Having that little green/grey padlock means jack shit about whether a site is trustworthy. It only means the connection is encrypted, which is something, but as a trust signal the padlock is a joke. Websites MUST use https anyway, i.e. TLS, which everybody (and every hosting control panel) still calls Secure Sockets Layer (SSL), because otherwise potential visitors get warnings to stay away: “This site is insecure! Go back to safety before the world ends!”

When secure is not security

You’ll definitely need help with this. The point of SSL is to encrypt the connection and the data sent between your webserver and the person reading it, and the certificate is what proves to the browser that it reached your server rather than someone sitting in between. This is no longer optional. I’m not kidding about the scare tactics and warnings to your potential site visitors.

This particular warning below was because I intentionally included an image in the page using the http protocol instead of https. Browsers call this mixed content: the page itself is encrypted but part of it is not. The “s” is important! The “s” stands for “stoopid security”

Would you continue browsing a website after seeing this?
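Here is a way to find that stoopid http:// image before a browser does. This is an added example, not code from the original post: a small Python scanner that parses a page and lists every sub-resource loaded over plain http, split into “active” (scripts, stylesheets, frames, which modern browsers block outright on an https page) and “passive” (images and media, which get loaded but trigger the downgraded padlock and the warning). The HTML sample is constructed; feed it your own page source.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attributes pull a sub-resource into the page, per tag.
# Active content (scripts, stylesheets, frames): browsers block it on https pages.
# Passive content (images, media): browsers load it but drop the padlock and warn.
ACTIVE = {"script": ("src",), "link": ("href",), "iframe": ("src",),
          "object": ("data",), "embed": ("src",)}
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"),
           "source": ("src",)}


class MixedContentParser(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # <link rel="canonical"> and friends point somewhere but load nothing
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for severity, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if not value:
                    continue
                # Resolve relative and protocol-relative (//host/...) references the
                # way the browser will: both inherit https from the page itself.
                url = urljoin(self.page_url, value.strip())
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """Return the list of http:// sub-resources a browser would complain about."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; the two http:// resources are the ones that hurt.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://example.com/page">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<img src="/wp-content/uploads/logo.png">
<a href="http://other.example.org/">a plain link is not a sub-resource</a>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://example.com/page", SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```

Note what is not flagged: the protocol-relative script and the relative logo both resolve to https, the canonical link loads nothing, and a plain `<a href>` is navigation, not a sub-resource. The stylesheet is the one to fix first, because the browser will simply refuse to load it.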

Your visitors will get scarier warnings if:

  • the company that issued the certificate gets distrusted by the browser makers
  • someone forgets to renew the certificate and it expires
  • the SSL certificate isn’t set up correctly: wrong hostname, missing intermediate certificate, or a key that doesn’t match

Google search results also prioritise https sites over http sites. Bastards.

If you really have no idea where to start, you can pay GoDaddy $110/yr for a green padlock. The price has dropped from thousands of dollars because the padlock means next to nothing anymore.

To save a few bucks, you should instead acquire a free certificate using Let’s Encrypt. Its certificates are only valid for 90 days, so renewal has to be automated, which is the whole point of the certbot tool.

The Writers of the Far South Coast uses a certbot script to set up and renew free SSL certificates for sites on the WFSC webservers.

SSL + DNS

The Domain Name System does more than act like the yellow pages. A lot more. You can add an optional CAA record (Certification Authority Authorization) to your zone saying which company is allowed to issue a certificate for the domain. Public CAs have been required to check it since 2017, so it limits the damage if someone tricks a different CA into issuing for your name. If you use Let’s Encrypt, the record names letsencrypt.org. This screenshot is from GoDaddy:
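To see what that record actually does, here is the lookup a CA performs, written up in Python as an added example (not from the original post, and not GoDaddy’s or Let’s Encrypt’s code). It follows the RFC 8659 rules: climb from the requested name towards the root, the first name that has CAA records wins, issuewild overrides issue for wildcard names, a bare “;” means nobody may issue, and a critical flag on a property the CA doesn’t understand means it must refuse. The zone data is a constructed in-memory table standing in for real DNS.

```python
CRITICAL = 128  # the issuer-critical flag bit in a CAA record

# Constructed zone data: name -> list of (flags, tag, value).
# Names without an entry have no CAA records, like most of the internet.
CAA_RECORDS = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                       # wildcard certs: nobody
        (0, "iodef", "mailto:security@example.com"),  # where to report violations
    ],
    "locked.example.com": [(0, "issue", ";")],       # nobody may issue here
    "odd.example.com": [(CRITICAL, "futuretag", "whatever")],
}

RESTRICTING_TAGS = ("issue", "issuewild")
KNOWN_TAGS = RESTRICTING_TAGS + ("iodef",)


def relevant_caa_set(name, records=CAA_RECORDS):
    """Walk from the requested name up to the root; the first name with CAA
    records is the relevant set.  A wildcard *.example.com is looked up as
    example.com, which is where its records live."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = records.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_may_issue(name, ca_domain, records=CAA_RECORDS):
    """True if a CA identified by ca_domain is allowed to issue for name."""
    rrset = relevant_caa_set(name, records)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue

    # A critical property the CA does not understand means it must refuse.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False

    wildcard = name.startswith("*.")
    has_issuewild = any(t.lower() == "issuewild" for _, t, _ in rrset)
    tag = "issuewild" if wildcard and has_issuewild else "issue"
    values = [v for _, t, v in rrset if t.lower() == tag]
    if not values:
        return True  # CAA present (e.g. only iodef) but nothing restricts issuance

    for value in values:
        # value is "<ca-domain>[; parameters]"; a bare ";" names no CA at all
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "godaddy.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("odd.example.com", "letsencrypt.org"),
                     ("no-caa.test", "anyone.example")]:
        print(f"{ca:16} -> {fqdn:20} {'allowed' if ca_may_issue(fqdn, ca) else 'refused'}")
```

The real thing for your own domain is `dig yourdomain CAA`. If it comes back empty, every CA on the planet is allowed to issue for you, which is the default most sites are running with.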

SSL varieties money can buy

  1. Domain Validated (DV) Certificate verifies that you control the domain – This is what Let’s Encrypt does for free
  2. Organization Validated (OV) Certificate proves that you control the domain and that your organization is legitimate. This is reassuring to your site visitors, as a fraudulent website could never pass these checks *scoff*
  3. Extended Validated (EV) SSL offers the highest level of assurance to your customers – EV SSL applicants must pass an extensive vetting process. (See figure below) – plus it costs a lot of money, and since 2019 the major browsers no longer show the company name next to the padlock, so your visitors can’t even tell you paid for it

Configure Apache

Redirect www to non-www and redirect everything to https. This goes in the site’s VirtualHost or its .htaccess. One caveat: if TLS is terminated in front of Apache (a load balancer or CDN), %{HTTPS} is always off as far as Apache can see and you have to test the X-Forwarded-Proto header instead, or you get a redirect loop.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Any request for www.example.com, plain or https, goes to https://example.com.
    # This check must not depend on %{HTTPS}, otherwise https://www.example.com
    # would never be redirected.
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]

    # Anything else still arriving over plain http goes to https on the same host
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Need to tell Apache where to find the certificates. Since Apache 2.4.8 the SSLCertificateFile can hold the whole chain (your certificate followed by the CA’s intermediates); on older versions add SSLCertificateChainFile as well, otherwise some browsers give the “not set up correctly” warning. If you run certbot directly the files are /etc/letsencrypt/live/yourdomain/fullchain.pem and privkey.pem. The key file should be readable by root only.

SSLEngine on
# your certificate plus the intermediate chain (certbot's fullchain.pem)
SSLCertificateFile "/opt/bitnami/apps/wordpress/conf/certs/server.crt"
# the private key: chmod 600, owned by root
SSLCertificateKeyFile "/opt/bitnami/apps/wordpress/conf/certs/server.key"

An SSL Certificate does not make your webserver secure. It protects the data in transit, and that is all. An out-of-date WordPress plugin or a weak admin password is exactly as exploitable over https, just with a nice padlock on it.

Some advanced nerd information gathering sites:
