Let's encrypt, indeed
Today I finally tackled a problem that's been irritating us for a very long time.
Jill and I have off-and-on used a shared wiki of our household stuff
for several years now. For quick-and-dirty security when I set it up,
I put it on its own subdomain, told the web server usernames and
passwords for each of us for that domain, and turned on the switch
that meant you access the site with the https
prefix instead of
http
. It was great!
If you know a little bit about web sites, then a red flag just went up for you. That setup is busted — the HTTPS setup is for careful authentication that there's no interference with a secure connection between the browser and the server, and requires a cryptographically-signed certificate (not a cheap thing) from one of a small number of trusted third-party suppliers. Otherwise, it's not really trustworthy, and your browser will show a red, open padlock with a line through it next to the URL instead of a nice happy secured green padlock!
But we didn't care. It's hardly some high-finance site needing bullet-proof security; we don't store passwords or credit card numbers there. It was secure enough for what we needed.
Fast-forward a few years: there's Great Concern that web site administrators are misconfiguring their secure sites, letting customers' data fall into criminal hands. The people behind the browsers we've settled on using share that concern…and react by making it lousy to use sites that have an imperfect HTTPS setup. Now I know that it's a Good Thing for Society, but it's really a pain in the ass as far as using our family wiki goes. The browser won't store our passwords anymore, so using the wiki gets much less convenient, and we really stopped using it.
Fast-forward a few more years: now, there's Great Concern that it's too hard and too expensive for small web site operators to configure HTTPS on their sites. Finally, some Great Concern that might make things easier! I had a little time today so decided to look at the options. It did take more than a little time, more like a few hours, but I might actually have brought it to the point where it will just work: I've sent my web hosting service the certificate and details, and hope to hear good news from them soon.
When it does all work I'll write up my notes and post a how-to article, but in the meantime here are pointers to two relevant sites.
- First, there's now a certificate authority Let's Encrypt that offers free keys: their user manual.
- Second, the instructions from my web hosting service Web Faction on Secure Sites via HTTPS.