Wildcard subdomain SSL certificates with Let's Encrypt and Bunny DNS
Creating wildcard subdomain SSL certificates isn't as straightforward with Let's Encrypt as a normal SSL certificate.
Read more [rias.be]
Posts tagged with https
If you're going to use basic auth, make sure that you use HTTPS.
Read more [joeldare.com]
– michielkempen.com - submitted by Michiel Kempen
What is the TrustProxies middleware and how can it help you generate secure HTTPS URLs, even when running Laravel behind a proxy?
Read more [michielkempen.com]
In a new post at the Oh Dear blog, there's a good explanation how HSTS improves security.
HSTS stands for HTTP Strict Transport Security. It's a mechanism that allows a website to signal that it should only be reached via HTTPS - the encrypted HTTP - instead of the plain text HyperText Transfer Protocol.
Read more [ohdear.app]
Mattias Geniar argues that you shouldn't buy extended validation certificates.
You know those certificates you paid 5x more for than a normal one? The ones that are supposed to give you a green address bar with your company name imprinted on it? It's been mentioned before, but my take is the same: they're dead.
Read more [ma.ttias.be]
In a new blogpost Troy Hunt explains why you shouldn't bother buying an EV certificate anymore.
That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS
Read more [www.troyhunt.com]
Following is a list of the world's top 100 websites by Alexa rank not automatically redirecting insecure requests to secure ones. You'll then find the top 50 sites by country underneath that. The data is driven by Scott Helme's nightly crawl and is explained in detail in the launch blog post for this project.
https://whynohttps.com/
Together with Mattias I've been working on Oh Dear! for the last couple months. We launched it last week. If you want to try it out, just register and you'll get a trial period of 10 days. No credit card is needed.
I plan on writing a few technical posts on the whole project in the next couple of months. Right now you can already read this excellent article written by Paul Redmond about what Oh Dear! can do for you.
What differentiates Oh Dear from other uptime monitoring solutions, in my opinion, is the mixed content detection and SSL certificate monitoring. The web is moving to HTTPS, and your site’s availability can be affected by modern browsers when things go awry with your certificate.
https://laravel-news.com/oh-dear-app
Over at Laravel News Mike Bronner wrote some tips on how to achieve an A+ rating for your HTTPS website.
Let’s take a few extra minutes to optimize your server and help it perform faster and be more secure. In this tutorial we will look at using SSL session caching, HTTP Strict Transport Security (HSTS), and Hypertext Transfer Protocol 2 (HTTP/2).
https://laravel-news.com/2016/01/optimizing-ssl-laravel-forge/
In 2015 web developers understand more about SSL than they ever have. If you read Hacker News you should know:
https://certsimple.com/blog/obsolete-cipher-suite-and-things-web-developers-should-know-about-ssl
What about the rest?
- You can get domain validated (DV) certs from Let's Encrypt for free.
- You can get extended validation (EV) certs from CertSimple with checks before you pay. That's us by the way!
- The Mozilla SSL Config Generator can set up your server as secure as possible for the browsers you want to support.
- When you're done, use SSL Labs to check everything. Make sure you get an A, otherwise people will pick on you.
If you have a form on your website where one of the fields is of the `type="password"`, the page will now be marked as insecure in your browser if it is served over a plain HTTP connection.
https://ma.ttias.be/firefox-nightly-starts-marking-login-forms-in-http-as-insecure/
https://medium.com/@guypod/10-reasons-to-go-https-a2cba5734bb6
Today, however, there are more reasons than ever to switch to HTTPS — even for a news site, corporate site, or any site that doesn’t consider itself at the top of the security food chain. HTTPS adoption grew 80% last year alone, much faster than previous years, but we’re still very far from encryption being the norm.
If you’re not convinced HTTPS is right for you, or need ammo to convince your peers and bosses, here are 10 good reasons to go HTTPS.
When installing an SSL certificate on your server you should install all intermediate certificates as well. If you fail to do so, some browsers will report “untrusted” warnings for your site like this one.
Searching and downloading those intermediate certificates can be a hassle.
Today my colleagues at Spatie and I launched certificatechain.io. This online tool helps you download all intermediate certificates. Just paste or upload your certificate and you'll get a file containing the entire trust chain that you can install on your server.
The site is built with Laravel 5 and uses the SSL certificate chain resolver we made last month.
All operating systems contain a set of default trusted root certificates. But CAs usually don't use their root certificate to sign customer certificates. Instead they use so-called intermediate certificates, because they can be rotated more frequently.

This tool downloads all the intermediate certificates in the trust chain.

A certificate can contain a special Authority Information Access extension (RFC-3280) with a URL to the issuer's certificate. Most browsers can use the AIA extension to download the missing intermediate certificates to complete the certificate chain. This is the exact meaning of the Extra download message. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such a certificate as untrusted.

A server should always send a complete chain, which means concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.
Compare load times of the unsecure HTTP and encrypted HTTPS versions of this page.
https://www.httpvshttps.com/