Tags: https

Dissecting an SSL certificate [↗]

Hello! In my networking zine (which everyone will be able to see soon), there is a page about TLS/SSL (basically this tweet). But as happens when you write 200 words about a thing on a page, there is a lot more interesting stuff to say. So in this post we will dissect an SSL certificate and try to understand it!

A good breakdown of TLS/SSL certificates and how they work.

Communicating the Dangers of Non-Secure HTTP [↗]

In order to clearly highlight risk to the user, starting this month in Firefox 51 web pages which collect passwords but don’t use HTTPS will display a grey lock icon with a red strike-through in the address bar.

This is a good move, but I wonder if the visual indicator should be stronger?

Distrusting New WoSign and StartCom Certificates [↗]

Mozilla has discovered that a Certificate Authority (CA) called WoSign has had a number of technical and management failures. Most seriously, we discovered they were backdating SSL certificates in order to get around the deadline that CAs stop issuing SHA-1 SSL certificates by January 1, 2016. Additionally, Mozilla discovered that WoSign had acquired full ownership of another CA called StartCom and failed to disclose this, as required by Mozilla policy. The representatives of WoSign and StartCom denied and continued to deny both of these allegations until sufficient data was collected to demonstrate that both allegations were correct. The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates.

Oh, that’s not good. I use StartCom services for a number of domains and so this is a worry. I should probably look at completely switching to Let’s Encrypt.

How to use LetsEncrypt with Multiple Domains on Nginx and Ubuntu [↗]

There are many reasons to set up SSL hosting for your domain, top of all would be that Google is now giving SEO priority to sites that utilize SSL. Regardless of the benefits, it can be a bit intimidating to set up SSL, not to mention expensive. LetsEncrypt is a service that provides free SSL certificates to everyone so we’re going to cover the very basics of how to do this. Don’t worry, it’s pretty painless.

A good step-by-step guide to get up-and-running with Let’s Encrypt on Ubuntu with Nginx.

Let’s Encrypt – Defending Our Brand [↗]

Some months ago, it came to our attention that Comodo Group, Inc., is attempting to register at least three trademarks for the term “Let’s Encrypt,” for a variety of CA-related services. These trademark applications were filed long after the Internet Security Research Group (ISRG) started using the name Let’s Encrypt publicly in November of 2014, and despite the fact Comodo’s “intent to use” trademark filings acknowledge that it has never used “Let’s Encrypt” as a brand.

Comodo Group, Inc. is a business and like all businesses, they exist to make money. That said, I think their behaviour is pretty shitty. I guess they’re worried that they cannot compete with Let’s Encrypt and so have chosen dirty tactics as a form of defense/attack. Seems idiotic to me.

Anyhow, I hope Let’s Encrypt are successful, they’re doing great work and deserve support.

Let’s Encrypt — Leaving Beta [↗]

Since our beta began in September 2015 we’ve issued more than 1.7 million certificates for more than 3.8 million websites. We’ve gained tremendous operational experience and confidence in our systems. The beta label is simply not necessary any more.

This is great news. I’ve been using a number of certificates from this service and while I have no doubt that the service is here to stay, it’s always nice to know that a service provider has enough confidence in their systems to remove the “beta” label.

Automattic Partners with Let’s Encrypt to Enable HTTPS on All WordPress.com Websites [↗]

WordPress.com announced today that it has turned on encryption for custom domains. The network’s subdomains have been HTTPS-enabled since 2014 as part of the Reset the Net campaign against mass surveillance. Today Automattic expanded HTTPS coverage to more than one million custom domains hosted on the network.

This is great news for WordPress.com users. Nice work Automattic :)

All things HTTP/2 and HTTPS [↗]

Joe and Brian talk about HTTPS and HTTP/2, including what they are, what it means, and how they affect WordPress.

This is the first Post Status Draft podcast that I have listened to. I enjoyed it a lot and the hosts did a good job discussing the benefits of both HTTPS and HTTP/2.

Subscribed.

Login Forms over HTTPS, Please [↗]

In Firefox 46 Developer Edition, we display a prominent warning to developers about this risk. When a page with a password field is not delivered securely, Firefox displays a lock with a red strikethrough in the address bar.

Seems like a waste to restrict this to the Developer Edition; I think Mozilla should follow Google’s lead and highlight all non-HTTPS-enabled sites.
