This site is going all-HTTPS, all the time. Read on for background and details.
[2018-03-11: HSTS implemented with
max-age=1800, i.e., 30 minutes.]
[2018-04-16: HSTS implemented with
max-age=31536000, i.e., one year.]
There has been a push towards “encrypting the web”, with all browser
connections protected by some form of transport security, for some years. It’s
common to refer to connections using the
https:// scheme as “secure”
regardless of any other considerations.
That terminology is annoyingly imprecise, but in a world where ISPs frequently inject advertising material into unprotected HTTP connections, and where advertising networks carry malware such as cryptocurrency miners, the additional protection seems like a no-brainer. I don’t run advertising here, but the two issues together make it an issue I’m concerned with on your behalf.
The arrival of the Let’s Encrypt certificate authority and its
integration by my hosting provider made it easy to set this up in
early 2016, but the majority of my traffic has continued to come through
My intention has always been to to migrate fully to HTTPS. Now that the
conversion to Nanoc is complete, and with Google’s confirmation of
their earlier plans to start labelling non-HTTPS connections as “insecure”
starting in July 2018, I took the next step in that direction yesterday (on
2018-02-08) by redirecting all
http:// accesses to
Simply redirecting everything doesn’t completely protect visitors because it’s still possible for a “man in the middle” such as an ISP to inject material to prevent the redirection or to perform an SSL stripping attack. I’m therefore planning to deploy the HSTS (HTTP Strict Transport Security) mechanism here over the next few months.
The idea of HSTS is that if you once visit a site through HTTPS, the site
itself is in a position to tell you that you should always visit it that way.
The notification includes a time during which the browser should regard that
policy as being in force, so it is possible to revert it if necessary, but
with a significant delay. In a month or so, after the initial redirect scheme
has settled down, I will initiate HSTS with a short
max-age for some period
before finally settling on a long-term configuration.