
HTTPS the new standard

If you check the upper left corner of your browser, you will see that my blog is using an HTTPS connection. That means you are connected to my blog using the same technology used for making secure payments online. A certificate authority (Let's Encrypt) has issued a digital proof that the server you are connected to really is Secretum. It also means that your connection is encrypted. If you use the contact form, your message is kept secret until it reaches the server. From that point, your message is encrypted using OpenPGP and delivered to my mailbox. For the more advanced user: my public PGP/GPG key is available on the contact page, so you can encrypt the message directly on your own device.

But what if the network administrator creates a fake certificate and intercepts your connection to the server?

That is a man-in-the-middle attack, or SSL stripping if the attacker downgrades you to plain HTTP instead. Neither works against my blog. The blog is configured to use HSTS (HTTP Strict Transport Security) together with Perfect Forward Secrecy. In plain English: if you have ever connected to my blog from the same browser, that browser will refuse to load it over plain HTTP and will refuse to continue past a certificate error, so a fake certificate is a hard stop rather than a warning you can click through. Even if you have never visited, my domain is included in the HSTS preload list shipped with recent versions of the major browsers. So if someone tries to replace my certificate with a fake one, Chrome will detect the attack and block the connection. The one case HSTS cannot defend against is a certificate authority your own computer has been told to trust, as corporate proxies often are; that is a trust decision made on your machine, not on the network.

What is Perfect Forward Secrecy?

Please see the following article from Wired. It explains why I use Perfect Forward Secrecy and why it is truly important to do so.
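Forward secrecy comes from the key exchange, not from the certificate: with ephemeral (EC)DHE the session key is derived from one-time Diffie-Hellman shares, so a later compromise of the server's private key does not decrypt recorded traffic, whereas static RSA or static (EC)DH key exchange does let an attacker who later obtains the key read old sessions. As an added example that is not part of the original post, the Python below classifies cipher suites (in both OpenSSL and IANA spelling) by whether their key exchange gives forward secrecy, and then builds an OpenSSL server context restricted to forward-secret suites and confirms that nothing else is enabled. The sample suite names are a constructed list for illustration, not this blog's configuration.

```python
"""Classify TLS cipher suites by forward secrecy and check a server policy."""
import ssl
from typing import List

# Constructed sample of common suite names (not any real server's configuration).
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3: ephemeral (EC)DHE is mandatory
    "ECDHE-RSA-AES128-GCM-SHA256",     # TLS 1.2, ephemeral ECDH, RSA signature
    "DHE-RSA-AES256-GCM-SHA384",       # TLS 1.2, ephemeral finite-field DH
    "AES128-GCM-SHA256",               # TLS 1.2, static RSA key exchange: no forward secrecy
    "ECDH-RSA-AES128-SHA",             # TLS 1.2, static ECDH: no forward secrecy
]

# Every TLS 1.3 suite is forward secret because TLS 1.3 only allows (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def has_forward_secrecy(suite: str) -> bool:
    """True if the suite's key exchange is ephemeral (ECDHE or DHE).

    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).  Static RSA or static (EC)DH
    key exchange is classified as not forward secret.
    """
    if suite in TLS13_SUITES:
        return True
    if suite.startswith("TLS_"):
        kx = suite.split("_")[1]          # IANA spelling: key exchange is the 2nd token
    else:
        kx = suite.split("-")[0]          # OpenSSL spelling: key exchange is the 1st token
    return kx in {"ECDHE", "DHE", "EDH"}  # OpenSSL spells some DHE suites as EDH


def forward_secret_context() -> ssl.SSLContext:
    """Server context allowing only forward-secret TLS 1.2 suites plus TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ephemeral key exchange with AEAD ciphers only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def non_forward_secret_enabled(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that would let recorded traffic be decrypted later."""
    return [c["name"] for c in ctx.get_ciphers() if not has_forward_secrecy(c["name"])]


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(f"{suite:32} forward secrecy: {has_forward_secrecy(suite)}")
    leaks = non_forward_secret_enabled(forward_secret_context())
    print("non-forward-secret suites enabled by the policy:", leaks or "none")
```

The cipher string in forward_secret_context is the same kind of expression a web server takes in its TLS configuration; running non_forward_secret_enabled against the context is the offline equivalent of the forward secrecy check an external scanner performs against a live host.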

So your website is bulletproof?

Actually, no... Like any website, it can be hacked. It is possible that somebody hacks my website and changes the source code to serve malicious content. But I have a backup of the website, my hosting service runs anti-virus scans, and I also use a web service that does exactly the same.

The point is that HTTPS protects the site while the information is in transit. It is much easier to tamper with content in transit on a public Wi-Fi network than it is to hack the website itself. In other words, a "free" Wi-Fi provider cannot modify my blog in transit to inject ads and other kinds of junk.

For those curious, here is my HTTPS with HSTS and Perfect Forward Secrecy configuration report on SSL Labs (ssllabs.com): A+!