Miskatonic University Press

HTTPS and HSTS

privacy unix

This web site now works with HTTPS! I’ve been meaning to do this for a while, and today, the day to Reset the Net, was the perfect time to do it.

I signed up at StartSSL, which offers free one-year certificates (Ars Technica’s Taking e-mail back, part 2: Arming your server with Postfix and Dovecot explains all the steps nicely) and got a cert for www.miskatonic.org.

I put the private and public keys up on the shared server at Pair.com and the very good tech support people there got things in place. (I realize I have a private key on an American hosting provider, but it’s all I can do right now, and if the spy agencies can still watch us, at least it messes them up a bit, and it means our browsing is completely private to anyone else.) HTTPS worked right away. But that’s not enough—HTTP could still be used, and I wanted that off.

To make sure HTTPS was always used, I followed a link on Reset the Net’s How we secure the web (HTTPS, HSTS & PFS) to Mikkel Høgh’s Protecting your users from phishing with Apache rules and HSTS. I just had to add these lines into my .htaccess:

# HSTS
# See http://mikkel.hoegh.org/blog/2010/09/09/protecting-your-users-phishing-apache-rules-hsts/
# (15768000 seconds = 6 months)
# "always set" rather than "add": exactly one header, and it goes out on
# error responses too. env=HTTPS sends it only over TLS, which is the only
# place browsers honour it (RFC 6797 says not to send it over plain HTTP).
Header always set Strict-Transport-Security "max-age=15768000" env=HTTPS

RewriteEngine on

# Send plain-HTTP requests to the same URL over HTTPS with a permanent
# (301) redirect; without the R flag Apache would still redirect, but
# as a temporary 302.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

That means every request for a page on http://www.miskatonic.org/ is redirected to the same page on https://www.miskatonic.org/, and once a browser has seen the Strict-Transport-Security header on an HTTPS response it goes straight to HTTPS for the next six months (the max-age), even when a link or a typed address says http://. The very first visit still starts over plain HTTP, which is why the redirect is needed as well as the header. One caveat worth knowing: for an HSTS host, browsers treat a certificate problem as fatal and offer no click-through, so an expired or broken certificate takes the site offline for anyone who has seen the header, and the cert has to be renewed before it lapses.
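To confirm that the redirect and the HSTS header come back the way the rules intend, here is a small checker. It is an added example for this page, not code from the original post. It parses raw HTTP responses and checks two things: that a plain-HTTP request is redirected to the same URL on https://, and that the HTTPS response carries Strict-Transport-Security with a max-age of at least the six months used above (and only on the HTTPS response, since browsers ignore the header over HTTP). The two responses embedded at the bottom are constructed for the example, not captured from the real site; `fetch_head` is an assumed helper for running the same checks live and is not called in the offline run.

```python
"""Check that plain HTTP redirects to HTTPS and that HSTS is served.

Added example for this page, not code from the original post. The two raw
responses at the bottom are constructed to look like what the .htaccess
rules above would produce; fetch_head() is how you would get real ones.
"""
import http.client
from urllib.parse import urlsplit

SIX_MONTHS = 15768000  # the max-age used in the .htaccess above


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_redirect(http_url, status, headers):
    """True if a plain-HTTP response redirects to the same URL over HTTPS."""
    if status not in (301, 302, 307, 308):
        return False
    want = urlsplit(http_url)
    got = urlsplit(headers.get("location", ""))
    return (got.scheme == "https" and got.netloc == want.netloc
            and (got.path or "/") == (want.path or "/"))


def check_hsts(headers, min_age=SIX_MONTHS):
    """True if the HTTPS response carries HSTS with a long enough max-age.

    Only HTTPS responses count: browsers ignore the header over plain HTTP.
    """
    value = headers.get("strict-transport-security")
    if value is None:
        return False
    max_age = parse_hsts(value)["max_age"]
    return max_age is not None and max_age >= min_age


def fetch_head(url):
    """HEAD request without following redirects; returns (status, headers).

    Assumed helper for a live check; the offline run below never calls it.
    """
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    conn.request("HEAD", parts.path or "/")
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


def audit(http_url, http_response, https_response):
    """Run both checks; each response argument is a (status, headers) pair."""
    return {
        "redirect": check_redirect(http_url, *http_response),
        "hsts": check_hsts(https_response[1]),
    }


# Constructed sample responses (not captured from the real site).
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.miskatonic.org/index.html\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print(audit("http://www.miskatonic.org/index.html",
                parse_response(HTTP_RESPONSE), parse_response(HTTPS_RESPONSE)))
    # A live check would be:
    # url = "http://www.miskatonic.org/"
    # print(audit(url, fetch_head(url), fetch_head(url.replace("http://", "https://", 1))))
```

The redirect check deliberately compares host and path, not just the scheme: a redirect that lands on a different host or drops the path is a common misconfiguration that still "works" for the home page and breaks deep links.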

One special page broke: Stuff, Standards and Sites: Libraries and Archives in AR, which uses reveal.js. I had all the Javascript libraries stored locally on my site, but the page was blank. Using the inspector I saw warnings about “active mixed content” because the URLs to the Javascript files were hardcoded with http. Mozilla’s How to fix a website with blocked mixed content explained ways to fix this, and I just edited http://www.miskatonic.org/js/reveal.js/lib/js/classList.js to //www.miskatonic.org/js/reveal.js/lib/js/classList.js and that did the trick. (A protocol-relative URL like that inherits the scheme of the page, so it loads over HTTPS when the page does; now that the site is HTTPS-only, writing https:// explicitly or using a plain relative path does the same job with one less thing to reason about.)
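Finding these references by hand in the inspector works for one page, but it is easy to check mechanically. The scanner below is an added example for this page, not code from the original post. It walks an HTML document for http:// subresource references and separates active ones (scripts, stylesheets, frames, plugins: browsers block these, which is why the page went blank) from passive ones (images and media: still loaded, but the lock icon is downgraded). It also rewrites references to your own host to https://, which is the explicit form of the `//` fix used above, and leaves third-party hosts alone, since forcing https:// on a host that does not serve it turns a warning into a broken load. The sample page and every host in it other than www.miskatonic.org are constructed for the example.

```python
"""Find mixed content in an HTTPS page and fix references to our own host.

Added example for this page, not code from the original post. SAMPLE_HTML
is constructed to resemble the reveal.js page described above.
"""
import re
from html.parser import HTMLParser

# http:// references from these elements are *active* mixed content, which
# browsers block outright (that is why the reveal.js page went blank).
ACTIVE = {
    "script": ("src",),
    "link": ("href",),     # stylesheets are the usual case
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# http:// references from these are *passive* mixed content: loaded, but
# the browser downgrades the lock icon (the warning triangle in the post).
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collect (kind, tag, url) for every http:// subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for attr in table.get(tag, ()):
                url = attrs.get(attr) or ""
                if url.lower().startswith("http://"):
                    self.findings.append((kind, tag, url))


def find_mixed_content(html):
    """Return the mixed-content references in document order."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def fix_own_urls(html, own_host):
    """Rewrite http://own_host/... to https://own_host/... in src/href/data.

    Only our own host is touched, because we know it serves HTTPS. Third
    parties are reported by find_mixed_content() instead of rewritten.
    """
    pattern = re.compile(
        r"""(\b(?:src|href|data)\s*=\s*["']?)http://""" + re.escape(own_host) + r"/",
        re.IGNORECASE,
    )
    return pattern.sub(lambda m: m.group(1) + "https://" + own_host + "/", html)


# Constructed sample page; hosts other than www.miskatonic.org are made up.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.miskatonic.org/js/reveal.js/css/reveal.css">
<script src="http://www.miskatonic.org/js/reveal.js/lib/js/classList.js"></script>
<script src="https://www.miskatonic.org/js/reveal.js/js/reveal.js"></script>
</head><body>
<img src="http://widgets.example.net/co2.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML):
        print("%-7s <%s> %s" % finding)
    fixed = fix_own_urls(SAMPLE_HTML, "www.miskatonic.org")
    print("after fix:", find_mixed_content(fixed))
```

Run against the sample, the scanner reports the stylesheet and classList.js as active and the third-party image as passive; after `fix_own_urls` only the image remains, which matches the situation described in the next paragraph: the page loads, but the lock is not clean until the third party serves HTTPS too.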

Instead of a pure green lock in the location bar I see, in Firefox, a little warning sign (an exclamation mark in a triangle) because there’s a mix of secure and insecure content on the page, because I’m pulling in a widget from CO2 Now and possibly some YouTube videos. Nothing I can do about that if the other site doesn’t use HTTPS, but I’ll do what I can to tighten things up.