David A. Wheeler's Blog

Wed, 11 Mar 2015

Plans for HTTPS (SSL/TLS) on this site

Currently this website uses only HTTP, and does not support HTTPS. That means that users cannot trivially authenticate what they receive, and that in some cases users reveal to others what they are viewing on the site. (Technical note: HTTPS is implemented by a lower-level protocol; the current protocol versions of this protocol are named TLS, and the older ones are named SSL, but a lot of people use the term SSL to include TLS.) I would like to use HTTPS, but this website is entirely self-funded. I do have a plan, though.

My current plan is that I am waiting for Let’s encrypt to stand up and be ready. Once that gets going, I intend to use it to add support for HTTPS. I’d like to eventually only support HTTPS, since that prevents downgrade attacks, but I need to make sure that the TLS certificates and configuration works well. Also, I pay others to maintain the server; since I am not made of money, I necessarily use low-end cheap services. That will limit what I can do in terms of HTTPS configuration hardening. On the other hand, it should be better than the current situation.

The software I develop is generally available on SourceForge or GitHub, and they already provide HTTPS, so you don’t need to wait for that. Currently you have to log into SourceForge to get HTTPS, but that is expected to change, and for now just log in.

Anyway, I thought some of you might like to know that there is a plan.

path: /website | Current Weblog | permanent link to this entry