Always-On SSL: What It Is and Why You Should Implement It

I've written a blog post about why SSL should be available and always on for your website. Let me know what you guys think. There's also a tip about NodeBalancers hidden in there ;)

https://felicianotech.com/blog/always-on-ssl-what-it-is-and-why-you-should-implement-it/

6 Replies

Cheers shared it with folks at https://community.letsencrypt.org/t/justification-for-encrypting-all-web-traffic/671/3 :)

@centminmod:

Cheers shared it with folks at https://community.letsencrypt.org/t/justification-for-encrypting-all-web-traffic/671/3 :)

Awesome! Thank you so much. I've been receiving traffic from that forum already. :)

SSL as a protocol is obsolete and completely vulnerable, I think you really mean TLS (Transport Layer Security).

Let's Encrypt is going to be a great service to the whole community.

I was going to add a reply to the guy who said only one IP per certificate but your forum only allows social media login. My reply would have been that you can have the certificate on a front-end server like Apache and use reverse proxy to connect to the server on the backend running on localhost. That's also a convenient way to have servers written in varying platforms and languages running under the protection of one public facing IP and certificate.

If the guy really meant one certificate per domain, I think you could still host multiple domains on one IP using SSL (well TLS) as long as you assign each one in the associated virtualhost config for each domain, though I've not tried that.

sjashe,

I do mean TLS. It's mentioned in my post.

jebblue,

You can comment using Disqus. You don't need a social media login. This is a great tip. I'll comment it on my post on your behalf. Thanks!

(I'm going to use the term SSL, as that is the common way for describing this stuff even if it isn't technically correct.)

Interesting about the one IP per certificate issue/discussion. This was often the case, and Linode still accept using a trusted signed HTTPS SSL cert as justification for another IP address, but for many years it has been possible to serve multiple SSL certs on different domains from a single IP address. This is known as Server Name Indication (SNI) and works under Apache and IIS and other popular web servers that support TLS. It seems the major pitfall is that it isn't supported on any XP compatible version of IE, but I'm not sure that really matters to many of us in 2015.

I have never actually used this - I still use 1 IP per cert, but has anyone any real life experience of SNI they care to share?

Good article here: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

Chris
