HTTPS review #40
Sure, here's some feedback!
^ I would also emphasize that any node between the user's browser and server has access. That can include the user's home router, any load balancer the traffic might run through on the way, and other random devices. At least emphasizing the home router part is helpful, since those are frequently compromised devices.
I strongly encourage you to refer to it as TLS throughout instead. SSL is a dead protocol, and the term is only used by people who are trying to sell you something. (Fun fact: Let's Encrypt never uses the term.) I go out of my way to only use "TLS".
It might be wise to hedge on this. No one's yet been able to isolate the effect that HTTPS actually has on search rankings in Google, and no other search engine has said that HTTPS has an impact yet. I don't think Google is lying, but it seems to currently be weak enough (more of a tiebreaker, perhaps) that you may risk setting mismatched expectations by including this as definitive.
I would go so far as to make the point that Do Not Track can't guarantee anything without HTTPS. The server might try to respect the user's wishes not to be tracked, but the computers in between may track the user anyway. A malicious network could even strip the Do Not Track header from the request.
It's worth noting that this only applies to ELBs and CloudFront distributions, as far as I can recall. I do not believe you can get Amazon certificates for e.g. an EC2 instance, so it's not totally correct to say that it's useful if you are "using Amazon Web Services". Amazon does let you get wildcard certificates (for free), which Let's Encrypt does not.
SSLMate also supplies wildcard certificates to a general audience (for money), which Let's Encrypt does not. Let's Encrypt, Amazon Certificate Manager, and SSLMate each have differentiating features from each other that make them more suitable for different situations.
I would add a recommendation for SSL Labs, which does an excellent report.
I would jump right from redirecting to HSTS, rather than put the Mixed Content section between them.
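The redirect-then-HSTS ordering recommended above, as an added example that is not part of this thread or the book draft: a small checker that walks a constructed http-to-https redirect chain and verifies that the plain-http hop redirects permanently to https and that the final https response carries a usable Strict-Transport-Security header (hostname, header values and the 180-day max-age floor are assumptions).

```python
from urllib.parse import urlsplit

# Constructed sample: the hops a browser sees on its first request to
# http://example.test/ (assumed hostname) from a correctly configured site.
SAMPLE_HOPS = [
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_https_deployment(hops, min_max_age=15552000):
    """Return a list of findings for a chain starting at an http:// URL.

    hops is a list of (url, status, headers). An empty list means the
    redirect and HSTS setup looks right; min_max_age defaults to 180 days,
    an assumed floor chosen here rather than a standard."""
    findings = []
    for url, status, headers in hops[:-1]:
        if urlsplit(url).scheme == "http":
            if status not in (301, 308):
                findings.append(f"http hop not permanently redirected (got {status})")
            if urlsplit(headers.get("Location", "")).scheme != "https":
                findings.append("redirect target is not https")
            if "Strict-Transport-Security" in headers:
                # Browsers ignore HSTS received over plain http (RFC 6797).
                findings.append("HSTS on a plain-http response is ignored by browsers")
    final_url, _, final_headers = hops[-1]
    if urlsplit(final_url).scheme != "https":
        return findings + ["chain does not end on https"]
    hsts = final_headers.get("Strict-Transport-Security")
    if hsts is None:
        return findings + ["HSTS header missing on https response"]
    directives = parse_hsts(hsts)
    max_age = int(directives["max-age"]) if directives.get("max-age", "").isdigit() else 0
    if max_age < min_max_age:
        findings.append(f"HSTS max-age too low: {max_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings
```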
These are all fantastic suggestions @konklone! Thank you so much for the thorough (and quick!) review.
@konklone If you're interested the initial draft of the HTTPS chapter is done: https://github.com/ascott1/ethical-web-dev/blob/master/web-apps-privacy-security/03-https.md
I haven't gone back and read it yet, so it likely still has a number of typos, errors, and areas that will need to be fleshed out. However, I'd love your thoughts and feedback if you have a chance.