HTTPS by default

As of now, uses HTTPS by default. If you used to browse via HTTP, you are now redirected to the HTTPS version. In December 2012 Tim Bray announced the switch on his personal blog and others followed shortly after. This time, I join the club.

The main reason is that privacy should be respected by default, not only when something private is at stake. Or as Tim Bray puts it:

This blog isn’t terribly controversial. But if only the “controversial” stuff is private, then privacy is itself suspicious. Thus, privacy should be on by default.

Furthermore, the cost of certificates and encryption is almost zero nowadays. This certificate is signed by GeoTrust / RapidSSL. Such a certificate now costs about €10 a year (€30 for three years, which is what I bought, or €12 for a single year). Encryption mainly costs processor time, but current processors are so fast that the impact on the total request/response cycle is minimal as well. The expensive part is the public-key handshake at the start of a connection, not the symmetric encryption of the page itself, which is why session caching (covered in the resources below) matters more than raw cipher speed.

It used to be much more of a hassle, especially since every SSL site had to run on its own IP address. Nowadays, with SNI, the client sends the hostname it wants during the handshake, so several sites with their own certificates can share one address: you just import the certificate and it works. The only caveat is clients without SNI support, such as Internet Explorer on Windows XP and the Android 2.x browser, which are served the default certificate of that address. RapidSSL issued the certificate within 10 minutes and the nginx setup is minimal as well. Ergo, if you run your own site, buy your own certificate and switch to HTTPS!

If you do not want to buy a certificate, StartSSL signs certificates for free, so it does not have to cost you any money at all (but mind that not all browsers support StartSSL certificates).

Fortunately, SSL and TLS get much more attention nowadays. If you set up the web server correctly, you can enable perfect forward secrecy (PFS) as well. Concretely: with plain RSA key exchange, anyone who recorded your traffic and later obtains the server's private key can decrypt all of it; with ephemeral Diffie-Hellman (DHE or ECDHE) the session key is never sent over the wire and the private key only signs the handshake, so a leaked key does not expose past sessions. In layman's terms, from Wikipedia:

“[This] ensures that a session key […] will not be compromised if one of the […] keys is compromised in the future.”
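As an added example (not the configuration from the original post), here is a complete nginx setup covering the steps above: an HTTP listener that does nothing but redirect, an SNI-capable HTTPS server block, and a cipher order that gives ECDHE/DHE key exchange priority so sessions get forward secrecy. The hostname example.com, the certificate and key paths, and the six-month HSTS lifetime are assumptions; adjust them to your site.

```nginx
# Added example, not the original post's configuration. Hostnames, paths and
# the HSTS lifetime below are assumptions.

# Plain-HTTP listener: answer nothing but a permanent redirect to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS listener. With SNI, several such blocks can share one IP address;
# nginx picks the block (and thus the certificate) by the name the client sends.
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Certificate chain (server certificate first, then the CA intermediate) and key.
    ssl_certificate     /etc/nginx/ssl/example.com.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # No SSLv3 or older. TLS 1.0/1.1 were still needed for old clients in 2013;
    # drop them when your audience allows it.
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    # Ephemeral (EC)DHE key exchange first, so sessions have forward secrecy.
    # The "!..." entries remove suites with no authentication, no encryption,
    # export strength, DES, RC4 or MD5. The server, not the client, picks.
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS;

    # Without this, DHE suites use OpenSSL's 1024-bit default group. Generate
    # a 2048-bit one once:  openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Session cache shared across worker processes: the full handshake (the
    # expensive part, especially with DHE) happens once per client, after which
    # resumptions are cheap.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS: tell browsers to use HTTPS for this host for the next six months
    # without trying HTTP first. Start with a short max-age while testing.
    add_header Strict-Transport-Security "max-age=15768000";

    root  /var/www/example.com;
    index index.html;
}
```

After `nginx -t` and a reload, `curl -I http://example.com/` should return a `301` with a `Location: https://example.com/` header, and `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | grep Cipher` should print an `ECDHE-` or `DHE-` suite. The `-servername` flag is what sends the SNI hostname; without it you see whichever certificate is the default for that address, which is exactly what the non-SNI clients mentioned above get.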

PFS is also required for an A grade from Qualys in their SSL Labs test. And of course, has an A grade, and SSL Labs marks the configuration as PCI compliant (the grade covers the TLS setup only, not the rest of PCI DSS). If you are also interested in optimizing your SSL configuration without sacrificing too much performance, check out some useful resources I listed below:

  1. Overclocking SSL (June 2010)
  2. Nginx does not suck at ssl (July 2010)
  3. SSL session caching in nginx (July 2010)
  4. Nginx SSL ciphers and PCI compliance (March 2012)
  5. Hardening Your Web Server’s SSL Ciphers (February 2013)
  6. Setting up Perfect Forward Secrecy for nginx (June 2013)
  7. Nginx performance tuning for SSL (August 2013) and the comments on Hacker news