The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,117 other followers

Expect your sites to be accessed over https and ensure your certificates match

Posted by jpluimers on 2020/05/22

igOver the last lustrum, there has been a steady increase in https usage. It crossed the 30% mark early 2016, crossing the 50% mark early 2017 and 80% mark early 2018, even the https-by-default configuration is now pretty large:

Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run plugins like HTTPS Everywhere – Wikipedia which switch a request from insecure http to secure https.

Users are right: http is a thing from the past and https is the way to go forward.

This means you need to ensure your web sites to serve https well, which starts with servicing https at all and includes serving a correct https certificate for them.

Often, IT departments are not even aware that when serving http for a domain, the endpoint also answers https requests for that domain.

WordPress.com was really bad at this when servicing custom domains ordered from their premium plans. Which was odd, as customers payed for those domains. They solved this in spring 2016, they started to use LetsEncrypt (which started in 2015) for their certificates: [WayBack] HTTPS Everywhere: Encryption for All WordPress.com Sites — The WordPress.com Blog.

So this is what you need to do for all your subdomains:

  1. check if they are serviced by http
  2. contemplate (in fact urge to) servicing https for them
  3. when an endpoint services https, ensure the certificates for it are correct
  4. do not mix https and http in the same site
  5. avoid redirecting from https to http

Adopting https can be tedious, but many sites have already done this and wrote down their experiences, even back in 2016:

Many sites still get their https configuration wrong though, and this post is a reminder to myself for one of them.

A good example from 3 years ago for https://forms.embarcadero.com raised in 2017 [WayBack] Hello Embarcadero! Who is secure.eloqua.com? While I try to access the forms sub-domain via https I get an error… – Fred Ahrens – Google+. I tested again in 2018, re-raised the issue, so this is a reminder to check again: [Archive.is] SSL Server Test: forms.embarcadero.com (Powered by Qualys SSL Labs).

In this case, the https is serviced by Eloqua ([Archive.is] What is Eloqua all about? – Quora) a product costing USD 2000+ a month for which I’d expect they handle security a bit better ([WayBack] Oracle Eloqua Pricing & Packages | Oracle Marketing Cloud).

forms.embarcadero.com is serviced by a server identifying tiself as secure.eloqua.com (an Oracle product)

forms.embarcadero.com is serviced by a server identifying tiself as secure.eloqua.com (an Oracle product)

–jeroen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: