Mostly Harmless

Why not use SSL and be done with it?

On the Internet there has been talk about Google and SSL-based web sites. Apparently you may get a small boost if you switch to https. I myself doubt that (I’m jaded that way), and the additional SSL math will slow down busy sites a little. But I don’t really get enough traffic to care, and I do like to play. This seems easy enough to do.

I Like Server Based Solutions and I Cannot Lie

I use WordPress multisite and on my web server I have a valid SSL certificate installed. I’m already using Apache’s mod_substitute to modify https://blog.dembowski.net/ to https: before it gets sent to the browser for my SSL site.

Why not switch to SSL and be done with it? I could have used a tool to change all the WordPress database references to https, but I’m running multisite and I wanted to be a little more site specific, so I added this to my .htaccess file above the WordPress part but below the “Get Lost, I don’t like you” part.


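<IfModule mod_rewrite.c>
RewriteEngine on
# Apply only to this site; the pattern is anchored and the dots escaped so
# other multisite hosts are left alone
RewriteCond %{HTTP_HOST} ^blog\.dembowski\.net(:80)?$ [NC]
# Only plain-HTTP requests, so HTTPS requests do not loop
RewriteCond %{SERVER_PORT} ^80$
# Permanent redirect to the same path on the HTTPS site
RewriteRule ^(.*)$ https://blog.dembowski.net/$1 [R=301,L]
</IfModule>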

So far it hasn’t broken anything and is limited to this one site and not the other sites. I’ll keep an eye on it but there’s no reason for me not to leave it that way. I like server-based solutions, but for other people an HTTPS plugin may be an easier way to go.
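The following is an added example, not part of the original post: a Python emulation of how mod_rewrite evaluates the two RewriteCond tests and the RewriteRule, comparing unanchored condition patterns with anchored ones. The sample requests, the sibling host name, the other host and the alternate port are constructed for illustration.

```python
import re

# Constructed emulation of the two RewriteCond tests plus the RewriteRule.
# mod_rewrite condition patterns are unanchored regexes: they match anywhere
# in the test string unless ^ and $ are written out.
LOOSE = {"host": r"blog.dembowski.net", "port": r"80"}
STRICT = {"host": r"^blog\.dembowski\.net(:80)?$", "port": r"^80$"}
TARGET = "https://blog.dembowski.net/"


def evaluate(patterns, host, port, path):
    """Return the 301 Location the rule set would send, or None for no redirect."""
    # RewriteCond %{HTTP_HOST} ... [NC]  -> case-insensitive search
    if not re.search(patterns["host"], host, re.IGNORECASE):
        return None
    # RewriteCond %{SERVER_PORT} ...     -> conditions are ANDed
    if not re.search(patterns["port"], str(port)):
        return None
    # RewriteRule ^(.*)$ in .htaccess sees the path without its leading slash
    captured = re.match(r"^(.*)$", path.lstrip("/")).group(1)
    return TARGET + captured


# Constructed requests: (Host header, server port, request path)
SAMPLES = [
    ("blog.dembowski.net", 80, "/2014/08/post/"),   # the site itself over HTTP
    ("BLOG.DEMBOWSKI.NET", 80, "/"),                # [NC] makes case irrelevant
    ("blog.dembowski.net", 443, "/2014/08/post/"),  # already HTTPS: no loop
    ("other.example", 80, "/"),                     # another multisite host
    ("myblog.dembowski.net", 80, "/about/"),        # hypothetical sibling site
    ("blog.dembowski.net", 8080, "/"),              # hypothetical alternate port
]


def report():
    """Evaluate every sample under both pattern sets."""
    return [(host, port,
             evaluate(LOOSE, host, port, path),
             evaluate(STRICT, host, port, path))
            for host, port, path in SAMPLES]


if __name__ == "__main__":
    for host, port, loose, strict in report():
        print(f"{host}:{port:<5} loose={loose} strict={strict}")
```

With the unanchored patterns the sibling host and port 8080 are both redirected to this site; with the anchored patterns only plain-HTTP requests for this exact host are.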

The only downside is that I will need to maintain my SSL certificate but I plan to do that anyway.

So this means I wear a tin foil hat?

Not really, but it does mean that in most cases people visiting my site will get the traffic encrypted between my site and their browsers.

*Adjusts Tin Foil Hat™ and skips conversation about SSL transactions and man in the middle interception*

It’s more a concern that someone will have some key logger or other hack installed on their machine.

Sniffing unencrypted data on the Internet is easy. Doing so for encrypted SSL traffic is more difficult. It would require the Bad Guy or Spook to have access to the private certificate issued by the certificate authority, or to exploit a server bug and harvest the SSL private certificate from the web server. That would never happen, right…?

If you’re interested in how it all works, then start with this Wikipedia article on TLS. This Digicert article is good too and may be easier reading. In the meantime, anyone coming to my site will get redirected to the SSL-based version.
