Mandatory HTTPS for everyone

Posted on Thu 25 May 2017 in Dispatches • 2 min read

These days, encryption is more important than ever. You don’t need to look any farther than the national news for reasons why. Even small sites that don’t provide user accounts should consider it. I was reminded of this recently when I came across a post by Jeff Atwood from last November.

But post-Snowden, and particularly after the result of the last election here in the US, it’s clear that everything on the web should be encrypted by default.

Jeff Atwood, Let’s Encrypt Everything

I have to agree with Atwood here. There is zero reason not to use TLS (what most people still call SSL) everywhere. As he points out later in the article, the old concern that encryption adds too much overhead no longer holds on modern hardware, and the risks are greater than ever. It is also relatively easy to set up on the server, and certificates are available for free from Let’s Encrypt. There is neither a technical nor a financial reason not to do it.

This site has always supported HTTPS as an option, and even required it for certain pages, such as the details of my PGP encryption key. As of now it will also force and reroute all traffic to SSL-encrypted connections. Some may argue that this is overkill for a blog, but the way I see it, you need to have a good reason to maintain an unencrypted connection, and not the other way around.
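For readers who want to do the same, here is what forcing all traffic onto HTTPS typically looks like on an nginx server. This is an added example, not this site’s own configuration: it assumes the hostname example.com, a Let’s Encrypt certificate at the paths certbot uses by default, and a static site rooted at /var/www/example.com.

```nginx
# Added example configuration (not the site's own). Assumes example.com,
# certbot's default certificate paths, and a static site under /var/www.

# Plain HTTP: answer ACME challenges, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Let's Encrypt http-01 renewals are served directly over HTTP so that a
    # renewal never depends on the TLS side being healthy.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Permanent redirect that preserves the requested host and path, so
    # http://example.com/foo?bar lands on https://example.com/foo?bar.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: the only place content is actually served from.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Current protocol versions only; no SSLv3 and no TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: tell returning browsers to go straight to HTTPS for six months,
    # so the plain-HTTP redirect above is only ever needed on a first visit.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    root  /var/www/example.com;
    index index.html;
}
```

Two checks worth doing after reloading: `curl -I http://example.com/some/page` should return a 301 with a `Location:` header pointing at the same path on https://example.com, and `curl -I https://example.com/` should include the `Strict-Transport-Security` header. Drop `includeSubDomains` if any subdomain is still served over plain HTTP, because once a browser has cached the header it will refuse to load those subdomains insecurely until `max-age` expires.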

Of course, TLS is not the be-all and end-all of security. A properly validated HTTPS connection does protect you from a man-in-the-middle on a hostile network, but only for that connection: on an open hotel hotspot or behind a malicious router, an attacker can still read and tamper with anything that is not encrypted, can see which hosts you talk to through your DNS lookups and the server names in TLS handshakes, and can try to intercept the very first plain-HTTP request before a site redirects you to HTTPS (which is what the HSTS header is meant to prevent). As a result, I’d highly recommend you consider getting a VPN account for use whenever you are away from your trusted networks. Especially if you’re connecting to hotel wifi. Seriously, it’s not worth the risk.