SSL yourself

Hey, you! Do you have a blog? Or a website? Now, tell me this: is it accessible over HTTPS? If you're like most people, your answer is going to be something along the lines of, "No, why should I bother? I have nothing security-critical on my site, and I'm certainly not accepting credit cards for people to enter." That's a perfectly valid response. But I ask you to be just a little more forward-looking. Wouldn't it be wonderful if you didn't have to worry about whether you're really accessing your bank's website and not that of some scammer? Or about whether the information you're entering at the local cafe is being intercepted by someone sitting two tables away?

These are not simple issues to solve, and serving your personal blog over SSL seems almost entirely unrelated. But it is indeed related: we want to get to a point where everything on the web is secure by default. That means, among other things, that everything is transferred securely without the ability to fall back to the old, insecure protocols from the 1980s and 1990s. And you can take a small, but significant, step in that direction by serving your website over SSL. If enough people do this, then perhaps someday HTTP without the S at the end of it can be deprecated and eventually removed. I know, it's quite a lofty goal. But it can be achieved with small steps taken by everyone together.

"All right, let's say I want to be part of this Utopian vision of yours," you say, "but I don't want to pay for a dedicated IP address or for an SSL certificate. It's still not worth it for me." Well, I have good news for you. Neither of those is required anymore - thanks to CloudFlare. If you don't have a dedicated IP address for your site or if you don't have a valid SSL certificate, you can still serve your website over SSL and have it work in the majority of browsers and operating systems. To overcome the IP address problem, CloudFlare has implemented SNI (Server Name Indication), and to overcome the valid SSL certificate problem they've started issuing their own SSL certificates for everyone who signs up - even those with free accounts! (The certificates are from Comodo, but CloudFlare has a sub-CA.)

"This is all very interesting, but I don't host my own blog. Someone else does it for me." In that case, I humbly ask that you become an activist. Don't worry, I don't want to start an "occupy the blogosphere" movement. But a single email or support ticket requesting SSL support can go a long way - especially if a whole bunch of people do it.

The World Wide Web is constantly evolving, and you can help it evolve in the right direction. Taking a small step towards being secure by default right now will allow for larger steps in the future, and maybe, just maybe, someday we won't have to be concerned so much with the security of our information, and we could focus on tackling more pertinent issues.

 