Question: Implementing HTTPS to access DesdeLinux

As we did with the Tor-related implementation, where we asked what you thought and asked for ideas or suggestions, and in the end reached an intermediate result that most of you approved, here we do the same with our HTTPS implementation: we ask for your opinion on it.

As many of you will have read on other sites, Google (which, for better or worse, dictates what counts for SEO) announced that it would start taking into account whether or not a site implements HTTPS when ranking it. It will influence PageRank in the future (do not doubt it), although right now they say it carries only minimal weight, so little that it is almost not taken into account.

Their words were:

For now it is only a very lightweight signal - affecting fewer than 1% of global queries and carrying less weight than other signals such as high-quality content - while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we would like to encourage all website owners to switch from HTTP to HTTPS in order to keep everyone safe on the web.

HTTPS? Necessary?

Not only because Google has now decided to take it into account, but because HTTPS means secure traffic, protected from the eyes of the curious or of intruders. That is, when you access DesdeLinux, other people on the same network will not be able to see exactly what you do on DesdeLinux: which article you read, what you comment, and so on. (They can still see that you connected to desdelinux.net, because the DNS lookup and the server name in the TLS handshake travel in the clear; what stays hidden is the URL path, the page content and anything you submit.)

The first thing to bear in mind is that with HTTPS the user's data travels encrypted over the network, which means security above all, regardless of what Google says now or later; and it is precisely for security that many sites (Twitter, Google, Facebook, etc.) automatically open over HTTPS.

Does adding HTTPS mean removing HTTP?

Here is the doubt or question I have. HTTPS can be implemented on DesdeLinux so that when someone accesses https://blog.desdelinux.net it opens over an encrypted, secure connection, while also leaving HTTP in place, so that if you access http://blog.desdelinux.net it still opens, but without a secure connection.

That is: Option 1: leave both HTTPS and HTTP, so the user enters through whichever scheme they type in their browser's address bar.

Another thing that could be done is to remove HTTP traffic from the site, or rather, redirect it to HTTPS.

I mean that when a user accesses http://blog.desdelinux.net they are automatically redirected to https://blog.desdelinux.net.

That is: Option 2: do not allow insecure traffic on DesdeLinux at all, forcing the user to always use HTTPS.

That is the main question, which I leave for you to comment on, discuss and advise. I lean towards leaving both and letting the user choose how to enter; what do you think?
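To make the two options concrete, here is how each looks as nginx server blocks. This is an added example for this post, not the blog's real configuration; the certificate, key and document-root paths are assumed, and you would deploy one option or the other, not both (they are shown together only for comparison).

```nginx
# Added example, not the blog's real config. Assumed paths:
#   /etc/ssl/desdelinux/fullchain.pem, /etc/ssl/desdelinux/privkey.pem, /var/www/desdelinux

# Option 1: one server block answers on both ports; the user picks the scheme.
# Nothing moves a visitor from http:// to https://, so old bookmarks stay on HTTP.
server {
    listen 80;
    listen 443 ssl;
    server_name blog.desdelinux.net;

    ssl_certificate     /etc/ssl/desdelinux/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/desdelinux/privkey.pem;     # assumed path
    root /var/www/desdelinux;                                # assumed path
}

# Option 2: port 80 only answers with a permanent redirect to HTTPS.
server {
    listen 80;
    server_name blog.desdelinux.net;

    # 301 (not 302) tells browsers and crawlers the move is permanent, and
    # $request_uri keeps path and query string so deep links keep working.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name blog.desdelinux.net;

    ssl_certificate     /etc/ssl/desdelinux/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/desdelinux/privkey.pem;     # assumed path
    root /var/www/desdelinux;                                # assumed path

    # HSTS: a browser that has seen this header goes straight to https://
    # on later visits, even if the user types http://. Send it only over
    # TLS; start with a short max-age while testing, raise it once stable.
    add_header Strict-Transport-Security "max-age=300" always;
}
```

The redirect in option 2 protects only the very first request of a visitor who types http://; that request still crosses the network in the clear. The Strict-Transport-Security header is what closes that gap for returning visitors, which is why it belongs with option 2 and makes no sense with option 1.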

SSL provider?

Our domain is with NameCheap, which acts as an "intermediary" or "platform" for acquiring a valid SSL certificate; that is, a certificate authority signs the request we generate on our server, so that when people access https://blog.desdelinux.net the browser does not show a warning that the site is insecure, or something of the sort.

NameCheap offers many options, or rather, it has several providers available: Comodo, RapidSSL, GeoTrust, etc. The question here is... does anyone recommend one? Have you had experience with this?

The end!

Well, nothing more to add; I'll leave the post there and await your comments.


  1.   roader said

    I am in favor of allowing only safe traffic, it is easier to maintain this way.

    1.    x11tete11x said

      +1

    2.    KZKG ^ Gaara said

It is not really difficult either way. Having only HTTPS or both HTTP and HTTPS is just as simple; from a technical point of view there is almost no difference.

The problem is that HTTPS is a bit slower than HTTP, because it does the same thing plus the extra time it takes to encrypt the data. I ask thinking of people with poor bandwidth, like the one writing to you 😉

      1.    linuXgirl said

As far as I'm concerned, and having the same problem as you, I lean towards security even if the page takes a little longer to load... Ayyy, no, no, no, I've seen how long it takes to load Twitter, Facebook, etc.!!!! No, no, no, no way... leave me plain http, or in any case enable both: https and http... no mess!!!!

        1.    KZKG ^ Gaara said

Don't worry, it won't be anywhere near as slow as those, haha, here we have everything well optimized 🙂

      2.    eliotime3000 said

        True. And that has happened to me many times.

  2.   AdrianArroyoStreet said

I choose option 1. I think users should be able to choose. It also maintains better compatibility with somewhat outdated mobile devices. On the other hand, the SSL certificate is something that never convinced me: it is based on the client trusting the company that issues the certificates, and that can have quite negative consequences through human action, although so far nothing like that has happened.

  3.   George said

    Regards!

    It seems to me an excellent practice to allow only traffic via HTTPS
    With nginx or apache it is very easy to redirect requests from port 80 to 443
Regarding the certificate, I suppose it is easy for you to have a company sign it; however, for cost reasons, it is also possible to generate a self-signed certificate, which works exactly the same but with a warning when users connect.

  4.   eliotime3000 said

I almost told you CAcert, but that SSL provider forced Parabola GNU/Linux-Libre to redirect their entire page to their entire wiki.

    Anyway, I don't know of another SSL service that seems really trustworthy to me.

    1.    gorlok said

But the CAcert root certificate is not included in any major browser, so it is not much different from using a self-signed certificate 😛 http://en.wikipedia.org/wiki/CAcert.org

If there are no problems with resource consumption, I would just leave https. If both are left, it must be made clear to users that they have the option of using https and that otherwise they are on an insecure connection. Using only https seems simpler to me, but that is subjective.

As for the CA... any known one, whichever is cheapest 😀

  5.   mstaaravin said

    I consider that option 1 has to be the default, compatibility is an important factor to take into account.

    And a little fix on https

The increase in bandwidth consumption is practically insignificant; what does increase significantly is CPU consumption on the server, but with today's processors this is practically imperceptible, although it all depends on the amount of traffic you have.
    You should also consider the extra content you publish, such as linked images (in frames as well), that may be available only over http and will produce a warning message in most browsers.

If you do not want to spend on a certificate you can generate a free Class 1 one at http://www.startssl.com, which is widely supported, even on many mobile devices.

Although you use nginx, one way to alleviate CPU consumption is to add FastCGI caching to W3Cache so PHP is not reprocessed so much.

That's it for now.
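The mixed-content warning mentioned in the comment above is easy to catch before flipping the switch: any image, script, stylesheet or frame that a page loads over plain http:// breaks the padlock once the page itself is served over HTTPS. The following is an added example, not the blog's own tooling: a small POSIX shell script that lists such resources in a saved HTML file, with a constructed sample page so it runs offline. Plain hyperlinks are deliberately ignored, since linking to an http:// page is not mixed content; only embedded resources are.

```sh
#!/bin/sh
# Added example, not the blog's code: find resources a page embeds over
# plain http://, which browsers flag as mixed content on an HTTPS page.
# The sample HTML at the bottom is constructed for this demonstration.

# Print the distinct http:// URLs used in src=, href= or action= attributes.
# <a ...> tags are stripped first: a plain-http hyperlink is harmless,
# only embedded resources (img, script, link, iframe, form) matter.
find_mixed_content() {
    sed 's/<a [^>]*>//g' "$1" \
    | grep -oE '(src|href|action)="http://[^"]*"' \
    | sed -E 's/^[a-z]+="//; s/"$//' \
    | sort -u
}

# Count them, so a deploy script can refuse to publish when the result is > 0.
# wc -l (not grep -c) so an empty result yields "0" with exit status 0.
count_mixed_content() {
    find_mixed_content "$1" | wc -l | tr -d ' '
}

# Constructed sample page: two http:// resources that would break the padlock,
# two https:// resources that are fine, and an http:// hyperlink that is harmless.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/style.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://i.example.net/banner.png">
<img src="https://i.example.net/logo.png">
<a href="http://example.org/article">external link</a>
</body></html>
EOF

echo "mixed-content resources found: $(count_mixed_content "$SAMPLE")"
find_mixed_content "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against a saved copy of each page template (`wget -O page.html http://blog.desdelinux.net/` and then `find_mixed_content page.html`); the usual fix is to change embedded URLs to `https://` where the host offers it, or to protocol-relative `//host/path` where the same host serves both.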

  6.   dwarf said

    I told you before and I tell you here, just so that it is reflected.

For me the best thing is to allow only HTTPS. I don't see what advantage giving the option of a protocol considered insecure brings. So that users can choose? For slow connections? Well, I have a slow connection (1 Mb at most) and it doesn't bother me, although yours is much worse... but I don't think it's worth keeping two protocols, knowing that users, however much they are warned, surely have us bookmarked on http and will not change it, nor would they; and new users don't even imagine it.

Brother, the figure you quoted me for the certificate is high for how little we handle; why spend so much if there is a chance that few will use it? My vote is for HTTPS only, I don't see another.

    1.    elav said

In Cuba, for example, a bad practice by some network administrators is to close port 443 so there are no "leaks". Therefore, places where this happens would not have access to DesdeLinux.

      1.    roader said

Umm, in my humble ignorance, I think I remember that http can be served from other ports; I guess https can do the same. You put it on another port and forget about the problem. Damn censorship, that shows how necessary Tor is. Here in Spain they don't need censorship; basically most people have swallowed the whole story, and if you tell them something they didn't hear on the news they accuse you of being a demagogue.

      2.    peterczech said

Well, if in Cuba they close port 443 as you say, you can use alternative ports like 8443 or, as I usually do, 4433 :).. Nginx and Apache don't care which port you configure to open by default when entering desdelinux.net..

        1.    KZKG ^ Gaara said

          They leave 80 open and sometimes 443 ... But the rest are always closed 🙁

    2.    Oktoberfest said

1 Mb!!! That's gold. I tell you that in the company I work for, in Cuba, we are one of the ones with the most bandwidth compared to the nearest ones in the area, and we have 512 kbit/s, half of what you have, but it doesn't stop there: we are about 10 or 15 people in the organization using that channel, so draw your own conclusions. Sometimes I have to use bing.com because Google, since it uses https, won't load for me to do searches...

  7.   Miguel said

Better to keep both options. It is clear that https is ideal for privacy; after all, nobody cares what I'm looking at, BUT it turns out that in many places (universities, schools...) that traffic is filtered to have greater control (mainly proxies that cut it off) and only some sites are allowed. Therefore, both protocols are better.
    Greetings to all.

    1.    KZKG ^ Gaara said

      Here in Cuba it's the same

  8.   drako said

    StartSSL.

It gives you a valid, free certificate for one year for your domain and one subdomain.

    1.    KZKG ^ Gaara said

It would be good to have the subdomains over https too, there are several of them.

      1.    drako said

In that case it is not free, it costs $59.99, I think like all the others.

  9.   Cristianhcd said

https please 😀

  10.   peterczech said

Hello DesdeLinux folks,
    I can generate an SSL certificate signed by the StartCom authority, which is included in all web browsers by default.

The certificate would be valid for 1 year from the day you wish, and I will do it for free.. :D. Next year we'll renew it :).

    I await your reply and I greet the entire community.

    1.    peterczech said

One more thing.. I recommend redirecting http to https automatically and using only https on desdelinux.net 🙂

    2.    KZKG ^ Gaara said

      How much would it really cost? Or can they be obtained for free?

      1.    peterczech said

$59.90 for the basic one for two years :).. But I'm telling you I can generate one legitimately right now 😀

      2.    peterczech said

Well, check with Elav and if you are interested, send me the email address the certificate is to be verified with. From what I see, the available ones are :D:

        postmaster@desdelinux.net
        hostmaster@desdelinux.net
webmaster@desdelinux.net
        abuse@enom.com
        desdelinux@myopera.com

You already know my email :). I would also generate the subdomains for you.
        A greeting..

      3.    peterczech said

You could also create your own certificate authority (CA), generate your own certificate with it, and offer the public part of the CA for download so that DesdeLinux users can import it into their web browsers and see the site correctly signed by the DesdeLinux authority :).

  11.   Daniel said

I have a question: why don't search engines implement encryption for connections without the provider needing to use https?
    I have HTTPS Everywhere installed, which supposedly does this on unencrypted sites.
    Wouldn't this be more practical for everyone?
    It can be activated/deactivated by default and whoever wishes can deactivate/activate it.

    A greeting.

  12.   yukiteru said

It is a good idea to switch to HTTPS, especially because here you have to use email accounts or log in as a blog user to be able to comment, and by doing that users are given a layer of security. Also, all current reputable browsers offer HTTPS support, so I doubt there will be any impact on users accessing the site.

  13.   yukiteru said

Reading a little about the StartSSL certificate service I can see that it is missing some things, such as:

    * Does not offer multi-domain support.
    * Does not offer support for multiple emails.
    * Does not work for subdomains.
    * Does not offer identification and organization details.

Some of these things are useful for the portal, especially for authenticating the forum and the paste once and for all, and compared with the cheapest paid service, StartSSL takes the prize.

    1.    mstaaravin said

* startssl.com does allow wildcards; I use it and I'm generating certificates all the time.
      * There is always only one valid email address for management, and there is a form that lets you choose which one to use.
      * It does work for subdomains.
      * It does offer that service, but paid and with identity verification; in this case it would not be necessary.

      1.    yukiteru said

Certainly, StartSSL offers wildcard support, multi-domain and all that, but... IT IS PAID! You were talking about the free option (you were telling KZKG), and that is why I made my statement that the cheapest paid service was by far StartSSL, where it does offer everything reviewed, and that it was obviously better given how the blog is constituted and the different services it offers.

        PS: Reading * well * costs nothing 🙂

  14.   Leo said

I think both protocols would be useful in different cases. But the best for me would be to enter DesdeLinux over https by default, especially when coming from Google (I think this is easier said than done, ha), since personally I prefer secure connections.

  15.   santiago alessio said

For me https only would be better, although if it is not much technical trouble to leave both, it would be better to let users choose; but if I can, I will always use https.

  16.   DAVID HENRY said

    The most practical thing for users would be to redirect traffic to https

  17.   mstaaravin said

From the comments I realize that few of us suggest providing both, and only I am clarifying what publishing under https implies; the rest, I think, are just newbies who want https at all costs without thinking about its consequences.

    Sorry ...

    1.    elav said

Man, unfortunately not everyone is in the same situation and, well, each one pulls for their own. But we understand you.

      1.    let's use linux said

Without being an expert on the subject... can't you make the page use https by default and, in case the user cannot access it (blocks, etc.), load the usual http page?
        I mean, use the http page as a fallback?
        Hug! Paul.

    2.    yukiteru said

Your point is valid; as you say, you have to look at all the possibilities. The main problem with providing HTTPS is for people behind a proxy, firewall or filtering system that does not let them reach secure services (universities, offices, countries with internet blocks); that would be the biggest problem for users. On the other hand, there is the impact that implementing SSL would have on the server (minimal, considering current hardware) or the "slowness" the page would have when loading over HTTPS (compare the blog's load time with Facebook or Twitter, it's nothing!), but the truth is I prefer HTTPS.

  18.   NotFromBrooklyn said

I understand that implementing only HTTPS with HTTP redirected to it, or keeping both, is almost the same. So the question is which SSL provider to use, and trust and cost come into play here, right?

    Why not save that money and have a fully trusted certificate at the same time? How? Leave both HTTP and HTTPS implemented, create your own SSL certificate (click the accept button, "this certificate is trusted", it's easy) and create, for example, a blog post or a small banner explaining to people that the possibility of encrypted communication exists and that the certificate is encrypted by you.

    As I see it, visiting your website over HTTP is already placing trust in you, so there is no problem accepting your own certificate. And those who don't want to add your certificate to their browser, screw it... they use HTTP.

    I don't know about you, but personally it seems absurd to have to use a third-party service for something I can do myself without any complication or cost.

    1.    elav said

I think the same, and I have told my colleague so. I prefer to create my own certificate even if it is not approved, and that's it. The important thing in this case is security, right?

      1.    dhunter said

Elav, using your own certificate is the same as not using any: they can man-in-the-middle you very easily and you won't find out because, since you "trust" the site, you accept. That's why the idea is that browsers already come with authorized CAs and validate certificates against them; that way, unless someone has slipped you a browser with modified CAs, it always warns you.

        1.    elav said

Yes, I know, but who tells me that this guarantee, for which up to $100 is paid, is not vulnerable anyway? Look at all the fuss there has been about SSL, and it was supposed to be the most secure thing on the web.

      2.    peterczech said

It's just what I wrote yesterday above.. Export the public part of your own CA and offer it for download in the banner area, for example.. Then each of us can import it into our browsers and that's it. Verified site :D.

      3.    Joaquin said

I agree with what @peterczech says; you could put a banner in a corner announcing the news and leading to a post where everything is explained.
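Both threads above, peterczech's suggestion in comment 10 of running your own CA whose public certificate readers import, and the dhunter/elav exchange about what a self-signed certificate actually protects against, come down to one mechanism: the client only accepts a server certificate that chains to a CA it has been told to trust. The script below is an added example, not the blog's setup; it builds a throwaway "DesdeLinux CA" and a hostile one with openssl, issues certificates from each, and runs the same check a browser would. All names and files are assumed, and everything happens in a temporary directory.

```sh
#!/bin/sh
# Added example, not the blog's setup: a private CA with openssl and the
# trust decisions a client makes with it. Requires the openssl command.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Create a CA. $1.crt is the public part you would publish for readers to
# import; $1.key signs certificates and must never leave the signing host.
make_ca() {   # $1 = file prefix, $2 = CA display name
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a server certificate for host $1, signed by CA $2, written to $3.*
issue_cert() {  # $1 = hostname, $2 = CA prefix, $3 = output prefix
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 365 -out "$3.crt" 2>/dev/null
}

# A self-signed server certificate: no CA at all, the cert vouches for itself.
make_selfsigned() {  # $1 = hostname, $2 = output prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# The client's decision: does the presented cert chain to the CA I trust?
# (A browser additionally checks that the name in the cert matches the host.)
check_cert() {  # $1 = trusted CA cert, $2 = presented server cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

make_ca desdelinux-ca "DesdeLinux CA"                       # the blog's own CA
make_ca evil-ca "Evil CA"                                   # an attacker's CA
issue_cert blog.desdelinux.net desdelinux-ca blog           # the legitimate cert
issue_cert blog.desdelinux.net evil-ca mitm                 # same name, wrong signer
make_selfsigned blog.desdelinux.net selfsigned              # what "just accept it" serves

echo "reader imported desdelinux-ca.crt, site presents blog.crt:       $(check_cert desdelinux-ca.crt blog.crt)"
echo "reader imported desdelinux-ca.crt, attacker presents mitm.crt:   $(check_cert desdelinux-ca.crt mitm.crt)"
echo "reader imported desdelinux-ca.crt, site presents selfsigned.crt: $(check_cert desdelinux-ca.crt selfsigned.crt)"
echo "reader imported evil-ca.crt (trusts anything), attacker's cert:  $(check_cert evil-ca.crt mitm.crt)"
echo "files left in $WORK"
```

The third line is the crux of the disagreement: a bare self-signed certificate gives the client nothing to check against, so the reader's only option is to click through the warning, and a reader who clicks through will click through an attacker's certificate just the same. Publishing the CA certificate instead (peterczech's variant) restores the check, but only for readers who import it, and the file itself then needs to be fetched over a channel the attacker cannot tamper with, which on a plain-HTTP site is the original problem again.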

  19.   Voice said

I would not touch anything until Google publishes documentation on maintaining the two HTTP/S versions without losing SEO. In my opinion implementing HTTPS is no joke; it requires a lot of work.

    1.    elav said

      Good idea.

    2.    mstaaravin said

It is no joke for someone who doesn't know how or isn't a server administrator.

      1.    Zeokat said

Well mate, even today in 2017 migrating and auditing a migration from HTTP to HTTPS still gives you headaches no matter how much of a sysadmin-pro you think you are.

        You just have to look at how it is implemented on your blog to realize that you have done it wrong. As you well say, I don't know, nor am I a sysadmin, but... you, being one (or at least believing you are), have shown that you have no idea.

        Of course I would not hire you as a sysadmin after seeing the botched job you have done.

  20.   rotietip said

If you had asked this a few years ago, I would have said to choose option 2 without hesitation, but what about mobile users who only connect through the data plan offered by their phone company? Many of them have a fixed amount of data per day (usually between 500 MB and 1 or 2 GB depending on the plan and the company). Since https requires additional bandwidth, if unsecured traffic is blocked, many might think twice before viewing the site from a smartphone without Wi-Fi nearby, and that could negatively affect visits.

    1.    peterczech said

This is nonsense.. What you are describing is determined by the content of the web page and not by the SSL certificate..

  21.   Pedro Romero said

First of all, a cordial greeting. I really like your blog; I have followed it since I got into the computer world and I have found it very good.

    From my personal point of view and experience, if you have http, there is the possibility that when a user connects they may be the victim of a man in the middle forcing them to see the connection without encryption; the other thing is that many browsers or devices do not have SSL, a case that occurs here in Venezuela, where technology is expensive...

    1.    yukiteru said

SSL is integrated in almost all current browsers (even IE has it), and at the mobile device level most of them already come with that support too, so if you use BlackBerry, Android, Firefox OS, Nokia OS or BREW you shouldn't worry about that 🙂

  22.   French said

Do you really believe that X.509 certificates are safe?
    http://64.233.185.141/translate_c?depth=1&hl=es&ie=UTF8&nv=1&prev=_m&rurl=translate.google.com.cu&sl=auto&tl=es&u=http://okturtles.com/&usg=ALkJrhgh7R1XoVQIboP9GTkaBW_mwXuq4Q
    So encrypted.google.com is more secure than startpage.com/eng/download-startpage-plugin.html? I highly doubt it.

  23.   rawBasic said

I'd go for a hybrid option: have both https and http redirected to secure https connections.. ..and a subdomain option that would be the entry to the blog but over http, such as portucuenta.desdelinux.net or inseguro.desdelinux.net.. ..or similar, making the user's decision to use an insecure connection fully voluntary and conscious..

  24.   auroszx said

Well... it seems to me that it is enough to enable HTTPS and redirect whoever comes in over HTTP. That is, alternative option 1.

  25.   Bart said

In summary, and weighing the best comments, it seems clear to lean towards option 1.

  26.   Gonzalo said

Besides, by using https we can get past the filters of many proxies that companies use; in mine, for example, using https I can get past the proxy's content filters >:)

  27.   kevinjhon said

    I choose option 1

  28.   Horacio said

I have a question: which consumes more bandwidth, http or https, and by how much, in what proportion? Does it depend on the certificate used, 128, 256 bits, etc.?
    Thank you