Techdirt Is Now 100% SSL

from the it's-about-time dept

Back in December, the Washington Post had an article about how news sites could go full SSL, encrypting all connections, but probably wouldn't, because most of the major ad networks simply aren't set up to handle it -- meaning that doing so, while it would protect their users, would likely harm revenue. Chris Soghoian, famed security researcher and technologist at the ACLU even claimed he was offering up two bottles of whiskey to any news site that would turn on SSL.

This hit home for us, because we had started exploring the possibility of going full SSL about a month earlier and realized that we'd be giving up ad revenue to do it -- but, after thinking about it, we decided to do so anyway. Over the last few months, we've ended partnerships with a few ad providers who were unprepared and unwilling to support full SSL, and set ourselves up to make the full switch. In fact, we've quietly made sure that most of the site was fully SSL-capable for quite some time now. And, today, in conjunction with the Reset the Net campaign in honor of the first anniversary of the very first Ed Snowden revelation, we've officially flipped the switch to make the site fully SSL. While we've been quietly testing it for a while now, and it's been working fine, it's possible that some of you will come across errors or issues along the way -- so please let us know if you come across any problems.

I also believe that a number of other sites, including, potentially, some media sites, are making the leap as well, so we're not alone in this -- and I hope that Soghoian is busy sending out whiskey bottles (though, no need to send any here, thanks!). Either way, we believe that this is important in protecting your privacy and security, even if it means less ad revenue for us, and it's great to see websites across the internet doing a variety of things to make users more secure, whether it's better encrypting email, or adding more protection for their own users. It's a huge testament to how much Snowden has made the world aware of the importance of greater encryption.

While we still have some ads on the site -- from providers who were actually willing to support SSL -- we are still taking a cut in revenue in doing this. As such, if you'd like to help keep this site going strong, we'd like to remind you of the other ways you can support us via the Insider Shop, where you can become an Insider, and get access to our Insider Chat or the Crystal Ball to get access to stories before anyone else. Or you can go all in with the Behind the Curtain offering, giving you access not just to the Insider Chat and the Crystal Ball, but the special "Crystal Ball Plus" that shows you many more stories before everyone else. See stories we're working on days or even months ahead of time -- and talk about them with us as well. We also have opportunities to get lunch with me or, even, spend a whole day with us (this has been a lot of fun for the folks who have done it). We also have a bunch of merchandise, including our popular "seized" t-shirt. If you don't want to do any of that, then just keep on doing what you've already been doing, coming here every day, reading, sharing, commenting and discussing. Just know that you're doing it in a way that protects your privacy.

Filed Under: privacy, reset the net, security, ssl


Reader Comments

  1. UriGagarin (profile), 5 Jun 2014 @ 12:53am

    Whisky

    Ask for Talisker - the whisky of Tech Journo's.

    Failing that Tobermory do a very nice 19 yo single cask bottling.

  2. Anonymous Coward, 5 Jun 2014 @ 1:00am

    Yup, I'm connecting with AES-128bit encryption. Cheers!

  3. Christopher Smith (profile), 5 Jun 2014 @ 1:11am

    Not 100% yet

    The ads are still being served with non-protocol-relative URLs, giving a mixed-content warning. And Firefox doesn't like your certificate, though not enough to give me a red page.

  4. M. Alan Thomas II (profile), 5 Jun 2014 @ 1:25am

    Re: Not 100% yet

    I'm only kinda technical; what's the risk with unsecure ads in this context? What information does that expose? (I'm not terribly worried about someone knowing what ads the ad vendors serve me; what information they have on me already is more important.)

  5. David, 5 Jun 2014 @ 1:34am

    One detriment:

    One detriment to making large sites https is network congestion as the internet provider loses all means to do compression or caching.

    Granted: with the current proliferation of "customized" content and cookies, it's a minority of web sites anyway that does not have to get generated and delivered individually.

  6. Anonymous Coward, 5 Jun 2014 @ 1:39am

    I use adblock so no lost revenue from me. But I am sending you a couple of bucks right now as you definitely deserve it.

  7. ender, 5 Jun 2014 @ 1:58am

    Hostname mismatch warning

    I've been getting hostname mismatch warning for edge.quantserv.com on every page for the last few days on Techdirt (seems to have an akamai certificate).

  8. Lurker Keith, 5 Jun 2014 @ 2:39am

    Re: Re: Not 100% yet

    My AV suggests hackers could manipulate the page. Also, an unsecure ad could be hacked to include a virus or other malware. Or the ad company could be hacked. Or, if of poor quality (probably doesn't affect the ones TD uses, but you never know), the ad company could regularly ascribe to shady ads.

    On top of that, the NSA could probably peek at the page through an unsecure ad, revealing what you're reading (which, lately, has been a lot of pro-Snowden/ anti-NSA/ pro-Constitution stuff).

  9. Lurker Keith, 5 Jun 2014 @ 2:59am

    Re: One detriment:

    I adjusted my settings long ago to seek the page every visit & routinely delete the cookies (both automated by the browser & manually, since that doesn't catch everything), at least after I close the browser, if not while it's still open (depending on length of session, what sites I visited, etc.). I prefer getting the most up-to-date page available on every load or refresh. My connection is so fast, allowing caching is actually detrimental (been on systems where a normal refresh didn't load important details newly added), as well as a security issue (especially now that we know the NSA is sniffing around EVERYONE).

    Even before I started reading Techdirt (during the SOPA Blackout), I didn't care for customized pages. I cold tell that they would be grabbing way more info than I would like to generate them.

    Also, all those cookies can bog down a system (seen systems slowed to a crawl due to multiple THOUSANDS of cookies in the permanently hidden Content.ie5 folder (why does a folder have a file extension!?!), when friends asked me to find out why their used-to-be-fast computers were running so slow). Many, if not most, sites don't properly maintain their cookies, or outright misprogram some parameters so they never expire (seen a few sites where a new cookie's expiration date was days or the year before, if it even has one).

  10. Lurker Keith, 5 Jun 2014 @ 3:02am

    Re: Re: One detriment:

    could*

  11. Anonymous Coward, 5 Jun 2014 @ 3:21am

    Please Allow Anonymous BTC Contributions

    Your "Friend of Techdirt" variable-amount item in the Insider Shop should be a great way to offer a "tip jar" for somebody who wants to contribute towards Techdirt but is not looking for anything in return.

    However, all forms of contribution require an email address and physical address. BTC, in particular, should require none of those.

    As a site that prides itself on allowing anonymous contributions in the form of prose, one would think that you would be interested in anonymous BTC contributions as well.

    You don't need a Web shopping cart for such a BTC tip jar -- just publish a BTC address.

  12. Anonymous Coward, 5 Jun 2014 @ 4:09am

    "Techdirt Is Now 100% SSL"

    I don't really care either way.

  13. Anonymous Coward, 5 Jun 2014 @ 4:11am

    Now kill the Javascript

    This page attempts to load Javascript from 17 sources, including some horribly anti-privacy, anti-security ones like Facebook. It's time to excise as much of that as possible in order to avoid subjecting TD readers to the risks those impose. (And yes, I have NoScript running, which is how I counted those.)

  14. Christopher Smith (profile), 5 Jun 2014 @ 4:17am

    Re: Re: Not 100% yet

    There's no significant harm or risk in this case, but referer headers and the like can leak information, and so browsers warn about mixed page loads, and they generally won't accept JavaScript for a secure page over an unsecure connection.

  15. Anonymous Coward, 5 Jun 2014 @ 5:13am

    I can't believe you would delay something like enabling SSL for a full year because you place personal, monetary gain above the privacy and security of your site's readers.

    All kidding aside, you've spent the past year posting so many links to stories about companies that have still not implemented SSL—as recently as the story yesterday about how outbound emails from Google's servers to Comcast's servers are rarely ever encrypted using TLS—yet you have taken a full year to implement SSL on your site (keep in mind, SSL 3.0 was released in 1996).

    You've lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue, and advertisers are certainly known for tracking people's website visits and building profiles about their browsing habits, i.e., engaging in surveillance.

    Regardless, you did the right thing by enabling it, because as sarcastic as you might think this sounds, I genuinely believe that it is better to be late than never. Decisions are rarely, if ever, black or white.

    But you're not off the hook. I'm going to send this article to the folks over at TechDirt and see what they have to say about it!

  16. Mike Masnick (profile), 5 Jun 2014 @ 5:24am

    Re:

    All kidding aside, you've spent the past year posting so many links to stories about companies that have still not implemented SSL—as recently as the story yesterday about how outbound emails from Google's servers to Comcast's servers are rarely ever encrypted using TLS—yet you have taken a full year to implement SSL on your site (keep in mind, SSL 3.0 was released in 1996).

    No, we've had SSL on the site for many, many years -- including on login, meaning that all logged in users were mostly seeing SSL anyway. The switch here was to go full SSL even for non-logged in users. Generally speaking, it's less important to do SSL for non-logged in users, because they're usually not sharing information. However, to be that much more secure, we've now made that step as well.

    You've lambasted NIST and various telecoms for accepting millions of dollars from the NSA for access to their networks and data, yet you were reluctant to enable encryption on your own site for fear of losing ad revenue

    I may not have been entirely clear. We weren't reluctant to enable it because of ad revenue. We decided to enable it across the board (rather than just for logged in users) -- and then realized it wasn't quite that easy because of partners who weren't enabled to do that. So we had to figure out ways to deal with it.

    Also, there is a MASSIVE difference between compromising a key encryption technique and/or not doing TLS on communications and leaving *non* logged in readers non-encrypted.

  17. Mike Masnick (profile), 5 Jun 2014 @ 5:25am

    Re: Not 100% yet

    The ads are still being served with non-protocol-relative URLs, giving a mixed-content warning. And Firefox doesn't like your certificate, though not enough to give me a red page.

    That's not supposed to be happening... Looking into it...

  18. Andrew Cook (profile), 5 Jun 2014 @ 5:43am

    The Imgur link in a certain news story released today, about the lack of foresight of some high school pranksters, is also not HTTPS, triggering a mixed content warning there as well. Everything has to be HTTPS, including frivolities like that, before the mixed content warning goes away.

  19. The Wanderer (profile), 5 Jun 2014 @ 5:44am

    I've been using HTTPS Everywhere (which I highly recommend, by the way), combined with a local ruleset for Techdirt, to force SSL here for a while now. I'd excluded the Insider Shop (rtb.techdirt.com) because it had produced a certificate mismatch error, but checking now, it appears that that has been fixed.

    I've now turned that ruleset off, in the hopes that it will indeed be unnecessary for the future. If I encounter any issues, what would be the appropriate way to report them?

  20. Mike Masnick (profile), 5 Jun 2014 @ 5:53am

    Re:

    The Imgur link in a certain news story released today, about the lack of foresight of some high school pranksters, is also not HTTPS, triggering a mixed content warning there as well. Everything has to be HTTPS, including frivolities like that, before the mixed content warning goes away.

    Yup. We're trying to catch those, and our internal system now alerts us... but that story was actually written a few days ago before we turned that on. I'd thought we'd gone back and caught most of those, but looks like we missed that one... Will go fix now

  21. Anonymous Coward, 5 Jun 2014 @ 6:12am

    Re: Re:

    (I'm the original commenter)

    Thanks for the clarification. I guess I can learn too that things are never black and white. :)

  22. Anonymous Coward, 5 Jun 2014 @ 6:21am

    Thanks for the switch; I appreciate it. Hopefully having relatively high traffic sites like TD forcing SSL will begin to make a difference.

    For debugging purposes: it doesn't appear to have entirely taken yet. According to HTTPS Everywhere, Quantcast and Vimeo are not over ssl and Floor64 is partial. In case it matters for your debugging, I'm running Firefox in private mode, ABP and HTTPS Everywhere.

  23. Dark Helmet (profile), 5 Jun 2014 @ 6:56am

    You son of a bitch....

    "and I hope that Soghoian is busy sending out whiskey bottles (though, no need to send any here, thanks!)."

    This is how you know your boss hates you: he refuses for free the thing you value most in this world....

  24. mcherm (profile), 5 Jun 2014 @ 7:02am

    Thanks

    Just wanted to say, "Thank you" for doing this. I just signed up for "Techdirt Crystal Ball" ($15/year subscription) as a direct result of this choice.

  25. Anonymous Coward, 5 Jun 2014 @ 7:03am

    If only SSL was secure

    We'd like to think it is, but it isn't. Not at all.

  26. Michael, 5 Jun 2014 @ 7:06am

    Re: You son of a bitch....

    Mike is blocking your porn?

  27. Anonymous Coward, 5 Jun 2014 @ 7:25am

    Re: If only SSL was secure

    It is more secure than plaintext, that's for sure. And decrypting traffic uses processing power and if more and more traffic gets encrypted the less it becomes feasible to decrypt all of it.

    It is not to completely prevent surveillance, that is likely impossible, but to make it as hard as possible.

  28. Michael Donnelly (profile), 5 Jun 2014 @ 7:26am

    It's not just about encryption and user privacy.

    It's also about making the NSA work a little harder when they man-in-the-middle techdirt.com as part of some enormous sweep of malcontents and ne'er-do-gooders. It's always fun to make their guys go and hack pieces of Chrome to kill the cert-pinning trick Google came up with.

    You gotta get that DMCA shirt back in stock, though. ;)

  29. Ehud Gavron (profile), 5 Jun 2014 @ 7:40am

    Whiskey vs Whisky

    Matching-Prize:

    I'd like to send you guys two bottles of Whisky. Please advise flavor and address where an over-21-year-old can sign.

    Congratulations on being 100% unencrypted free!

    Ehud
    Tucson AZ

  30. John Fenderson (profile), 5 Jun 2014 @ 8:09am

    Re: If only SSL was secure

    Nothing is "secure" as an absolute. But some things are more secure than others. Using SSL is more secure than not.

  31. who cares (profile), 5 Jun 2014 @ 8:20am

    Re: Re: Not 100% yet

    Firefox shows a grey warning sign. Means that some content that is classed as passive, that is no scripts, is not sent over SSL.
    So some object containing an image, video or audio.
    Also despite white listing your site in Ghostery there are 2 advertisement slots that do not show ads.
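    Comments 3, 14, 20 and 31 between them describe the whole mixed-content problem: an http:// subresource on an https:// page, which browsers block when it is active (scripts, frames, stylesheets) and merely warn about when it is passive (images, media), and which an editorial system can catch before publication. The scanner below is an added example written for this page, not Techdirt's internal alerting code; the tag/attribute classification is the usual browser split, and the sample page uses constructed placeholder hosts.

```python
"""Mixed-content linter for pages that will be served over HTTPS.

Added example, not Techdirt's own alerting code.  It walks the attributes
that pull in subresources, classifies an insecure (http://) reference as
"active" (scripts, frames, stylesheets, plugins: browsers block these on an
HTTPS page) or "passive" (images and media: browsers only show a warning),
and leaves protocol-relative (//host/...), relative and data: URLs alone.
The sample HTML at the bottom is constructed with placeholder hosts.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that reference a subresource, grouped by risk class.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}
CHECKS = {**{k: "active" for k in ACTIVE}, **{k: "passive" for k in PASSIVE}}


def is_insecure(url):
    """True only for an absolute http:// URL; anything else either inherits
    the page's scheme (relative, protocol-relative) or is https/data."""
    return urlsplit(url.strip()).scheme.lower() == "http"


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (risk, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> is only a subresource risk when it loads a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, a), risk in CHECKS.items():
            if t == tag and attrs.get(a) and is_insecure(attrs[a]):
                self.findings.append((risk, tag, attrs[a].strip()))


def scan(html):
    """Return every insecure subresource reference found in the HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def verdict(findings):
    """What a browser does with the page: block active content, warn about
    passive content, or show the plain padlock."""
    risks = {risk for risk, _, _ in findings}
    if "active" in risks:
        return "blocked"
    if "passive" in risks:
        return "warning"
    return "clean"


# Constructed sample page: one legacy ad script and one tracking pixel still
# point at http://; everything else is protocol-relative, relative or https.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.invalid/site.css">
<script src="//ads.example.invalid/loader.js"></script>
<script src="http://ads.example.invalid/legacy.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://tracker.example.invalid/e/ir?o=1" width="1" height="1">
<iframe src="https://video.example.invalid/embed/42"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for risk, tag, url in scan(SAMPLE_HTML):
        print(f"{risk:7} <{tag}> {url}")
    print("verdict:", verdict(scan(SAMPLE_HTML)))
```

Running it over the sample reports the legacy script as active and the pixel as passive, so the page would be both warned about and partly blocked; a protocol-relative URL like the loader script is fine because it follows the page's own scheme, which is why comment 3 singles out non-protocol-relative ad URLs.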

  32. Easily Amused (profile), 5 Jun 2014 @ 8:24am

    Re: Re: You son of a bitch....

    damnit michael you beat me to it...

  33. Anonymous Coward, 5 Jun 2014 @ 8:35am

    Thanks!

    Thank you Mr. Masnick! Any decision to forego/delay income to "do the right thing" is call for praise. ...and thanks for supporting Reset the Net.

    Please consider accepting gift cards from other businesses as an alternative (or in addition to bitcoin). Many gift cards can be purchased with cash and there's no learning curve disincentive as there is with bitcoin (for some).

  34. Anonymous Coward, 5 Jun 2014 @ 8:51am

    Re: Re: Re:

    Just like in computers...

    Everything is black and white... it's just that the big picture contains loads of Zeros and Ones to form what is a big ole gray looking picture... but when you get right down to it... it's all just yes/no, on/off, black/white.

    This is why humans suck so much. Everyone says... look at the bigger picture... guess what... we all spend so damn much time looking at the forest that we didn't see the first tree that started rotting and infecting the rest.

  35. Anonymous Coward, 5 Jun 2014 @ 8:57am

    Thanks for your efforts. Lately techdirt lite no longer working on iPhones instead full desktop version is displayed. Any connection to the SSL implementation?

  36. Anonymous Coward, 5 Jun 2014 @ 8:59am

    If anyone's interested in a convenient way to evaluate the quality of each site's SSL, check out the FF extension SSleuth. It adds a small 1.0 - 10 rating icon in front of the browser's URL and a left-click brings a drop down with a bunch of other relevant cipher-info. I highly recommend this for anyone interested in such things.

  37. Anonymous Coward, 5 Jun 2014 @ 9:12am

    RSS feed still not secure

    The RSS feed is still not available over SSL, so "100%" seems like an overstatement.

    The link in the page header points to https://www.techdirt.com/techdirt_rss.xml , which gives a 302 redirect to the unencrypted http://feeds.feedburner.com/techdirt/feed . Each article link in the RSS feed then points to pages under (the unencrypted) http://feedproxy.google.com/ , which redirect to pages under (the still unencrypted) http://techdirt.feedsportal.com/ , which finally redirect to the actual articles (which, to be fair, are served over HTTPS).
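    The redirect chain described in this comment (an https URL that 302s to http and keeps hopping before landing back on https) is the kind of thing worth checking mechanically, because each http hop exposes the request to an on-path observer even though the first and last URLs look fine. The auditor below is an added example, not code from Techdirt or FeedBurner; it follows Location headers one hop at a time, records every https-to-http downgrade, and is driven here by a constructed response table with placeholder hosts that mirrors the shape of the chain above. The live fetcher at the end uses only the standard library's urllib and is not exercised offline.

```python
"""Redirect-chain auditor: follow Location headers hop by hop and report any
hop where an https:// URL hands the client off to plain http://.

Added example (not the site's or the feed provider's code).  The response
table is constructed with placeholder hosts; plug in live_fetch() to run it
against a real URL.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def audit_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Walk the chain starting at start_url.

    fetch(url) must return (status_code, headers_dict).  Returns
    (hops, downgrades): hops is every URL visited in order, downgrades is a
    list of (from_url, to_url) pairs where the scheme fell from https to http.
    Raises RuntimeError on a loop or an over-long chain.
    """
    hops = [start_url]
    downgrades = []
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            return hops, downgrades
        location = headers.get("Location") or headers.get("location")
        if not location:                       # 3xx without a target: chain ends here
            return hops, downgrades
        nxt = urljoin(url, location)           # Location may be relative (RFC 7231)
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            downgrades.append((url, nxt))
        if nxt in hops:
            raise RuntimeError("redirect loop at %s" % nxt)
        hops.append(nxt)
        url = nxt
    raise RuntimeError("more than %d redirects from %s" % (max_hops, start_url))


# Constructed responses: an https feed URL that redirects to an http feed host,
# and a feed item whose tracking hops stay on http until the final article.
CONSTRUCTED_RESPONSES = {
    "https://news.example/feed.xml":
        (302, {"Location": "http://feeds.example/news/feed"}),
    "http://feeds.example/news/feed":
        (200, {"Content-Type": "application/rss+xml"}),
    "http://feedproxy.example/~r/news/item1":
        (301, {"Location": "http://news.tracker.example/c/item1"}),
    "http://news.tracker.example/c/item1":
        (301, {"Location": "/articles/item1.shtml"}),   # relative Location
    "http://news.tracker.example/articles/item1.shtml":
        (302, {"Location": "https://news.example/articles/item1.shtml"}),
    "https://news.example/articles/item1.shtml":
        (200, {}),
}


def offline_fetch(url):
    return CONSTRUCTED_RESPONSES[url]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib surface the 3xx as an HTTPError instead of
    # silently following it, so the auditor sees every hop.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Fetch one URL without following redirects; returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    for start in ("https://news.example/feed.xml", "http://feedproxy.example/~r/news/item1"):
        hops, downgrades = audit_chain(start, offline_fetch)
        print(" -> ".join(hops))
        for src, dst in downgrades:
            print("  DOWNGRADE:", src, "->", dst)
```

The feed URL case reports one downgrade; the item URL case reports none because it starts on http (there is nothing to downgrade from), which is exactly why the comment's objection is about the first hop: once the client is on http the rest of the chain is observable regardless of where it ends.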

  38. Stuart (profile), 5 Jun 2014 @ 9:21am

    Stuart

    Well done Mike. I am sure you will be working out the kinks with this for a while. Because of this decision I did the $15/mo sign up. Keep up the good work.

  39. Michael, 5 Jun 2014 @ 9:25am

    Can you give us some numbers on the increase in direct support you end up receiving today and in the next few days directly through the store?

    I would be curious to see how much this offsets the ad revenue you end up losing.

  40. Kalvan (profile), 5 Jun 2014 @ 10:05am

    Should I? Does it matter?

    This is almost certainly off-topic, and for that I apologize. If someone can refer me to a good resource in lieu of answering my question, I'd appreciate that.

    Here's my quandary - the sites I run do not collect information on site visitors, and all financial transactions are passed off to PayPal. PayPal handles record keeping as well. No credit card numbers on my site, no personal info.

    The question is, would it help my site visitors if I started running SSL, HSTS & PFS and all the other stuff the reset the net folks suggest? I'm willing to dive down the rabbit hole, just not all that damn eager.

    All the sources I've seen say that in my position, there's no real need. Thoughts?

  41. John Fenderson (profile), 5 Jun 2014 @ 10:21am

    Re: Should I? Does it matter?

    "would it help my site visitors if I started running SSL, HSTS & PFS and all the other stuff the reset the net folks suggest?"

    Yes, it would, for a whole host of reasons. It helps to prevent spoofing, it helps to make the practice standard behavior for all websites, and most importantly: in this age of Big Data, even stuff that used to be innocuous, such as which specific pages are being viewed, the text of comments (even if they don't contain obvious identifiers), etc., is sensitive information that deserves protection.

  42. tomczerniawski, 5 Jun 2014 @ 10:45am

    Uh... hate to rain on the parade, but...

  43. ltlw0lf (profile), 5 Jun 2014 @ 11:02am

    Re: Re: Re: Not 100% yet

    Firefox shows a grey warning sign.

    With ABP (AdBlock+) turned on, everything is working fine. With ABP off, I am also getting errors on passive ads. Thought I turned ABP off for Techdirt, but apparently it was still running.

    Non-encrypted address appears to be http://www.assoc-amazon.com/[..].

  44. Anonymous Coward, 5 Jun 2014 @ 11:21am

    Huh, glad to see it. Bold move.

  45. Anonymous Coward, 5 Jun 2014 @ 12:24pm

    Re:

    And I don't really care that you don't really care

  46. Anonymous Coward, 5 Jun 2014 @ 12:28pm

    Re: Re: Re: Not 100% yet

    Chrome is showing a warning as well. Shows a yellow triangle over the padlock icon in the address bar. When you click it, the dropdown says that "Your connection to www.techdirt.com is encrypted with 128-bit encryption. However, this page includes other resources which are not secure. blah blah blah".

  47. Anonymous Coward, 5 Jun 2014 @ 12:34pm

    As someone who posts from work...

    ...I appreciate the change. I have always dreaded commenting here because my work could see it if they wanted to.

  48. Kalvan (profile), 5 Jun 2014 @ 1:04pm

    Re: Re: Should I? Does it matter?

    Thanks John. I think I was trying to avoid that conclusion. "OH NO - A LEARNING EXPERIENCE!"

  49. John Fenderson (profile), 5 Jun 2014 @ 1:23pm

    Re: Re: Re: Should I? Does it matter?

    Well, if it helps any, your site doesn't sound like the sort that requires some kind of emergency action. You could take your time to do it...

  50. ltlw0lf (profile), 5 Jun 2014 @ 4:30pm

    Re: As someone who posts from work...

    I have always dreaded commenting here because my work could see it if they wanted to.

    Chances are, they still know. Mine certainly does, but then again, they know everything anyway (and I really don't go out of my way to hide it from them.) It isn't like I can hide my Techdirt window whenever my boss comes in when he can just go to Techdirt himself and look up my profile and see everything. Little less of an issue for ACs.

    HTTPS doesn't hide the end-points, only the traffic. Piping it through a VPN or Proxy or via SSH-forwarding through an AWS/Hosting Service host might help as well, though it may raise questions and may be more trouble than it is worth. Depends on why you are hiding your comments from work.

  51. Anonymous Coward, 5 Jun 2014 @ 6:07pm

    Re: As someone who posts from work...

    This interactive from EFF shows who can see what when you use https (and/or Tor).

  52. Anonymous Coward, 5 Jun 2014 @ 10:07pm

    Great! :)

  53. Anonymous Coward, 5 Jun 2014 @ 10:16pm

    Good job, but...

    ...but FYI, something about the new setup is absolutely destroying page load times for Chrome on iPad (with the Google magic compression setting on, that routes http through their cache/compression). We're talking worse than 20 seconds sometimes...

    No problems with Safari on the same device, so this should be a "it's a slow day, maybe I should look at that old problem" kind of thing... It's probably something for Google to fix...

  54. Anonymous Coward, 6 Jun 2014 @ 1:59am

    Re: Re: Re: Re: Not 100% yet

    Confirmed here too, Firefox showing partially encrypted, only thing I can find that is causing that is a 1x1 image from http://www.assoc-amazon.com/e/ir?o=1&t=techdirtcom-20&l=wey

  55. Anonymous Coward, 6 Jun 2014 @ 4:14am

    Re: Should I? Does it matter?

    One mistake many people seem to make is to think SSL is just encryption. It's not. It's also authentication.

    Look up "watering hole attacks". Even if your site is innocuous, it might be the target of an exploit injection attack. Making it HTTPS-only makes it harder to pull that kind of attack (they'd have to hack your server, which risks leaving traces, instead of doing a simpler MITM somewhere).

    So yeah, it's worth it. Start small - leave more complex things like HSTS for last.
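    Comments 40, 41 and 55 leave HSTS as the "complex thing" to do last without saying what makes it easy to get wrong. The checker below is an added example, not from the page or any project it mentions; it parses a Strict-Transport-Security header as RFC 6797 defines it (case-insensitive directive names, mandatory max-age, and a policy that browsers ignore when it arrives over plain http), and applies the preload-list operators' requirement of includeSubDomains plus a max-age of at least one year. The sample headers are constructed.

```python
"""Strict-Transport-Security (HSTS) header review, per RFC 6797.

Added example, not code from the page.  check_hsts() returns the list of
problems a deployment review would flag for one response; an empty list
means the policy is sound.  All sample headers here are constructed.
"""
ONE_YEAR = 31536000      # seconds; the minimum max-age the preload list accepts


def parse_hsts(value):
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300', ...}.

    Directive names are case-insensitive (RFC 6797 section 6.1); values may
    be quoted.  Unknown directives are kept so a reviewer can see them.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(scheme, headers):
    """scheme: scheme of the URL the response came from ('http'/'https');
    headers: dict of response headers (any case).  Returns issue strings."""
    issues = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    if scheme != "https":
        # RFC 6797 section 8.1: a UA MUST ignore HSTS received over an
        # insecure transport, so an http-only deployment protects nobody.
        issues.append("HSTS sent over http: browsers ignore it there")
    d = parse_hsts(value)
    age = None
    if "max-age" not in d:
        issues.append("max-age directive missing (header is invalid)")
    else:
        try:
            age = int(d["max-age"])
        except ValueError:
            issues.append("max-age is not an integer")
        if age is not None:
            if age == 0:
                issues.append("max-age=0 disables the policy")
            elif age < ONE_YEAR:
                issues.append("max-age below one year (%d s)" % age)
    if "includesubdomains" not in d:
        issues.append("includeSubDomains absent: subdomains stay reachable over http")
    if "preload" in d and ("includesubdomains" not in d or (age or 0) < ONE_YEAR):
        issues.append("preload requested without includeSubDomains and a one-year max-age")
    return issues


# Constructed sample responses a reviewer might see during a rollout.
SAMPLES = {
    "sound":     ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "staged":    ("https", {"strict-transport-security": "max-age=300"}),
    "http-only": ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
    "disabled":  ("https", {"Strict-Transport-Security": "max-age=0"}),
    "missing":   ("https", {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for name, (scheme, headers) in SAMPLES.items():
        print(name, "->", check_hsts(scheme, headers) or ["ok"])
```

The "staged" sample is the sensible first step comment 55 hints at: a short max-age limits the damage if a subdomain turns out not to be ready for https, and the checker reports it as a gap to close rather than an error; max-age=0 is the documented way to withdraw a policy and is flagged so it does not linger by accident.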

  56. Anonymous Coward, 6 Jun 2014 @ 4:18am

    Re: As someone who posts from work...

    Just make sure your work isn't doing MITM on the SSL connections (some places do it by installing a special trusted certificate on all of their machines).

  57. DaveK (profile), 6 Jun 2014 @ 5:37am

    Re: Hostname mismatch warning

    I'm seeing the same for postrelease.com content getting served up with an akamai cert. Would be nice if this could be fixed.

  58. TwelveBaud (profile), 2 Mar 2015 @ 7:56am

    SHA-1

    It's time to ask CloudFlare to rekey your SSL certificate. Your private key uses the SHA-1 algorithm which, though not insecure yet, is on a steep deprecation path. Last October Chrome started marking such sites with a yellow alert symbol (similar to that used when loading JS from an insecure site), and in February Firefox followed suit. The cert is set to expire on Oct 15, which -- even if it wasn't expiring -- is the last day Firefox, Chrome, Safari, or Opera would connect at all, with IE blocking access the following year.

    New certificates use SHA-2, which is based on a similar algorithm but uses much longer key fingerprints, and is therefore much harder to break.
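    The deprecation described in this comment is decided by the signature algorithm recorded in the certificate itself, which sits as the second element of the DER-encoded Certificate structure (after tbsCertificate, before signatureValue). The reader below is an added example written for this page, not code from CloudFlare or any library: a minimal DER walker that pulls out that algorithm's OID and maps it to a name. The certificates it is run on are constructed here with a stub tbsCertificate so the check runs offline; a real PEM certificate can be converted with the standard library's ssl.PEM_cert_to_DER_cert() and passed to the same function.

```python
"""Read the signature algorithm out of an X.509 certificate's DER encoding.

Added example; the DER walker is written for illustration, not taken from a
library.  constructed_cert() builds a minimal Certificate-shaped structure
(stub tbsCertificate, real signatureAlgorithm, dummy signatureValue) so the
parser can be exercised offline.  For a real certificate, pass
ssl.PEM_cert_to_DER_cert(pem_text) to assess().
"""
import ssl  # noqa: F401  (ssl.PEM_cert_to_DER_cert converts a real PEM cert)

SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
MODERN_SIGNATURE_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                         "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
                         "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
                         "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def decode_oid(raw):
    """Base-128 OID content octets -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280 4.1)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    parts = list(children(body))
    if len(parts) != 3:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signatureValue")
    alg_tag, alg_body = parts[1]
    oid_tag, oid_raw = next(children(alg_body))
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid_raw)


def assess(der):
    """('deprecated' | 'ok' | 'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm(der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "deprecated", SHA1_SIGNATURE_OIDS[oid]
    if oid in MODERN_SIGNATURE_OIDS:
        return "ok", MODERN_SIGNATURE_OIDS[oid]
    return "unknown", oid


# --- constructed sample certificates (DER encoder for the pieces we need) ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Certificate-shaped DER with a stub TBS; only signatureAlgorithm is real."""
    tbs = der(0x30, der(0x02, b"\x01"))                       # stub, not a real tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))   # AlgorithmIdentifier
    sig = der(0x03, b"\x00" + bytes(8))                      # dummy BIT STRING
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(oid, "->", assess(constructed_cert(oid)))
```

A SHA-1 finding from assess() is what the browser schedule in the comment keys on; the fix is a reissued certificate with a SHA-2 signature, which is a property of the certificate the CA signs, so the same key pair can be kept or rotated as the operator prefers.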
