites that don't offer user accounts or handle any sensitive data should consider it. I was reminded of this recently when I came across a post by Jeff Atwood from last November.

But post Snowden, and particularly after the result of the last election here in the US, it’s clear that everything on the web should be encrypted by default.

Jeff Atwood, Let’s Encrypt Everything

I have to agree with Atwood here. There is zero reason not to use TLS (what most of us still call SSL, even though the SSL protocols themselves have long been retired) everywhere. As he points out later in the article, the old concern that encryption adds too much overhead no longer holds on modern hardware, and the risks are greater than ever. It is also relatively easy to set up on the server, and Let's Encrypt will issue certificates for free. There is neither a technical nor a financial reason not to do it.

This site has always supported HTTPS as an option, and has required it for certain pages, such as the details of my PGP encryption key. As of now it also redirects all plain-HTTP traffic to TLS-encrypted connections. One caveat worth knowing: a redirect alone still lets the very first http:// request go out in the clear, so the server also sends an HTTP Strict-Transport-Security (HSTS) header, which tells browsers that have seen the site once to go straight to HTTPS on every later visit. Some may argue that this is overkill for a blog, but the way I see it, you need a good reason to keep an unencrypted connection available, not the other way around.
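What "redirect everything to HTTPS" looks like in practice, as an added example rather than this site's actual configuration: an nginx setup (the web server is an assumption; the post does not say what it runs) for a hypothetical example.com using Let's Encrypt certificates. The plain-HTTP server block answers only the ACME challenge, so certificate renewal keeps working, and bounces everything else with a permanent redirect; the HTTPS block pins modern TLS versions and sets the HSTS header so the redirect is only ever needed on a browser's first visit.

```nginx
# Added example, not the configuration of the site in this post.
# Assumes certbot keeps example.com's certificate under
# /etc/letsencrypt/live/example.com/ and uses /var/www/letsencrypt
# as its webroot for HTTP-01 challenges.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Let's Encrypt HTTP-01 validation must be reachable over plain HTTP,
    # otherwise renewals fail once the redirect is in place.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else: permanent redirect to the same path over HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only current TLS versions; no SSLv3/TLS 1.0/1.1 fallback.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # The redirect above still exposes a browser's first http:// request.
    # HSTS makes returning browsers upgrade to https:// before sending anything.
    # Start with a short max-age while testing; raise it once you are sure
    # every subdomain really serves TLS, because browsers cache this.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;
    index index.html;
}
```

After reloading, a quick sanity check is to request the http:// URL and confirm you get a 301 with an https:// Location header, then request the https:// URL and confirm the Strict-Transport-Security header is present; if either is missing, browsers will happily keep talking plaintext.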

Of course, TLS is not the end-all and be-all of security. It protects the contents of a connection, but not against a network you shouldn't trust in the first place: a malicious access point or an open hotel wifi can still intercept that first unencrypted request before the redirect happens, try to serve you a forged certificate and hope you click through the warning, and see which hosts you are talking to even when it can't read the traffic. As a result, I'd highly recommend you consider getting a VPN account for use whenever you are away from your trusted networks, especially if you're connecting to hotel wifi. Seriously, it's not worth the risk.
