We Finally Have Security

Posted by on 21st Nov 2018

After much hassle, this site now allows you to connect via HTTPS. I did this more as a cosmetic change than out of an actual need to secure any data. Now that the green lock is present, we can all feel safer.

Adding TLS support is cosmetic for everyone reading because you are not sending sensitive data to my server, nor am I sending any to you. In my mind, not every site needs to be transmitted over TLS, and it is a bit of unnecessary overhead for a static website that has no interaction from the visitors.

The only benefit to serving a flat file or static website over HTTPS is making search engines happy. I believe search engines expect that now and may not rank a page without using TLS. Not that this site needs ranking, but I won't turn down a top rank if it happens one day.

What is TLS/HTTPS

TLS (and SSL before it) uses symmetric cryptography, which is a fancy way to say that both your web browser and the website share a secret used to send encrypted data back and forth. When your web browser and this site make contact, they share a "secret."

This secret is used when encrypting and decrypting the information from each other. Also at this time, the two agree on what encryption algorithm to use, such as AES. Sending encrypted data instead of plain text allows for sensitive data to remain private even if someone is snooping on internet traffic (a trivially easy task).

For the technical details of TLS, read "The Transport Layer Security (TLS) Protocol, Version 1.2".

Why not use HTTPS from the start?

The short answer is because it was not as intuitive as it was in the past. I am using a shared hosting plan from NameCheap with cPanel. I'm used to bare metal servers or routing my domains through CloudFlare. Since the SSH access to my shared host is limited in what I can do, and I need to use their DNS for routing a domain to a specific folder, I found myself tripping over every step.

On top of needing to get the cert stuff worked out, I was blogging, figuring out a new CMS, researching a web-based CMS, running a podcast, and working a full-time job. Sometimes the time just slips away (I'm looking at you, YouTube...).

But hey, at least the cert was free!

Grav Admin Should Use TLS

Using TLS is good for me though, since I changed my flat-file CMS from Publii to Grav. I chose to move to Grav because I wanted the ability to post and update my site from anywhere, not just my desktop. However, I would not recommend Grav to most people looking to spin up a blog. That is where Publii shines: it's super easy to use. Grav has a lot to learn with it, but I love it and the new ideas I get to learn while using the CMS.

The reason the move to TLS is good for a Grav-based site is the use of the admin plugin. This plugin gives web-based access to make edits to the site instead of needing to do everything in the terminal. That is what I needed, because by using a shared host I am limited in what I can do over SSH. I can't install anything, and the tools I need to edit my new Grav site via the terminal do not come preinstalled. I'm talking everyday things like Git.
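Allowing HTTPS is not the same as requiring it: if the admin login page still answers over plain HTTP, the password and session cookie can travel unencrypted. The fragment below is an added example, not the author's own configuration. It assumes Grav's site-wide settings file at `user/config/system.yaml` and uses Grav's `force_ssl` and `session` options.

```yaml
# user/config/system.yaml (assumed location of the site-wide Grav settings)

# Redirect any request that arrives over plain HTTP to HTTPS,
# so the admin login form is never served or submitted unencrypted.
# Grav ships with this set to false.
force_ssl: true

session:
  # Mark the session cookie Secure so the browser only sends it over HTTPS.
  # Grav ships with this set to false.
  secure: true
  # Keep the session cookie out of reach of page JavaScript.
  httponly: true
```

After changing these values, request the admin URL with `http://` and confirm that it redirects to `https://` before the login form is shown.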

The theme of the admin portal is epic though.