As part of today’s admin track at WordCamp San Diego, I delivered a talk titled “Getting Started with SSL.” My intent was to demystify the terminology and process involved with securely delivering traffic. I described my talk this way:
Revelations like Edward Snowden’s about NSA spying, and Google’s announcement that it will begin considering a site’s HTTPS status in its rankings, led to a lot of talk about moving websites to secure connections. Similarly, the rise in ecommerce, and the simplicity with which one can accept payments online, has increased the need for sites to be available securely. With so much terminology that’s likely new, often very similar, and rarely more than a stream of initialisms, this entire discussion can be very intimidating. I’ll clarify basic terminology, offer some reasons why it’s worthwhile to secure a site whenever possible, and share several solutions to cover everything from simple to enterprise needs.
While securing a site can be intimidating at first, the recent introduction of Let’s Encrypt (https://letsencrypt.org/) significantly simplifies the process for most sites. Many hosts have introduced support for this service, which I’ll discuss before delving into options for sites and circumstances that aren’t suited to Let’s Encrypt.
The slides from my talk are embedded below:
The slides are also available at https://slides.e15r.co/wcsd-getting-started-ssl/.
Additionally, here are several resources that I shared during the talk:
- SSL test from Qualys: https://www.ssllabs.com/ssltest/index.html
- Command-line SSL tests: https://testssl.sh/
- Common SSL command-line interactions: https://www.sslshopper.com/article-most-common-openssl-commands.html
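To accompany the command-line resources above, here is a small POSIX shell script (an added example, not code from the talk or from the linked resources) that exercises a few of the openssl certificate checks a site owner runs most often: summarizing a certificate, taking its SHA-256 fingerprint, testing whether it will still be valid N days from now, and verifying it against a trust anchor. So that it runs offline, it generates its own throwaway self-signed certificate; the hostname `example.test`, the temporary file paths, and the function names are all assumptions made for this example. The `remote_cert` helper shows the equivalent fetch against a live host but is not invoked.

```shell
#!/bin/sh
# Added example, not from the original post: common openssl certificate
# checks, run offline against a throwaway self-signed certificate that is
# generated here (constructed test input, not a real site's certificate).
set -eu

WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/example.crt"
KEY="$WORKDIR/example.key"

# Create a self-signed certificate valid for 30 days. The hostname
# example.test is a placeholder for this example only.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=example.test" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Print subject, issuer and validity window: the parts of
# `openssl x509 -text` you usually want when checking what a host serves.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# SHA-256 fingerprint, the value to compare when confirming that the
# certificate a server presents is the one you actually issued.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds (exit 0) only if the certificate is still valid N days from now.
# -checkend does the date arithmetic inside openssl, so this works the same
# on GNU and BSD systems; it is the core of a cheap expiry monitor.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Confirm that a certificate chains to the given trust anchor. For a
# self-signed certificate the anchor is the certificate itself; for a real
# site you would omit -CAfile and rely on the system trust store.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Fetch the leaf certificate a live host presents (needs network, so it is
# not called below). -servername sends SNI, which matters on shared hosting
# where several sites share one IP address.
remote_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

make_test_cert
cert_summary "$CERT"
echo "fingerprint: $(cert_fingerprint "$CERT")"
if valid_for_days "$CERT" 14; then
  echo "ok: more than 14 days of validity left"
else
  echo "warning: certificate expires within 14 days"
fi
```

Pointing `valid_for_days` at a deployed certificate (or at the output of `remote_cert` saved to a file) from a daily cron job, and alerting on a non-zero exit, is all that an expiry monitor needs; the SHA-256 fingerprint is the same value that pinning-related checks compare against.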
Lastly, I’ve written several posts about SSL and my experience securing this site:
- Automatically renewing a lot of Let’s Encrypt certificates
- Ensuring encrypted web traffic with Strict Transport Security headers (HSTS)
- Creating Public Key Pinning headers (HPKP)
- Economically monitoring SSL certificate expiration
- External tools for checking my configurations
- nginx header inconsistency, aka setting headers all the way down
For everything I’ve written on the subject, check out http://ethitter.com/tag/ssl/.