HTTPS is easy
HTTPS is easy! In fact, it's so easy I decided to create 4 short videos around 5 minutes each to show people how to enable HTTPS on their site and get all traffic redirecting securely, optimise their HTTPS configuration to get it rating higher than most banks, fix any insecure references in a few clicks and finally, secure all the traffic all the way back to their website. I built a little demo site and embedded all the videos in it over at HTTPSIsEasy.com.
Let me begin by being clear about the demographic this is pitched at: I wanted to create a resource that had the broadest possible appeal regardless of technical competency. If someone has entry-level web dev skills and knows enough to get a site up and running but isn't a tech pro, I want this to be usable by them. I want to help take a big chunk out of the massive list of smaller sites that are still served over non-secure connections because the owners simply don't know where to start. I also wanted to keep each video to about 5 minutes so you'll see that there's plenty of stuff I don't embellish on, I just focus on making things work as expeditiously as possible. Having said that, everything in this video series is equally applicable to sites like this very blog and indeed that's pretty much how I have things configured today. If you are a tech pro and you want to go deeper on HTTPS, have a browse back through the dozens of posts on the SSL tag or go and watch 3 and a half hours of Pluralsight training on the subject.
Next, you'll see that this is all very Cloudflare-centric and you may be wondering "why not use Let's Encrypt instead?" I love Let's Encrypt and I love what they've done for the industry in terms of making certs free and automated. But that's only part of the journey to HTTPS and Let's Encrypt doesn't help people redirect to HTTPS, add HSTS, configure the versions of TLS they support or fix HTTP references in otherwise secure pages. All of this is really important for a robust HTTPS implementation and all of it's possible in Cloudflare with mere button clicks. To be honest, the significance of this really only became clear to me when recording these videos just yesterday; Cloudflare makes it so easy not just to get the site served over HTTPS, but to do all the other things you need to do for HTTPS to work properly.
In the final video, I secure the network segment between Cloudflare and the web server by loading one of their origin certificates into Azure. Because I know people will ask, go get yourself OpenSSL then the command I ran is as follows:
openssl pkcs12 -export -inkey httpsiseasy.key -in httpsiseasy.pem -name httpsiseasy -out httpsiseasy.pfx
Frankly, I can't see the demographic I've targeted this series at going down this path that often, in part because of the technical complexity (and yes, grabbing OpenSSL and running commands will be a bar too high for many) and also in part because many hosting providers still don't provide the ability to upload your own cert (such as Ghost Pro that this blog runs on). And before anyone loses their minds over the entire network not being encrypted or Cloudflare being able to MitM the traffic, have a read of CloudFlare, SSL and unhealthy security absolutism.
Finally, because some people will inevitably wonder, this isn't a commercial activity on my behalf; Cloudflare didn't engage me to create this and it'll come as a surprise to them the first time they see it. I created this on a whim after some Twitter discussions earlier this week and I simply wanted to create the most easily accessible resource possible for helping people get their websites served over HTTPS. So share this generously, point people who don't know where to start at HTTPSIsEasy.com and help drive a more "secure by default" web.