SSL All the Sites!

The Why

Back in the day, most websites were served over HTTP web protocol. HTTPS, which adds a secure layer on top of HTTP, was generally only used for sites where you logged in, managed money, or anything else that would necessitate a secure, encrypted connection between the server and the client. In the last few years several technology companies have started campaigning to encrypt all the things. One of the steps outlined is to abandon HTTP in favor of HTTPS.

This is not without reason. The web has changed and it is not only “hackers” who take advantage of unencrypted traffic. Amongst other concerns, companies like Verizon have started injecting tracking headers into unencrypted traffic so that they can sell your data. Governing bodies around the world, too, have taken advantage of insecure web traffic for surveillance.

Furthermore, browsers are holding non-secure sites more accountable. Google Chrome now flags any non-secure pages with a form as “Not Secure” and Firefox flags them with a lock with a red slash through it. Eventually, the Chrome team plans to flag all pages served over HTTP as not secure.

The How

SSL/TSL certificates, which allow secure communications between the server and client, have traditionally cost extra money in addition to hosting. With the launch of Let’s Encrypt in 2016 you can now serve your site over HTTPS for no additional cost. How to set this up is based on where your site is hosted. We’ll run through two hosting scenarios that we use here at VIA: WordPress Engine and manually adding to Rackspace.

Adding Let’s Encrypt to WP Engine

Adding Let’s Encrypt to WP Engine is as simple as a few button clicks. Navigate to the install in your WP Engine management page and click on ‘SSL.’ Click the button that says “Add Certificates” and then “Get Let’s Encrypt.” Select the domains that you want and then request the certificate. It’s that simple!

Adding Let’s Encrypt Manually

While WordPress Engine has simplified the Let’s Encrypt certificate install process, there may come a time where you have to do it manually on your own server. Luckily, the Certbot from the EFF makes this very easy.

There are instructions for using Certbot with a number of different web servers on most major Linux distros, but we’re going to focus on Ubuntu + Apache since it’s one of the more common ones. Ubuntu 16.0.x has packages available so you just need to do sudo apt-get install python-certbot-apache.

Ubuntu <= 14.0.x doesn’t have packages but you can download the certbot-auto script which handles everything for you.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

You’ll need to have your Apache VirtualHosts organized properly for Certbot to do its magic. That means one VirtualHost per config file and the config file should be named according to the VirtualHost domain.

For example, if you have a site called example.com. You need to put your > directive by itself in a file called example.com.conf. Put that file in /etc/apache2/sites-available and run sudo a2ensite example.com && sudo apache2 reload. This will allow Certbot to automatically detect the site.

Once certbot (or certbot-auto) is installed, just run certbot --apache or ./certbot-auto. It will bring up a list of available sites to install certificates on. Simply select the sites you wish to encrypt and Certbot will do the rest.

Renewals are just as easy. Simply run certbot renew or ./certbot-auto renew.

The Roadblocks

Occasionally your site will depend on assets that you’re requesting from other places on the web, sometimes they’re being requested over HTTP. These will cause mixed content errors on your newly secured site and might cause some issues with its functionality. If the assets are coming from your code, simply switch where the assets are being requested from. If they’re coming from a third party plugin or library I would recommend contacting the plugin’s author and request that they call their assets either over HTTPS or without a protocol. This looks like this:

<img src="http://website.com/wrong.jpg" />

<img src="//betterwebsite.com/right.jpg" />

Additionally, you can use a Content Security Policy on your site to block all insecure requests, or (in some browsers) update the requests automatically to HTTPS. There’s even an option to receive reports when an insecure request is made.

Go forth, be secure

Now that’s it’s free and easy to encrypt, there’s no reason not to do it!

Your Google ranking will improve and your users will appreciate the extra privacy.

Go forth and encrypt!