- HTTPS and certificate authorities
- Using Let’s Encrypt to generate and renew digital certificates
- Hardening default setups and avoiding known vulnerabilities
- I have HTTPS, now what?
- WordPress considerations
- A workflow to migrate from HTTP to HTTPS
- More cool things about Let’s Encrypt
If you’ve followed along the previous posts you will have noticed that I didn’t get into details when mentioning how to migrate–I just assumed that you knew how to do that and eventually your site would be serving HTTPS using a certificate from Let’s Encrypt.
But it turns out that finding a good workflow to do this was one of the things that consumed most of my time initially! That, and the sheer fear of repetition.
In part 5, we looked at the great things you can do when your website is running over HTTPS, but we didn’t get into specifics of which type of website and the particular considerations you should have in mind.
There are so many types of websites that I am not going to start looking at all of them because that would probably end up being the work I do until the end of my days (exaggerating, me??). But I will look at a very popular type of website with which I have hands-on experience–WordPress!
In part 3, we looked at how to finally use Let’s Encrypt to issue and renew certificates for our domains. But I also finished with a terrifying cliffhanger: basic HTTPS setups can be vulnerable to attacks! Gasp…!
Let me start by clarifying that I am not a security expert and if someone breaks into your system I will take no responsibility whatsoever, lalalala…
This was a long overdue task, but I finally dared to move this blog to https. I thought it would be overly complicated but… it was just fine, barring a couple of minor configuration updates in WordPress.
As a faithful blog reader, you should not notice any functional difference. An automatic http to https redirection is in place so your bookmarks will still work, but I advise you to update them to https anyway: an http bookmark still sends its first request in the clear, so people watching your network traffic can tell which /path/in/my/blog you're visiting before the redirect kicks in (with https they can only tell you're visiting my blog, because the hostname is visible in DNS and in the TLS handshake, but not what you are looking at).
Also, when you send a comment, your email address won't travel unencrypted over the network. In the future I might even want to look at enabling HTTP/2, which browsers only support over https as well, and you'll get my blog faster!
But probably the most attractive bit for me is that now I can log into the admin area from seedy open hotel wifis all over the world and not be afraid that someone might steal my credentials. And I can be certain that nothing is modifying my blog before it reaches you (unless you’re using a browser plugin or similar). Integrity!
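The two properties the paragraphs above rely on, that every http:// URL redirects permanently to the same path on https:// (so old bookmarks keep working) and that an observer of an https request sees the hostname but not the path, can be checked mechanically. The script below is an added example, not code from the original post: `check_redirect` validates a redirect response offline, `visible_to_observer` spells out what a passive observer can read in each case, and `fetch_redirect` is a small live probe that obtains the status and Location for a URL without following the redirect. The `example.com` URLs and the responses in the `__main__` block are constructed for the example; the blog's real hostname and paths are not in the post.

```python
"""Offline checker for an HTTP -> HTTPS migration (added example)."""
from http.client import HTTPConnection
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

# Only permanent redirects tell browsers and search engines the move is final.
PERMANENT = {301, 308}


def expected_https_target(http_url: str) -> str:
    """The https:// URL an http:// URL should redirect to: same host,
    path, query and fragment; only the scheme changes."""
    p = urlsplit(http_url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def check_redirect(http_url: str, status: int,
                   location: Optional[str]) -> Tuple[bool, str]:
    """Validate one redirect answer to a plain GET of http_url
    (status code and Location header, *without* following redirects).
    Returns (ok, reason)."""
    if status not in PERMANENT:
        return False, f"status {status}: use 301 or 308 so the move is permanent"
    if not location:
        return False, "redirect without a Location header"
    # A relative Location resolves against the http:// request URL,
    # so it would keep the visitor on plain http.
    target = urlsplit(urljoin(http_url, location))
    want = urlsplit(expected_https_target(http_url))
    if target.scheme != "https":
        return False, f"Location is {target.scheme}://, still unencrypted"
    if target.netloc != want.netloc:
        return False, f"redirect leaves the site: {target.netloc}"
    if (target.path, target.query) != (want.path, want.query):
        return False, "redirect drops the path or query; old bookmarks break"
    return True, "permanent redirect to " + urlunsplit(target)


def visible_to_observer(url: str) -> dict:
    """What someone passively watching the network can read for a request
    to url. Over plain http the whole request line is in the clear; over
    https only the hostname leaks (DNS lookup and the TLS SNI extension),
    the path and query travel inside the encrypted channel."""
    p = urlsplit(url)
    if p.scheme == "https":
        return {"host": p.hostname, "path": None, "query": None}
    return {"host": p.hostname, "path": p.path, "query": p.query}


def fetch_redirect(http_url: str, timeout: float = 5.0):
    """Live probe: one GET of http_url, redirects not followed.
    Returns (status, Location). Not exercised by the offline checks."""
    p = urlsplit(http_url)
    conn = HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    try:
        path = p.path or "/"
        if p.query:
            path += "?" + p.query
        conn.request("GET", path, headers={"Host": p.netloc})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed responses standing in for what a server might answer.
    cases = [
        ("http://example.com/2016/04/post/?replytocom=5", 301,
         "https://example.com/2016/04/post/?replytocom=5"),   # correct
        ("http://example.com/2016/04/post/", 302,
         "https://example.com/2016/04/post/"),                 # temporary
        ("http://example.com/2016/04/post/", 301,
         "https://example.com/"),                              # path lost
        ("http://example.com/2016/04/post/", 301,
         "/2016/04/post/"),                                    # still http
    ]
    for url, status, loc in cases:
        ok, why = check_redirect(url, status, loc)
        print("OK  " if ok else "FAIL", url, "->", why)
    print(visible_to_observer("http://example.com/wp-admin/"))
    print(visible_to_observer("https://example.com/wp-admin/"))
```

To run it against a real site, feed `fetch_redirect("http://yourhost/some/path/")` into `check_redirect`; the offline cases show the three ways a migration typically goes wrong (temporary status, path dropped, relative Location that stays on http).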
I used Let’s Encrypt as the certificate authority. They’re free, and the process is mostly painless and easy to set up… once you understand it. It took me a bit, but now I know.
Worry not, I will not be keeping the knowledge to myself! I will be writing about the move during this week, and also will be giving a talk at WordCamp London next Sunday: “Securing your self-hosted WordPress website using Let’s Encrypt”. Then a shorter version of the talk at WebProgressions in London too, later in May.
I wrote about http/https eight years ago. I concluded that people were not interested in encryption because it’s complicated, slower or hard to set up. I’m very glad that Let’s Encrypt can make this as easy as it can be, and I’m incredibly happy that we can all be finally using https!