Securing a Personal Website

So a while ago I decided that SSL/TLS (why it’s really TLS, not SSL) was the right thing to do, but CloudFlare’s blog, the seemingly endless run of TLS/SSL vulnerabilities, and the various blog posts explaining just how complicated it is to set up TLS (let alone get an A+ rating on SSL Labs’ SSL Test [1][2][3]), got me all depressed.

For a little while I considered holding out for the EFF-supported Let’s Encrypt project, which is supposed to make securing a website as easy as running two commands but: (a) it’s not available yet (it’s arriving “Mid-2015”); and (b) I’m skeptical that they can actually make it as easy as all that unless you’re running a very popular Linux distribution in a very default way, and I kinda wanted to get out of the business of running my own HTTP server anyway.

Sadly it seems that these days, outsourcing TLS is the only simple, secure and performant way to do it, as it is with DNS and SMTP. (This also provides a few other bells and whistles that would otherwise be hours or days of work to configure and maintain, like abuse protection, a reverse proxy and maybe even a CDN.)

I investigated two approaches in a little bit of detail—Gandi’s Simple Hosting and CloudFlare’s Free Plan in Flexible SSL mode—and eventually went with Gandi. CloudFlare has more features, is likely to be faster for anyone not in Paris (especially for the first page load), and is incredibly easy to set up and configure (you don’t even need to buy a certificate), but in the end it’s another piece of infrastructure to configure, if not exactly “manage”, and I already had a Gandi account and a happy relationship with them. A web site also seems like a fairly important bit of infrastructure to be handled by a free service, especially since you also need to use their DNS servers.

Anyway, the upshot of all this is that this site now runs on Gandi’s PaaS infrastructure, and I have an A+ rating on SSL Labs’ SSL Test. (Buying a certificate through Gandi got me to an A; the A+ comes from enabling HTTP Strict Transport Security, which is a little bit scary since I’m now committed to running https://beebo.org for at least a year.)
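The "committed for at least a year" part is decided by a single response header, so here is an added example (not code from the original post or from Gandi) that parses Strict-Transport-Security values the way RFC 6797 describes and reports what a site operator is actually signing up for: how long visiting browsers will refuse plain HTTP, whether every subdomain is dragged along, and whether the max-age clears the long-duration bar. The header strings are constructed samples, and the 180-day threshold is an assumption taken from SSL Labs' published rating guide for the A+ bonus, not something stated on this page.

```python
"""Parse and assess Strict-Transport-Security headers (RFC 6797 section 6.1).

Added example, not code from the original post. Header values used below are
constructed samples; LONG_DURATION is an assumed threshold mirroring SSL Labs'
"HSTS with long duration" requirement for the A+ bonus.
"""
from dataclasses import dataclass
from typing import Optional

ONE_DAY = 86400
LONG_DURATION = 180 * ONE_DAY  # assumption: SSL Labs' long-duration bar


@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser will insist on HTTPS
    include_subdomains: bool  # policy also applies to every subdomain
    preload: bool             # operator is asking to be shipped in browser lists

    @property
    def commitment_days(self) -> float:
        return self.max_age / ONE_DAY


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS header value.

    Rules from RFC 6797: directives are ';'-separated, names are
    case-insensitive, max-age is mandatory, a directive must not appear
    twice, and unknown directives are ignored rather than rejected.
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="31536000" is legal
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def is_valid_hsts(header: str) -> bool:
    """True if a browser would accept the header as a usable STS policy."""
    try:
        parse_hsts(header)
    except ValueError:
        return False
    return True


def assess(header: str) -> dict:
    """What the operator commits to, and whether it clears the long-duration bar.

    max-age=0 is the documented way to tell returning browsers to drop the
    policy; it only reaches visitors who come back over HTTPS before their
    cached max-age expires, which is why the commitment feels one-way.
    """
    policy = parse_hsts(header)
    return {
        "commitment_days": policy.commitment_days,
        "long_enough": policy.max_age >= LONG_DURATION,
        "covers_subdomains": policy.include_subdomains,
        "preload_requested": policy.preload,
        "zero_disables": policy.max_age == 0,
    }


if __name__ == "__main__":
    # Constructed sample: a one-year policy like the one implied above.
    for value in ("max-age=31536000",
                  "max-age=31536000; includeSubDomains; preload",
                  "max-age=86400",
                  "includeSubDomains"):
        print(value, "->", assess(value) if is_valid_hsts(value) else "rejected")
```

Before turning on includeSubDomains, check every hostname under the domain, including mail or legacy hosts that may have no certificate at all, because browsers will refuse plain HTTP to all of them for the full max-age.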