Secure Your Site

Back in the dark ages of 2012, I posted about the benefits of encrypted web traffic, but https was a pain to implement for small websites and frankly, there was no incentive to be ahead of the curve when only 5% of websites were secure.

Times have changed, and a majority of websites are now using https. Google’s choice in 2016 to flag http-based websites as insecure in their popular Chrome browser had its intended effect. What started with sites containing password forms and credit cards has now become the status quo.

So what about small websites? Well, you can get a free SSL certificate from Let’s Encrypt and many hosts are installing them automatically. From there, it’s just a matter of enforcing https throughout the site, so even legacy links (e.g., my old theme pointed to its CSS file using an http link) are transformed to their secure equivalents. On WordPress, if you don’t want to touch your config files, you can get a plugin to do this for you.

There’s now no excuse to put your site’s visitors at risk. But some of the biggest sites in the world still do. If you use one of the 100 insecure sites listed at, you can first be appalled, then move your traffic elsewhere.



When you go to pay for something online, or put in your password, it’s a good idea to make sure you’re using encryption.  Most of us know to look for https at the beginning of a web address when entering sensitive information – regular unencrypted http connections are like a postcard that anyone can read.  But for most web surfing, it doesn’t matter… right?

We are already being profiled – mostly by advertisers, but increasingly by anyone who is interested – based on our participation on Facebook and our searches on Google.  Even if your name is hidden, you can be identified by your surfing behavior.  In this environment, even if you have nothing to hide, you might want to make your web traffic less easily accessible to prying eyes, and one way is using encryption.  (This article is about encrypting your traffic, not completely hiding it, which requires stronger measures like Tor.)

As Cory Doctorow so vividly illustrated in his novel Little Brother, if the only people using encryption are ‘troublemakers,’ then, even if the content of their traffic is unreadable, authorities can identify them by focusing scrutiny on those users who pass large amounts of encrypted data.  In some parts of the world, having your communications monitored can not only lose you a job prospect or a loan, but can land you in jail.  The more people use https, the less obvious it is who is a political dissident and who is just a reasonably cautious web surfer.

Internet liberty activist group EFF promote a browser plugin called HTTPS Everywhere that makes encrypted browsing easy.  If you use Chrome, try HTTPS Enforcer.   It’s as simple and sensible as sealing the envelope on a letter you’re mailing.  And the increased demand for fully encrypted versions of your favorite sites will drive them to support safer browsing for everyone.

The only current downside of using the https version of a site is that it will tend to load slightly slower than otherwise.  Part of the delay is that your browser checks whether the SSL certificate – the guarantee that an encrypted site is who it claims to be – is valid.  All the encryption in the world won’t keep your traffic safe if it is being directed to the wrong destination.  Unfortunately, the system in place to check the certificates isn’t secure.

SSL critics have long complained that the revocation checks are mostly useless. Attackers who have the ability to spoof the websites and certificates of Gmail and other trusted websites typically have the ability to replace warnings that the credential is no longer valid with a response that says the server is temporarily down.

So when the check is necessary, it’s useless, and when it’s unnecessary, it wastes time:  “The median time for a successful OCSP check is ~300ms and the mean is nearly a second.” [Imperial Violet]

As Ars reports, the Google Chrome team is removing this check and implementing its own list of bad SSL certificates.  This will go a long way to making https as convenient as http, and I hope other browser makers will follow suit.  Until then, you can consider the slightly longer loading times of secure sites your contribution to making the web more private for everyone.