SSL

It was Jan last year that I suggested HTTPS adoption had passed the "tipping point", that is, it had passed the moment of critical mass and as I said at the time, "will very shortly become the norm". Since that time, the percentage of web pages loaded over a secure connection has rocketed from 52% to 71% whilst the proportion of the world's top 1 million websites redirecting people to HTTPS has gone from 20% to about half (projected). The rapid adoption has been driven by a combination of ever more visible browser warnings (it was Chrome and Firefox's changes which prompted the aforementioned tipping point post), more easily accessible certificates via both Let's Encrypt and...

HTTPS is easy! In fact, it's so easy I decided to create 4 short videos around 5 minutes each to show people how to enable HTTPS on their site and get all traffic redirecting securely, optimise their HTTPS configuration to get it rating higher than most banks, fix any insecure references in a few clicks and finally, secure all the traffic all the way back to their website. I built a little demo site and embedded all the videos in it over at HTTPSIsEasy.com. Let me begin by being clear about the demographic this is pitched at: I wanted to create a resource that had the broadest possible appeal regardless of technical competency. If someone has entry-level web dev...

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine..." The latest such event was with NatWest (a bank in the UK), and it culminated with this tweet from them: I'm sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC— NatWest (@NatWest_Help) December 12, 2017 This was after a concerned customer and then myself trying to explain to them that serving their home page over a non-secure connection wasn't such a good idea. The "I'm sorry you feel this way" tweet was in response to...

As many followers know, I run a workshop titled Hack Yourself First where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it's a pretty well-known quantity, but there's one module more than any other that changes at a fierce rate - HTTPS. I was thinking about it just now when considering how to approach this post launching the new course because let's face it, I've got a lot of material focusing on the topic already. But then I started thinking about the rate of change; just since the beginning of last year, here's a bunch...

It seems that there is no limit to human ingenuity when it comes to working around limitations within one's environment. For example, imagine you genuinely wanted to run a device requiring mains power in the centre of your inflatable pool - you're flat out of luck, right? Wrong! Or imagine there's a fire somewhere but the hydrant is on the other side of train tracks and you really want to put that fire out but trains have still gotta run too - what options are you left with? None? Wrong again! Seeing a theme here? Let's extend that into the digital world and we'll talk about HTTPS for a bit. You should use it. No really, if you're not HTTPS'ing...

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before. At least insofar as securing web traffic goes because as of this week's Chrome 62's launch, any website with an input box is now doing this when served over an insecure connection: It's not doing it immediately for everyone, but don't worry, it's coming very soon even if it hasn't yet arrived for you personally and it's going to take many people by surprise. It shouldn't though because we've known it's coming for quite a while now starting with Google's announcement back in April. That was then covered pretty extensively by the tech press...

As best I understand it, one of the most effective SEO things you can do is to repeat all the important words on your site down the bottom of the page. To save it from looking weird, you make the text the same colour as the background so people can't actually see it, but the search engines pick it up. Job done, profit! I think this is the way we did it in 1999. I don't know, I can't recall exactly, but I know I don't know and I'll happily admit to being consciously incompetent in the ways of SEO. But that's cool, I know the things I understand well and those I don't and when I get the latter...

Last week I wrote about how Life Is About to Get a Whole Lot Harder for Websites Without HTTPS. Somewhere in the comments there, the discussion went off on a tangent about commercial CAs, the threat Let's Encrypt poses to them and subsequently, the value (or lack thereof) posed by extended validation (EV) certificates. That discussion boiled over onto Twitter with many vocal opinions from different camps. This post attempts to lay the arguments out in a more cohesive fashion than Twitter permits. But firstly, let's get back to the original blog post which I made due to the fact that come October, Chrome 62 will begin doing this: There are two important things happening here: Any page including a...

In case you haven't noticed, we're on a rapid march towards a "secure by default" web when it comes to protecting traffic. For example, back in Feb this year, 20% of the Alexa Top 1 Million sites were forcing the secure scheme: These figures are from Scott Helme's biannual report and we're looking at a 5-month-old number here. I had a quiet chat with him while writing this piece and apparently that number is now at 28% of the Top 1 Million. Even more impressive is the rate at which it's changing - the chart above shows that it's up 45% in only 6 months! Perhaps even more impressive again is the near 60% of web requests Mozilla...

A Twitterer sent me this a few days ago: .@troyhunt you've got SSL issues in Chrome 58+ on @ASafaWeb pic.twitter.com/qtUiMxV9tW— Jonathan (@Eonasdan) April 13, 2017 Now normally when I get a report about an SSL thing not working (by which we mean TLS, but we say SSL anyway), I jump on over to SSL Labs (see?!) and run a report I can then direct people to. This usually provides emphatic proof that the SSL configuration is fine and they've just got an old client or some funky MitM stuff going on in their local network. However, this time was different: "Grade will be capped to T". Now I didn't immediately realise what...