Implementing HTTPS

For whatever reason, at this time of year I always do some kind of major redesign work on this website. I think focusing on this as a little project helps me stave off the winter blues.

I always start off with good intentions of rebuilding the theme from scratch. But inevitably I end up re-using chunks of what came before. Each time I promise myself that next year is the year I do it properly.

My main aim was to sharpen up the look, with a focus on accessibility. So text on top of hero images is gone, and so is the wispy 300 weight font. It’s still a bit of a work in progress, but it’s far enough along for me to be happy to launch it.

I made some significant changes behind the scenes too, most of which are mainly for my own peace of mind.

Most importantly, I have implemented SSL so that the website is now served over HTTPS. In layman’s terms, that means that the data you send and receive from this website is encrypted, so it’s more secure.

You might be wondering why a personal blog like this would need to be so secure. So did I at first.

But increasingly, HTTPS is being seen as essential for all websites. So much so that in 2017 Google and browser vendors are going to start warning users about websites that do not have HTTPS in place.

Google has explained why HTTPS is so important for all websites, not just those handling sensitive data.

Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML … they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.

Since reading that article, I have fully intended to implement HTTPS. But I delayed it, fearing that it would be a complex project that would suck up hours of my scarce spare time.

When it came to actually doing it, I found that adding an SSL certificate and switching to HTTPS was ridiculously easy. It was a ten-minute job. I needn’t have worried at all.

Getting an SSL certificate is no longer the expensive exercise it once was. Thanks to Let’s Encrypt, an open initiative backed by some of the industry’s leading players, it is now possible to encrypt your website for free.

I was able to install the certificates across all my websites via my web hosting provider.

Then I made a few tweaks to my WordPress theme and used a plugin to redirect all traffic to HTTPS.

Next, I was worried about mixed content. Most web browsers will not display any content (such as images) inserted using HTTP on a page that is itself served over HTTPS. The implication for users is that vital elements can sometimes not be loaded, without the user necessarily knowing why.

However, these problems have not emerged on my website as far as I have seen. No doubt there are some hard-coded elements in some older blog posts that are problematic. But I haven’t come across any issues yet.

If you are thinking about implementing HTTPS, but like me you were nervous, my experience would suggest that you have nothing to worry about. The exercise was much quicker and easier than I was anticipating.

Now that I have HTTPS in place, I hope to spend some time in 2017 exploring service workers and progressive web apps. The potential of service workers for the web seems huge.

Again, you may wonder why a blog would benefit from using service workers. But then again, why not make it available offline? We’re about to live in the future. ⚡


Also published on Medium.
