And it's goodbye to HTTP from this website...

I wanted to do this months ago, but for reasons too longwinded to go into it was put on a backburner.

But last night, without much fanfare (hence I'm blowing a trumpet now), my site switched from HTTP to HTTPS.

If you look up in your browser bar, you may well see a little padlock denoting that the communication between your computer and the webserver this site runs on is encrypted, and should be warding off snoopers with a flea in their ear.

Of course, certain sections of the site (like the admin dashboard used to post articles) have always been secured with HTTPS to prevent bad guys from sniffing my passwords, but now every article should be similarly resistant to eavesdropping.

So, you can feel a little more private reading the articles I write now.

HTTPS on grahamcluley.com

Admittedly, this site isn't one where you can buy goods or that you log into, but increasingly it's important that better secured webpages become the norm rather than the exception.

Thanks to the managed WordPress-hosting gurus at WP Engine and the SSL certificate whizzkids at DigiCert for sorting this out for me.

Your normal viewing experience of the stories I write shouldn't be affected, but you will now be that little bit more private. Frankly, it's only a tiny change in the evolution of this site - hardly earthshattering, but I hope you appreciate it. And I'm happy to be putting my money where my mouth is.

Will the NSA give two hoots about me doing this? I don't think so one jot. And I doubt that GCHQ cares either, although they may feel miffed by the name of my email newsletter.

Please note that stories I write on third-party sites for other vendors may not have their webpages secured with HTTPS - you will have to take that up with those companies if that's a concern for you. In addition, I will inevitably, and frequently, link to stories on webpages which aren't running HTTPS.

Please let me know if you spot any hiccups with the site following this change, and I'll do my best to fix them.



12 Responses

  1. Jamie

    March 4, 2015 at 6:10 pm

    Hey Graham, this is fantastic. I think the more sites going https-only, the better. You may want to approach your host about modernizing their security configuration, though. The SSL Labs analyzer is currently giving you a B due to no TLS 1.2 support, and no support for Forward Secrecy ciphers.

    https://www.ssllabs.com/ssltest/analyze.html?d=grahamcluley.com

    • Graham Cluley in reply to Jamie.

      March 4, 2015 at 6:16 pm

      You're reading my mind Jamie. :). Plan is to improve the setup over time.

      Unfortunately at the moment my hosting provider doesn’t offer TLS 1.1 and 1.2. Cheers!

      • Scott in reply to Graham Cluley.

        June 8, 2015 at 2:17 pm

        I also host with WP Engine and have noticed them rolling out support for TLS 1.2 among other improvements. I ran your site and you are now (assessed 6/8/15) getting an A-.

        See the improvements here: https://scottontechnology.com/wp-engine-rolling-out-support-for-tls-1-2/

  2. Anon

    March 4, 2015 at 7:49 pm

    Google Chrome (41.0.2272.76 m) considers that this site is "encrypted with obsolete technology" when you click on the padlock. It's part of the new 'feature' to allow users to find out if they're connected to a site using a deprecated cipher suite. Eventually it will flag this connection as insecure.
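Jamie's comment points at two things a 2015-era SSL Labs scan marks down (no TLS 1.2, no forward-secrecy cipher suites) and Anon's at Chrome's "obsolete technology" label. The following Python is an added example, not code from the post, SSL Labs or Chrome: it takes a scan summary (protocol list plus IANA cipher-suite names) and reports those findings. The two scans are constructed by hand, one resembling the configuration described in the comments and one hardened, and the `chrome_modern` criterion (TLS 1.2 or newer, ECDHE key exchange, AEAD cipher) is stated as an assumption about what Chrome called "modern" at the time.

```python
"""Classify a TLS scan summary for TLS 1.2 support, forward secrecy, weak suites
and AEAD use. Added example; the scan data below is constructed, not measured."""

# Constructed sample scans. Cipher suites use IANA names as scanners report them.
WEAK_SCAN = {
    "protocols": ["TLSv1.0", "TLSv1.1"],
    "ciphers": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
    ],
}

HARDENED_SCAN = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": [
        "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suite: key exchange is always ephemeral
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    ],
}

MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "anon", "MD5")


def key_exchange(suite):
    """Return the key-exchange token of an IANA cipher-suite name.

    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -> 'ECDHE_RSA'
    TLS 1.3 suites have no '_WITH_' section; they always use ephemeral (EC)DH.
    """
    if "_WITH_" not in suite:
        return "ECDHE"
    return suite[len("TLS_"):suite.index("_WITH_")]


def has_forward_secrecy(suite):
    """Forward secrecy needs an ephemeral Diffie-Hellman exchange (ECDHE or DHE);
    plain RSA key transport lets a later private-key compromise decrypt old traffic."""
    return key_exchange(suite).startswith(("ECDHE", "DHE"))


def is_aead(suite):
    """AEAD suites (AES-GCM, ChaCha20-Poly1305, AES-CCM) avoid the CBC padding-oracle class."""
    return any(tok in suite for tok in ("_GCM_", "CHACHA20_POLY1305", "_CCM"))


def assess(scan):
    """Return a list of findings for a scan summary; an empty list means nothing to flag."""
    findings = []
    protocols = set(scan["protocols"])
    if not protocols & MODERN_PROTOCOLS:
        findings.append("no TLS 1.2 support")
    legacy = sorted(protocols - MODERN_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if not any(has_forward_secrecy(s) for s in scan["ciphers"]):
        findings.append("no forward-secrecy cipher suites")
    for s in scan["ciphers"]:
        if any(m in s for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite: " + s)
    if not any(is_aead(s) for s in scan["ciphers"]):
        findings.append("no AEAD cipher suites")
    return findings


def chrome_modern(protocol, suite):
    """Assumed 2015-era Chrome criterion for a 'modern' connection: TLS 1.2+,
    ECDHE key exchange and an AEAD cipher. Anything else was labelled
    'encrypted with obsolete technology' behind the padlock."""
    return (protocol in MODERN_PROTOCOLS
            and key_exchange(suite).startswith("ECDHE")
            and is_aead(suite))


if __name__ == "__main__":
    for label, scan in (("weak", WEAK_SCAN), ("hardened", HARDENED_SCAN)):
        print(label + ":", assess(scan) or ["no findings"])
    print("Chrome 'modern'?", chrome_modern("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
```

The classification works purely from suite names, so it can be run over the cipher list of any scanner report without network access; a real assessment would also check certificate chain, key size and renegotiation settings, which SSL Labs grades separately.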

  3. Anon

    March 4, 2015 at 8:04 pm

    Two more useful features that could be enabled when you get the time – HSTS and DNSSEC. The latter is particularly important I think to prevent cache poisoning: something that wouldn’t be good for a popular blog.

    Good effort for implementing HTTPS; it’s always good when a site gets a security facelift.
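HSTS, as suggested in the comment above, is a single response header, but a mis-set one is easy to ship. The Python below is an added example (not from the post or from any HSTS tooling) that parses a `Strict-Transport-Security` value per RFC 6797 and lists what a deployer would want flagged. The header values in the test are constructed; the one-year and `includeSubDomains` thresholds mirror the published hstspreload.org requirements and are stated here as an assumption.

```python
"""Parse and sanity-check a Strict-Transport-Security header (RFC 6797).
Added example; header values used with it are constructed."""

ONE_YEAR = 31536000  # seconds; assumed preload-list minimum for max-age


def parse_hsts(value):
    """Parse a value such as 'max-age=31536000; includeSubDomains; preload'.

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool}.
    Raises ValueError when the header is malformed: missing or non-numeric
    max-age, or a repeated directive (RFC 6797 says UAs must ignore such headers).
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        arg = arg.strip().strip('"')       # max-age may be sent as a quoted-string
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def hsts_findings(value):
    """Return human-readable findings for a header value (empty list: nothing to flag)."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return ["malformed header: " + str(exc)]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the policy; browsers will forget this host")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year (%d s)" % policy["max_age"])
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing; subdomains stay reachable over plain HTTP")
    if policy["preload"] and not (policy["max_age"] >= ONE_YEAR and policy["include_subdomains"]):
        findings.append("preload requested but preload-list requirements not met")
    return findings


if __name__ == "__main__":
    for header in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300",
                   "includeSubDomains"):
        print(repr(header), "->", hsts_findings(header) or ["ok"])
```

Two things the parser cannot see from the value alone: the header only takes effect when received over HTTPS (browsers ignore it on plain HTTP), and `max-age` should be rolled out short first, since a long policy on a site that later breaks its TLS locks visitors out until it expires.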

  4. nat

    March 5, 2015 at 2:52 pm

    Maybe I'm missing something … why would you want to use SSL for a site like this? Seems like overkill to me.

    • Anon in reply to nat.

      March 5, 2015 at 7:09 pm

      By using SSL (properly speaking TLS) it enables you to visit the content as Graham intended (i.e. by making a man-in-the-middle attack more difficult). It also ensures that a user can determine the original content from any spoofed content providing you have a record of the original thumbprint.

      I now notice that he's using extended validation (full green bar in Internet Explorer) which is very good. It offers bank-grade security and PREVENTS (not just makes more difficult) the MiTM attack – the green bar would disappear. Excellent.

      • Petererer in reply to Anon.

        March 5, 2015 at 8:29 pm

        So it's impossible for a MITM attacker to have access to keys which could be used to generate a fake EV certificate?

        • Anon in reply to Petererer.

          March 5, 2015 at 10:05 pm

          With the key material that is not impossible. The way that EV certificates work mean that they can't be made to appear in the same way (by a MiTM) that a standard certificate can. They also prevent employers from snooping on the connection; even with a trusted root certificate: such as we saw with the Superfish debacle.

          Have a read of the following, he explains it well:

          https://www.grc.com/ssl/ev.htm
          https://www.grc.com/fingerprints.htm

          • Anon2 in reply to Anon.

            March 16, 2015 at 3:12 pm

            Without going into too much technological detail, I can assure you 100% that employers can still 'snoop' on this website with a trusted root certificate. I know this because when I click the padlock and "view certificates", the cert is issued by my employer.

  5. David L

    March 6, 2015 at 3:56 am

    Hi,

    Thank you for making this a more secure site. More and more, security bloggers are making this switch. If you need a new or better cert, then later this summer Mozilla, EFF, and others are going to help websites get free certs, and comprehensive instructions with real time support to get started.

    Also, if you or other people are not using "https everywhere" on your browser, then just google it for more information.
