Securing a Personal Website

14 March 2015

So a while ago I decided that SSL/TLS (why it’s really TLS, not SSL) was the right thing to do, but CloudFlare’s blog, the seemingly endless run of TLS/SSL vulnerabilities, and the various blog posts explaining just how complicated it is to set up TLS (let alone get an A+ rating on SSL Labs’ SSL Test [1][2][3]), got me all depressed.

For a little while I considered holding out for the EFF-supported Let’s Encrypt project, which is supposed to make securing a website as easy as running two commands, but: (a) it’s not available yet (it’s arriving “Mid-2015”); and (b) I’m skeptical that they can actually make it as easy as all that unless you’re running a very popular Linux distribution in a very default way, and I kinda wanted to get out of the business of running my own HTTP server anyway.

Sadly it seems that these days, outsourcing TLS is the only simple, secure and performant way to do it, as it is with DNS and SMTP. (This also provides a few other bells and whistles that would otherwise be days or hours of work to configure and maintain, like abuse protection, a reverse proxy and maybe even a CDN.)

I’ve investigated two approaches in a little bit of detail—Gandi’s Simple Hosting and CloudFlare’s Free Plan in Flexible SSL mode—and eventually went with Gandi. CloudFlare has more features, is likely to be faster for anyone not in Paris (especially for the first page load), and is incredibly easy to set up and configure (you don’t even need to buy a certificate), but in the end it’s another piece of infrastructure to configure, if not exactly “manage”, and I already had a Gandi account, and a happy relationship with them. A web site also seems like a fairly important bit of infrastructure to be handled by a free service, especially since you also need to use their DNS servers.

Anyway, the upshot of all this is that this site now runs on Gandi’s PaaS infrastructure, and I have an A+ rating on SSL Labs’ SSL Test. (Buying a certificate through Gandi got me to an A; the A+ comes from enabling HTTP Strict Transport Security, which is a little bit scary since I’m now committed to serving the site over HTTPS for at least a year.)
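What that HSTS commitment means in practice, as an added example (not code from the original post): a small parser for the Strict-Transport-Security header value that reports how long browsers will refuse plain HTTP for the site after seeing it. The sample header value below is constructed, not copied from any real site.

```python
# Constructed sample: the kind of header value a site enabling HSTS sends.
SAMPLE_HEADER = "max-age=31536000; includeSubDomains"

ONE_YEAR = 365 * 24 * 3600  # seconds


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive and max-age is mandatory
    (RFC 6797). Returns None when the header is absent or malformed,
    which a browser treats the same as no HSTS policy at all.
    """
    if not header:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def hsts_commitment(header):
    """Describe what a browser that has seen this header will remember.

    For max_age seconds it will upgrade every http:// URL for the host to
    https:// and refuse to proceed past certificate errors, so the
    certificate must stay valid for the whole period. max-age=0 tells the
    browser to forget the policy.
    """
    parsed = parse_hsts(header)
    if parsed is None:
        return {"enabled": False}
    return {
        "enabled": parsed["max_age"] > 0,
        "days": parsed["max_age"] // 86400,
        "at_least_a_year": parsed["max_age"] >= ONE_YEAR,
        "covers_subdomains": parsed["include_subdomains"],
    }
```

Running `hsts_commitment(SAMPLE_HEADER)` reports a 365-day commitment that also covers subdomains, which is the year-long lock-in the post refers to.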