Expect your sites to be accessed over https and ensure your certificates match
Posted by jpluimers on 2020/05/22
Over the last lustrum there has been a steady increase in https usage. It crossed the 30% mark early 2016, the 50% mark early 2017 and the 80% mark early 2018, and even the share of sites configured https-by-default is now considerable:
- [WayBack] Why You Should Move Your Site to HTTPS
- [WayBack] HTTPS Tops 30%: How Google Is Winning the Long War – Moz
- [WayBack] Measuring HTTPS Adoption on the Web – Research at Google
- [WayBack] Let’s Encrypt Stats – Let’s Encrypt – Free SSL/TLS Certificates
Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run browser extensions like HTTPS Everywhere – Wikipedia, which rewrite requests from insecure http to secure https before they leave the browser.
Users are right: http is a thing from the past and https is the way to go forward.
This means you need to ensure your web sites serve https well, which starts with serving https at all and includes serving a correct https certificate for each of them.
Often, IT departments are not even aware that an endpoint serving http for a domain usually also answers https requests for that domain, typically with whatever certificate the default site on that IP address has been configured with. That certificate does not carry the domain's name, so every https visitor gets a certificate error.
WordPress.com was really bad at this when serving custom domains ordered through their premium plans, which was odd, as customers paid for those domains. They solved this in spring 2016 when they started using Let's Encrypt (which started in 2015) for their certificates: [WayBack] HTTPS Everywhere: Encryption for All WordPress.com Sites — The WordPress.com Blog.
So this is what you need to do for all your subdomains:
- check if they are served over http
- consider (in fact, urge) serving https for them
- when an endpoint serves https, ensure the certificate for it is correct: issued for that exact name (or a matching wildcard), not expired, and chaining to a trusted root
- do not mix https and http in the same site (mixed content gets blocked or flagged by browsers)
- avoid redirecting from https to http, as that downgrades a user who deliberately asked for the secure endpoint
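The checks in the list above, as an added example that is not part of the original post nor any tool the author used: it matches a certificate's names against a hostname the way a browser does (SAN dNSName entries first, subject CN only as a fallback, a wildcard covering exactly one label), classifies a redirect so that an https to http downgrade stands out, and, when given hostnames on the command line, performs a live handshake with SNI against port 443 and reports which names the served certificate actually carries. The hostnames and the certificate dictionaries used as sample input are assumptions constructed for this example; the dictionaries mimic the shape `ssl.SSLSocket.getpeercert()` returns.

```python
#!/usr/bin/env python3
"""Check that a host serves https with a certificate that matches its name.

Added example for this post; not the author's tooling. Hostnames on the
command line are assumptions; the certificate dicts in the tests are
constructed to mimic what ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def cert_names(cert):
    """DNS names a certificate is valid for: SAN dNSName entries, falling
    back to the subject commonName only when no SAN is present (RFC 6125)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a leading '*' covering exactly one label, so
    *.example.com matches a.example.com but not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse partial-label wildcards (a*.example.com) and *.tld wildcards.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """True when any name in the certificate covers the hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def classify_redirect(request_url, status, location):
    """'downgrade' when an https request is redirected to http, 'ok' for any
    other redirect (same scheme or an http->https upgrade), 'none' otherwise."""
    if status not in REDIRECT_STATUSES or not location:
        return "none"
    src = urlsplit(request_url).scheme
    dst = urlsplit(location).scheme or src  # relative Location keeps the scheme
    if src == "https" and dst == "http":
        return "downgrade"
    return "ok"


def fetch_https_cert(hostname, port=443, timeout=5.0):
    """Live check: TLS handshake with SNI, chain verified against the system
    trust store. Hostname checking is disabled here on purpose so that a
    name mismatch is reported with the names actually served rather than
    as a bare handshake failure; cert_matches_host() does that check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python3 check_https.py forms.example.com www.example.com
    for host in sys.argv[1:]:
        try:
            cert = fetch_https_cert(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: https handshake failed: {exc}")
            continue
        verdict = "matches" if cert_matches_host(cert, host) else "DOES NOT match"
        print(f"{host}: certificate {verdict}; names served: {', '.join(cert_names(cert))}")
```

A handshake failure on a host that does serve http is itself a finding: either port 443 is closed (no https at all) or the chain does not verify. A successful handshake with a non-matching certificate is the case from the WordPress.com and Eloqua anecdotes, where the endpoint speaks https but with someone else's name.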
Adopting https can be tedious, but many sites have already done this and written down their experiences, even back in 2016:
- [WayBack] Verschlüsselung: heise online und Heise-Onlinedienste per HTTPS erreichbar | heise online
- [WayBack] Tweakers stapt over op https – Site-performance – Achtergrond – Tweakers
Many sites still get their https configuration wrong though, and this post is a reminder to myself about one of them.
A good example from 3 years ago is https://forms.embarcadero.com, raised in 2017: [WayBack] Hello Embarcadero! Who is secure.eloqua.com? While I try to access the forms sub-domain via https I get an error… – Fred Ahrens – Google+. I tested again in 2018 and re-raised the issue, so this is a reminder to check again: [Archive.is] SSL Server Test: forms.embarcadero.com (Powered by Qualys SSL Labs).
In this case, the https is served by Eloqua ([Archive.is] What is Eloqua all about? – Quora), a product costing USD 2000+ a month, for which I'd expect them to handle security a bit better ([WayBack] Oracle Eloqua Pricing & Packages | Oracle Marketing Cloud).
–jeroen