As many followers know, I run a workshop titled Hack Yourself First where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it's a pretty well-known quantity, but there's one module more than any other that changes at a fierce rate - HTTPS.
I was thinking about it just now when considering how to approach this post launching the new course because let's face it, I've got a lot of material focusing on the topic already. But then I started thinking about the rate of change; just since the beginning of last year, here's a bunch of really major HTTPS stuff that's happened (and this is just the ones that spring immediately to mind):
- Apr 2016: Let's Encrypt officially launched
- Oct 2016: WoSign and StartCom certs started being distrusted (looks like StartCom finally died just this month)
- Oct 2016: We passed the halfway mark with more than 50% of page loads occurring over HTTPS according to Mozilla
- Jan 2017: Chrome removes support for SHA-1 certificates
- Jan 2017: Chrome and Firefox started showing warnings when login forms were loaded over HTTP
- Oct 2017: Chrome started showing warnings when anything was entered into an input field loaded over HTTP
- Nov 2017: Some sites got desperate to suppress browser security warnings about a lack of HTTPS
- Dec 2017: Let's Encrypt became the largest issuing CA in the Alexa Top 1 million
There's plenty of other stuff coming too, for example Chrome's certificate transparency requirement hitting in April next year and, I suspect, in the not too distant future, a change to the way DV and EV certs are indicated in the browser (this is actually an enormously contentious issue). Anyway, the point is that things are rapidly changing and there are always new things to talk about.
So that's what we've done - Lars Klint and I teamed up again and recorded another Pluralsight "Play by Play", so this is where we both have an on-camera discussion that's complemented with screen recordings. It's not a deep discussion and it's perfect for consumption by people at all levels of technical competency that have an interest in delivering secure applications via the web. We talk a lot about the changes (some of which I mentioned above), new approaches to easing the burden of HTTPS adoption and how many people think the padlock icon is really a handbag. True story.
This course actually went out a few weeks ago but as some of you know, I've been kinda busy. But that's given me a bit of time to see how it's performed and it's done surprisingly well. I actually have a more formal HTTPS course that goes deep titled What Every Developer Must Know About HTTPS and that's been enormously popular this year (also rating 4.9 stars), but over December, the new Play by Play has actually outdone that one to become my third most popular course in the library! Apparently, a bunch of people really do think HTTPS is worth paying some attention to.
Play by Play: What You Need to Know About HTTPS Today is now live on Pluralsight!