If you are a regular visitor, you may have noticed that there is (or should be!) a small green padlock in your browser’s address bar, signifying that I’ve got round to enabling TLS (or SSL, but technically that refers to deprecated versions) for this website.
Why enable encrypted connections for a basic website such as this? I’m not storing personal details or transmitting credit card information, so do I really need the extra security? Here are a few reasons which helped convince me:
- I do submit some sensitive data on this site, most obviously on the login page, and that shouldn’t be transmitted in the clear.
- Because TLS checks to make sure that the certificate matches the site you’re connecting to, you can be more confident that when you type www.phpdeveloper.org.uk you will reach this site (this mechanism isn’t perfect, as it relies on certificate authorities checking that someone ‘owns’ a domain before issuing a certificate).
- Using encryption makes it harder for someone to snoop on your browsing traffic — particularly the content of pages you visit. You might think this isn’t that important, as I live in a democratic country, but our government is currently trying to pass a piece of legislation known as the Investigatory Powers Bill, which will allow various organisations access to your browsing history.
- Google is starting to use HTTPS as a ranking signal, so this potentially boosts my ranking in search results. It’s only a small signal at the moment, but Google have stated that they may increase its importance over time.
Obtaining the certificate was easy, now that LetsEncrypt is out of beta and I’ve got round to writing a script to work with its DNS challenges. I also had to tweak a few settings in Apache and replace all the HTTP URLs with HTTPS equivalents in WordPress. Early next week I will post all the technical details for those who are interested.