HTTPS on Everleap

Michael PhillipsWe recently published an article over on the DiscountASP.NET blog entitled, “https: who needs it?“, and it talks about all of the compelling reasons to implement HTTPS (via an SSL certificate) on your website. The tl;dr summary of that article is: You really need to implement HTTPS at your earliest convenience. Or maybe even before it’s convenient.

So yes, everyone needs to use https, and that includes us. We’ve gone through the Everleap website and made all the necessary changes, including forcing connections that come in on port 80 – normal HTTP connections – to HTTPS. You may have noticed we did the same on this blog, and our forum as well.

Now, I’m not going to lie to you brothers and sisters, it wasn’t a lot of fun making the change to our website. And just to make things interesting, it’s a bit more difficult to implement on sites like this and the forum, sites that are database-driven. But nothing worthwhile is easy, right?

Well, one of the things that’s definitely a drawback in my book was making all of the internal links on the site absolute URLs rather than relative paths. That’s not a requirement to move to HTTPS, but it’s an SEO/Google thing, so we rolled it up into the update. Absolute URLs are beneficial when Google is crawling your site (and maybe more importantly, they prevent accidental infinite redirect loops), but it causes problems in the development environment, since you can’t click any links in dev without bringing up the live site. Overall it’s an adjustment, for sure, but then any kind of progress requires adjustment. Both in the online world, and the real, walking-around-and-bumping-into-other-humans world.

Some people complain that Google is in effect forcing people to switch to HTTPS (and forcing other server-level security issues, like getting rid of old ciphers) with the changes they make to the Chrome browser (like those lovely “insecure” warnings on HTTP pages where there is user input) and with the hoops you have to jump through to remain relevant in search results. But really, if someone wasn’t forcing the issue, most of us would never change what we’re doing. Stasis is easier than progress. Not necessarily better, but easier.

So where are you on the path to HTTPS security? If you haven’t given it much thought, now may be a good time to change your approach to protecting your online kingdom (or queendom, or person-dom…you get the drift).


6 Responses
  • Eaton Reply

    Very nice work! I did this on my sites and it was a pain.

    A few points:

    1. Why don’t you implement Strict Transport Security (HSTS) for additional security?

    2. There’s a few other tweaks you can do: Downgrade attack prevention, tweak Forward Secrecy, fix your vulnerability to the DROWN attack, and remove that one weak cipher.

    3. Your forum in particular needs some improvements.

    4. Please make sm14.internetmailserver.net only accessible over HTTPS.

    • Michael Phillips Reply

      Thanks for your feedback. There are things we can’t change on the forum server because it’s running on Azure. We run it outside of our network so it can remain available for communication in the event that our corporate servers or network were ever to become unavailable for some reason.

      As for forcing the mail servers to https, I have to say that’s probably not likely to happen any time soon. You know how security works – the tighter the server, the more problems you cause for people who insist on using (or are forced to use) outdated technology. Maybe Google can say, “Well, tough luck. It’s for your own good. Upgrade your stuff. Bye.” But we can’t afford to do that. People are understandably sensitive to changes in services they pay for.

      We run special hardened servers at DiscountASP.NET for people who have trouble passing PCI scans, and when they move to those servers they lose functionality and visibility. That’s the reality of the situation, but it’s a trade off that has to be made in some cases. But there’s no way we could lock down all of our servers the way the hardened servers are secured. People would attack our offices with torches and pitchforks. 😉

      None of this means that we intend to put off changes until the very last person is prepared for them. We’ve made changes here, and we’ve had to force a number of changes over at DiscountASP.NET when old Microsoft (or other) technology stops being supported (we spent 6,000 hours over the course of two years retiring Windows 2003). So we don’t intend to lag where security is concerned.

  • Eaton Reply

    Hi Michael,

    Thanks for your explanation. Keeping things compatible is a good thing, but some of those changes, especially with the HTTP headers, shouldn’t cause any compatibility issues at all. securityheaders.io recommends a lot of things that won’t really break anything. HPKP may not be advisable, but everything else recommended on that site can be added via web.config in a few minutes. Besides, it’s probably only a matter of time before Google starts accounting for secure HTTP headers and cipher configuration as part of their ranking algorithms.

    Also, do you run hardened servers on Everleap? Your support team told me this was only the case on DiscountASP. Having RC4 enabled on my sites through the default WAP configuration bugs me, so if things have changed, let me know.

    • Michael Phillips Reply

      Thanks, I’ll look in to the web.config changes. Yeah, sorry, I should have been more clear, the hardened servers are only on DiscountASP.NET. I’ll edit that. We looked in to hardened servers for Everleap, but we’d essentially have to create a second WAP platform for that, which doesn’t make sense right now (from either a cost or a maintenance standpoint). The way things are going though, I wouldn’t rule it out in the future. Things are changing quickly.

      • Eaton Reply

        Another write up on the headers that goes into a lot of detail:
        https://blog.appcanary.com/2017/http-security-headers.html

        BTW, the check boxes that you can check when commenting do not send emails.
        Notify me of new comments via email
        Notify me of new posts via email.
        ^Do not do anything

        • Michael Phillips Reply

          Email notifications should be fixed. They may not work for you until you make another comment and verify your notification status.

Leave a Reply