My goal is to get my code accessible by anyone on the internet, yet prevent anyone else from knowing who visited my site, or seeing any data in transit from them to my server. I hope I can also prevent my visitors’ data from being saved on my server, or prevent my own server, with possibly their data on it, from getting hacked.
Will HTTPS get me there?
Ostensibly, yes. From my understanding, HTTPS is the first major step to prevent bad actors from eavesdropping, tampering, and message forgery on my site.
To be honest, I don’t yet how “safe” HTTPs really is. Can I, the owner of the server, see who is visiting my HTTPS site? How can I not do this? How can I prevent others from hacking my server?
Along these lines, I’ve read that people can modify HTTPS’ security parameters to their liking, which seems to defeat the purpose of consistent and safe browsing on the internet. Maybe it’s not as much modification as it first sounds like. But I need to find out what kinds of security parameters I will add to my site.
Generally, though, HTTPS is the accepted standard. Even Google Chrome wants me to know which sites are secure or not. Interestingly, my WordPress editing page is not secure.
So, what is HTTP?
HTTP is a protocol that sends data between a visitor’s browser and a website. (HTTPS stands for Hyper Text Transfer Protocol). HTTP fetches resources to show on your browser when you visit sites.
And what is HTTPS?
Adding an S on the end signifies the protocol is secure (Hyper Text Transfer Protocol Secure).
HTTPS is secure because it uses additional protocols, most commonly TLS (Transfer Layer Security), to apply encryption to the client’s data.
What is TLS?
TLS offers authentication, encryption, and integrity. It confirms the identity of the server and user. It encrypts any data passed back and forth. And it ensures the data is not lost along the way.
How does HTTPS/TLS check for identity?
HTTPS/TLS helps your browser check a website’s server’s digital certificate to see if it was issued by a trusted organization (important because otherwise anyone can create a certificate claiming to be whatever website they want).
The certificate is used to confirm identity. Specifically, a digital certificate is a data file that links a private cryptographic key to an organization.
You’re Not Done
To modify your server’s configuration of TLS, Mozilla recommends using newest cryptographic tools available for the browsers you want to connect to your site. There are basically three options, each allowing you to work with older and older browsers if needed.
Once you use a configurator tool like Mozilla’s to find a TLS set up that’s best for your visitors, it looks like you enter the provided TLS text inside an appropriate file on your server and restart the server. You need to review the new TLS text in your file to add correct domain names.
How to Actually Build a Site with HTTPS
The ‘Moving to HTTPS Guide‘ is a good overview & how-to for switching over. … Or at least the Mozilla Foundation recommends it, and I trust Mozilla!
You can find the actual configuration options and associated code at Mozilla’s configurator tool here.
I’m unclear if using CertBot’s command-line level application to get a HTTPS key and certificate removes the need to use Mozilla’s TLS configurator tool above? Or do I also need the TLS protocol text provided by Mozilla?
Steps I Need to Take
I started a guide for myself here.
References and More Reading
Cookies – I don’t need cookies since my visitors won’t be logging in and want anything saved for later (requires cookies to remember state information for the stateless HTTP protocol), and I don’t want to save or analyze my visitors behavior.
Web Analytics – Do I want to know how many people visit the site? Can I accomplish this without google analytics?