frozenfractal.com now available over HTTPS
As of just now, https://frozenfractal.com is a thing. This means you can browse my site securely, knowing that the NSA can probably not see which pages you are viewing. Sort of.
But in fact, everything on this site is public. Why use HTTPS to encrypt the connection at all? A selfish reason could be that, allegedly, it is good for your search engine ranking. There are other practical reasons too, including protecting site visitors against man-in-the-middle attacks that inject content (think malicious wifi routers).
But for me, the primary reason is just that it’s the Right Thing To Do™. I believe that end-to-end security on the web should be the default, no matter what type of content goes across the wire. This is also why I added redirects, so even if you try to be insecure and use HTTP, you can’t.
Thanks to Let’s Encrypt and Certbot, this was actually really easy to set up. Certbot is a Let’s Encrypt client that you install on your server. It automatically downloads the certificates and helps keep them up to date. What’s more, it automatically updates the web server configuration (nginx in my case). This is a bit scary, but it worked well for me, despite about twenty subdomains, some of which have custom configuration. All in all, it took only 15 minutes or so to get HTTPS up and running.
More time went into updating all the games to keep working. As it
turns out, I often used absolute URLs with http://
to refer to externally
hosted style sheets and scripts (e.g. Google Fonts and jQuery), and browsers
will refuse to load this if the origin page is served over HTTPS. The fix is to
remove http:
, ending up with a weird looking URL like
//ajax.googleapis.com/...
. This means “use the same protocol as the origin
site”, so it does the right thing in all cases. (Alternatively, always writing
https://
also works.)
So there you go. This site has arrived in the 21st century. Happy secure browsing!