Mastodon

SSL

A 49-post collection

HTTPS Is Easy!

HTTPS is easy! In fact, it's so easy I decided to create 4 short videos around 5 minutes each to show people how to enable HTTPS on their site and get all traffic redirecting securely, optimise their HTTPS configuration to get it rating higher than most banks, fix any insecure references in a few clicks and finally, secure all the traffic all the way back to their website. I built a little demo site and embedded all the videos in it over at HTTPSIsEasy.com [https://httpsiseasy.com/]. Let me beg...

I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine..." The latest such event was with NatWest [http://personal.natwest.com] (a bank in the UK), and it culminated with this tweet from them: > I'm sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC — NatWest (@NatWest_Help) December 12, 2017 [https://twitter.com/NatWest_Help/status/940672376127270912?ref...

New Pluralsight Play by Play: What You Need to Know About HTTPS Today

As many followers know, I run a workshop titled Hack Yourself First [https://www.troyhunt.com/workshops/] where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it's a pretty well-known quantity, but there's one module more than any other that changes at a fierce rate - HTTPS. I was thinking about it just now when considering how to approach this post launching the new course because le...

Bypassing Browser Security Warnings with Pseudo Password Fields

It seems that there is no limit to human ingenuity when it comes to working around limitations within one's environment. For example, imagine you genuinely wanted to run a device requiring mains power in the centre of your inflatable pool - you're flat out of luck, right? Wrong! Or imagine there's a fire somewhere but the hydrant is on the other side of train tracks and you really want to put that fire out but trains have still gotta run too - what options are you left with? None? Wrong again...

The 6-Step "Happy Path" to HTTPS

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before. At least insofar as securing web traffic goes because as of this week's Chrome 62's launch, any website with an input box is now doing this when served over an insecure connection: It's not doing it immediately for everyone [https://textslashplain.com/2017/10/18/chrome-field-trials/], but don't worry, it's coming very soon even if it hasn't yet arrived for yo...

Don't Take Security Advice from SEO Experts or Psychics

As best I understand it, one of the most effective SEO things you can do is to repeat all the important words on your site down the bottom of the page. To save it from looking weird, you make the text the same colour as the background so people can't actually see it, but the search engines pick it up. Job done, profit! I think this is the way we did it in 1999. I don't know, I can't recall exactly, but I know I don't know and I'll happily admit to being consciously incompetent in the ways of SE...

On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt

Last week I wrote about how Life Is About to Get a Whole Lot Harder for Websites Without HTTPS [https://www.troyhunt.com/life-is-about-to-get-harder-for-websites-without-https/]. Somewhere in the comments there, the discussion went off on a tangent about commercial CAs, the threat Let's Encrypt poses to them and subsequently, the value (or lack thereof) posed by extended validation (EV) certificates. That discussion boiled over onto Twitter with many vocal opinions from different camps. This pos...

Life Is About to Get a Whole Lot Harder for Websites Without HTTPS

In case you haven't noticed, we're on a rapid march towards a "secure by default" web when it comes to protecting traffic. For example, back in Feb this year, 20% of the Alexa Top 1 Million sites were forcing the secure scheme: These figures are from Scott Helme's biannual report [https://scotthelme.co.uk/alexa-top-1-million-analysis-feb-2017/] and we're looking at a 5-month-old number here. I had a quiet chat with him while writing this piece and apparently that number is now at 28% of the T...

All your websites using StartCom certificates are about to break

A Twitterer sent me this a few days ago: > .@troyhunt [https://twitter.com/troyhunt] you've got SSL issues in Chrome 58+ on @ASafaWeb [https://twitter.com/ASafaWeb] pic.twitter.com/qtUiMxV9tW [https://t.co/qtUiMxV9tW] — Jonathan (@Eonasdan) April 13, 2017 [https://twitter.com/Eonasdan/status/852523365076267008] Now normally when I get a report about an SSL thing not working (by which we mean TLS, but we say SSL anyway), I jump on over to SSL Labs (see?!) and run a report I can then direct peo...

New Pluralsight Course: What Every Developer Must Know About HTTPS

It's a great time for HTTPS. Actually, there's never been a better time and as each day goes by, we see constant reminders of how important it is. Someone sent me a great example of this just the other day by virtue of a bug that had been lodged with Mozilla [https://bugzilla.mozilla.org/show_bug.cgi?id=1348902]: > Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission....