2017: The year of browser certificate warnings?

With the world rapidly moving towards a “HTTPS by default” approach, Mozilla reporting over 48% of webpages in Firefox being loaded via HTTPS and Google now serving 85% of their traffic over HTTPS the web is undoubtedly becoming more secure for transport (in one way and does not necessarily mean more secure overall), however it’s looking likely to be a rougher road to HTTPS than it’s been in the past.

Starting January 2017 (or whenever Chrome 56/Firefox 51 rolls): Part 1

Users in Chrome and Firefox will start to see sites using WoSign and StartCom Certificates getting Certificate Warnings as Google moves to distrust the organisations issues certificates in response to “WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements” and attempting to “mislead the browser community”. Firefox is also following the same process

Starting January 2017 (or whenever Chrome 56/Chrome 51 rolls): Part 2

Continue reading “2017: The year of browser certificate warnings?”

Why all organisations should provide (and all consumers should demand) HTTPS applications

Security has been a hot topic for many years and when talking with customers about a multi-layer security design we are often recommending TLS (Transport Layer Security) as one of the basic components. This is often followed by more detailed questions about the benefits, costs and implementation compared with other, more discussed components which are front of mind for CSOs/CTOs. Below are some of the most common reasons for and myths against deploying TLS for your environments.

Pro: Performance and SEO benefits

Google has long said that speed is a ranking factor but did you know they are now using HTTPS as a ranking signal? As part of your Search Engine Optimisation strategy, why not add an easy additional boost to your environment using HTTPS, which gives the two fold benefit of ranking increase for simply using HTTPS but also a potentially significant increase for performance and reduce the time needed to load your pages via the use of HTTP/2. You can compare this using various tools.

Pros: Encryption and Authentication of your site

HTTPS when used correctly allows all website content to be securely encrypted in transit, meaning any malicious network devices between the user and the secure hosting environment supporting the website or application cannot access your data “on the wire”, helping to keep information such as Usernames/Passwords/Emails secure and private. In addition it allows authentication of the website/application to the end user, allowing them to identify that the site they are visiting is not being spoofed or maliciously edited (such as by rogue Wi-Fi network hotspots inserting advertising or malicious redirection).

Continue reading “Why all organisations should provide (and all consumers should demand) HTTPS applications”

Using HAR and Waterfall graph analysis to improve site load times

2015With site loading times so critical for conversion of visitors to purchases and its use by Google as a signal in their search rankings, understanding the exact performance of your site for users and the reasons for that performance can be very important to not just the popularity of your site, but also the revenue of your business.

If your business involves online retail or eCommerce, then you should be used to investing in areas such as A/B testing to determine what changes improve your conversion rates and you may be aware of the effect of performance on users in general, but from experience the amount of organisations who have a tight focus on performance when building their site is pretty small.

There are many tools that are available to test the performance of your site for users:

Continue reading “Using HAR and Waterfall graph analysis to improve site load times”

CDN implementation considerations

Content Delivery Networks (CDNs) are often considered to be a solution to multiple problems, but it is very important to consider the problem(s) that you are looking to solve for when determining whether, when and where to use one.

CDN overview

CDN companies run multiple servers in multiple geographic locations with plentiful and high quality networking connections and compute resources. These can, depending on the company and their business model, run into the hundreds of thousands of servers, in hundreds of locations, with multiple Terabits (1,000 Gigabits) of connectivity. Typically CDNs aim to provide value to their customers in multiple ways, which depending on their feature focus may include a range of:

Continue reading “CDN implementation considerations”

nginx SSL best practice including PFS and OCSP

nginx enables many additional features over Apache’s httpd server, which allows a much more secure SSL configuration, enabling features such as Perfect Forward Secrecy (PFS) which cannot be enabled using default Apache installs from repository.

Below is a guide on how to enable a very secure SSL configuration for your nginx server, including using Diffie–Hellman for key exchange, enabling Online Certificate Status Protocol (OCSP) features and making use of higher security ciphers and protocols only.

Continue reading “nginx SSL best practice including PFS and OCSP”