Securing all communications on the internet becomes increasingly important. We switched all our sites to HTTPS only years ago, but simply enabling HTTPS is not enough, of course. The configuration needs to be carefully fine-tuned in order to really be secure.
Qualys Labs SSL Server Test
A great way to check a website’s SSL/TLS configuration is the Qualys Labs SSL server test. With recent improvements and a brand-new certificate from Digicert we are very happy about the A+ rating for uberagent.com in that test.
In case you are interested in the webserver’s configuration: Helge explains how to setup and configure a secure webserver for WordPress in this blog post. The article includes detailed SSL/TLS configuration instructions. Some key points to remember:
- Disable SSLv2 and SSLv3: those protocols are old and have security issues. Every existing browser supports at least one variant of TLS, so there is no reason to keep SSL enabled.
- Use the optimal SSLCipherSuite string: many different encryption algorithms are available for HTTPS/TLS. While we want to make sure older devices are supported, too, we want to use the strongest possible encryption with every device. That is why not only the content but also the order of the cipher suites is important.
- Enable HTTP Strict Transport Security (HSTS): this tells the browser to only use encrypted connections for a website and never even try unencrytped HTTP.
- Set a content security policy: this configures where website content may be loaded from.
Free Certificates from Let’s Encrypt
Webserver certificates have been quite expensive traditionally. The associated cost is by far the most important reason why most sites’ admins did not bother offering HTTPS. However, people’s mindsets are changing and security is being considered more and more important. A very welcome recent development is the creation of Let’s Encrypt, a free, automated and open certificate authority.
There really isn’t any reason anymore not to switch your site to HTTPS only.