Thursday, September 4, 2014

Securitycurmudgeon.com Moving to HTTPS\TLS

A short administrative message about this site, only for those interested.  Over the years readership of Securitycurmudgeon.com has grown significantly.  I have been particularly concerned about lack of transport security (e.g., HTTPS) available on Blogger, keeping readers computers secure, as well as ensuring the content I develop is the content delivered to readers desktops.  I decided to give CloudFlare a try.

With CloudFlare the browser session is protected via HTTPS\TLS between the user's web browser and the CloudFlare cloud service.  The connection is unencrypted between CloudFlare and Blogger web servers.  CloudFlare calls this their Flexible SSL encryption option, which is really TLS.  Of course, the best solution is to have the entire transport path encrypted but it's not possible at this time.  TLS to users desktops mitigates most Man in the Middle security concerns from most attackers.  The solution does not defend against attacks on Internet infrastructure like intrusion from Internet service providers and governments.  Still some security is always better than no security.

Perhaps with Google's emphasis on HTTPS, increased priority on HTTPS sites with their search engine, they will someday consider moving Blogger to HTTPS.  Also I'm not trying to disparage Google for lack of HTTPS support on their free service.  I'm interested in mitigating my security concerns.  With the low monthly price of CloudFlare I decided to give it a try.  If something is broken or not working as expected I have information on my About page you can reach me.  This is work in progress.  If anyone has any tips on CloudFlare or otherwise feel free to send along.

--Milton

Share It!