It’s never too late to start a tradition. I haven’t been writing blogs lately.

1. Let’s Encrypt

In the ideal world, everyone should be able to do anything without the fear of eavesdropping. 10 years ago, it would have been very hard to do this. Personal computers were not very strong and the Internet was slow, therefore HTTPS was reasonably slower than HTTP. Things have changed. Computers are faster now. Internet speed has increased exponentially. The only thing that holds HTTPS back is the cost to obtain a server SSL certificate.

In my opinion, it should be free because once you have an intermediate certificate that is signed by a root certificate, generating a server certificate is just a piece of cake. Honestly, it costs money to obtain an intermediate certificate and maintain supporting infrastructure, and companies usually pass the cost on to customers who want to purchase a server certificate.

Actually, server certificates have been issued for free for over two years by StartSSL, but the process is not simple. You need to sign up for an account, verify your email address, verify your domain, generate a certificate signing part on your server, create a request with StartSSL and wait for your certificate to be signed. The whole process could take up to a day, YMMV. And once it’s expired, you need to go over the whole thing again, except maybe verifying your email address.

With the introduction of Let’s Encrypt, things are getting much better. With a simple git clone command, and another command to run the letsencrypt-auto toolkit, one can easily obtain a server certificate in the blink of an eye (no, actually it takes about a minute). And renewing a certificate can be done using the same procedure. Simple and sweet.

Instruction to obtain a certificate.

2. Change
In my opinion, SSL should be enabled everywhere. HTTP was designed without security in mind. It was 1989 when Tim Berners-Lee first proposed the “WorldWideWeb” project. At that time, the most important thing was to deliver web content to internet users.

Things have changed significantly in the last 10 years. Sniffing plain HTTP content is easier than ever. People care more and more about privacy, especially when Non Such Agency uses complicated monitoring infrastructure to spy on their own citizens. Google, Facebook, Twitter, banks and other important websites have already switched to HTTPS completely. And a few days ago, Google announced that they will take into account whether websites support HTTPS. In short, HTTPS will give you a (slight) advantage over plain HTTP.

SSL certificates have been free to acquire from StartSSL for more than a year. And by mid-October, CloudFlare will also support SSL for free. Therefore, by mid-October, all my self-hosted sites will be completely SSL. Why not?