Cache: Now with HTTPS

 

HTTPS should be used everywhere. Every request you make to over HTTP can be modified. It can be watched and recorded, data can be injected, changed, or removed.

You could argue that all data transmitted by an individual is sensitive data, but what about received, too? By reading something like a blog or news site, you could say that there’s nothing sensitive being sent, and that’s fairly true… but if I can record what websites you visit and what parts of it you interact with (do you make a comment? Save a picture? Read a certain type of article but ignore the others?) I can learn more and more about you as a person. Suddenly, your browsing habits and history could be considered sensitive. With GDPR around the corner, this does become sensitive data.

To that end, I’m going to encrypt the connections to this site. Doing so only helps make the web more encrypted. Always a good thing!

I haven’t done this yet, but I have just enabled HTTPS for the cache subdomain, which hosts all the larger files, such as the images, used by the site. This server is hosted by gandi.net, and as the domain is registered there too I get a free certificate from them. Not bad!

In time, I will configure the fyr.io domain to be encrypted too, using Let’s Encrypt. I tested Let’s Encrypt a while ago and got it working right away, so it should be fairly easy to do I have now moved the site to Gandi, too, so it gets a certificate via them. On the cache subdomain, I also have the option of uploading my own certificate so I may end up scripting a Let’s Encrypt cert for there, too.

Once I’m happy with it and have set it up a high standard, such as only using TLS 1.2+, I will then disable HTTP access entirely and use HSTS to force HTTPS on everything forever. I’ll write something a bit more technical about it then!

UPDATE 2018-11-13: Due to the reasons outlined here I’ve actually moved this website over to WordPress on an external host. I plan on going back to the Pi2 so this is still kinda relevant. The cache subdomain still exists, too, though I likely won’t use it moving forward.

UPDATE 2022-04-18: Two individuals reported some vulnerabilities to me – the first being that this site is embeddable in an iFrame (fixed with a Content-Security-Policy header) and the second being that my images had metadata. Upon fixing the first issue, I inadvertently broke the cache. subdomain, and when fixing the 2nd I spotted the issue caused by the first and have migrated all images across to wordpress. The cache domain will be going away completely, soon.

Leave a Reply