Wildcard subdomain SSL certificates with Let's Encrypt and Bunny DNS
Creating wildcard subdomain SSL certificates isn't as straightforward with Let's Encrypt as a normal SSL certificate.
Read more [rias.be]
Posts tagged with ssl
Earlier this year, Apple announced that it will limit the lifetime of trusted certificates to 398 days. Shortly after, both Firefox and Chrome followed in their footsteps.
Read more [ohdear.app]
Oh Dear performs SSL certificate monitoring in a slightly different way than other services, which is why it was able to detect a problem with the SSL certificates of a very large, commercial CDN provider.
Read more [ohdear.app]
On the Oh Dear blog, Mattias Geniar shares how he found all certificates that were affected by Let's Encrypt's mass revocation of SSL certificates.
Read more [ohdear.app]
My buddy Mattias explains how you can use Laravel and Caddy to handle https traffic to dynamic subdomains.
We recently launched our new Status Page feature. Under the hood, it's using the Caddy proxy server and Laravel's subdomain routing to serve the right status page on the right domain. With this technology stack, we can automatically generate, configure & renew the SSL certificates for custom domains of our clients.
Read more [ohdear.app]
In a new post at the Oh Dear blog, there's a good explanation of how HSTS improves security.
HSTS stands for HTTP Strict Transport Security. It's a mechanism that allows a website to signal that it should only be reached via HTTPS - the encrypted HTTP - instead of the plain text HyperText Transfer Protocol.
Read more [ohdear.app]
Mattias Geniar argues that you shouldn't buy extended validation certificates.
You know those certificates you paid 5x more for than a normal one? The ones that are supposed to give you a green address bar with your company name imprinted on it? It's been mentioned before, but my take is the same: they're dead.
Read more [ma.ttias.be]
In a new blogpost Troy Hunt explains why you shouldn't bother buying an EV certificate anymore.
That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS
Read more [www.troyhunt.com]
Following is a list of the world's top 100 websites by Alexa rank not automatically redirecting insecure requests to secure ones. You'll then find the top 50 sites by country underneath that. The data is driven by Scott Helme's nightly crawl and is explained in detail in the launch blog post for this project.
https://whynohttps.com/
Scott Helme, creator of securityheaders.io, wrote a good introduction to certificate transparency.
Certificate Transparency is an open framework for monitoring and auditing the certificates issued by Certificate Authorities in near real-time. By requiring a CA to log all certificates they generate, site owners can quickly identify mis-issued certificates and it becomes much easier to detect a rogue CA.
https://scotthelme.co.uk/certificate-transparency-an-introduction/
Oh Dear!, my side project, leverages certificate transparency logs to send you a notification as soon as a new certificate is issued for your domain.
In a new article on his blog Ian Carroll shows that it's quite easy to trick users into thinking that they're connected to the right site.
Extended validation ("EV") certificates are a unique type of certificate issued by certificate authorities after more extensive validation of the entity requesting the certificate. In exchange for this more rigorous vetting, browsers show a special indicator like a green bar containing the company name, or in the case of Safari completely replace the URL with the company name. ... Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for "Stripe, Inc", that was legitimately issued by Comodo.
https://stripe.ian.sh/
Together with Mattias I've been working on Oh Dear! for the last couple months. We launched it last week. If you want to try it out, just register and you'll get a trial period of 10 days. No credit card is needed.
I plan on writing a few technical posts on the whole project in the next couple of months. Right now you can already read this excellent article written by Paul Redmond about what Oh Dear! can do for you.
What differentiates Oh Dear from other uptime monitoring solutions, in my opinion, is the mixed content detection and SSL certificate monitoring. The web is moving to HTTPS, and your site’s availability can be affected by modern browsers when things go awry with your certificate.
https://laravel-news.com/oh-dear-app
If you need a free SSL certificate, Let's Encrypt seems like the obvious way to go. But the installation and renewal process of Let's Encrypt surely has its caveats. An alternative to Let's Encrypt is to use a free certificate issued by Cloudflare. On his blog Taylor Otwell published a post explaining how to request and install such a certificate.
I personally prefer to use Cloudflare, another service that offers free SSL certificates, as well as a variety of other free and paid services that are useful for web developers. I prefer Cloudflare because:
- Cloudflare doesn’t require any renewal process to ever run on my server. LetsEncrypt renewals must run on my server at least every 3 months and that’s just one more thing that sometimes can (and does) go wrong.
- Cloudflare supports wildcard sub-domains.
https://medium.com/@taylorotwell/free-wildcard-ssl-using-forge-cloudflare-ab0ebfbf129f
Today we released our newest package: spatie/laravel-uptime-monitor. It's a powerful, easy to configure uptime monitor. It's written in PHP and distributed as a Laravel package. It will notify you when your site is down (and when it comes back up). You can also be notified a few days before an SSL…
On his blog Simone Carletti gives a good overview of everything Let's Encrypt has to offer (and he also touches on what the service doesn't offer)
Let’s Encrypt is a new certificate authority that entered the internet scene at the end of 2015. ... However, Let’s Encrypt is not only free. Quoting the homepage: Let’s Encrypt is free, automated, and open. But what does it mean? In this article I’ll share some of the direct consequences of that quote to help you better understand how Let’s Encrypt (currently) works. My goal here is not to judge or advertise the service offered by Let’s Encrypt (either in a negative or positive way), rather provide an overview of what you should expect if you use this service, and let you decide whether Let’s Encrypt is a good fit for you or not.
https://simonecarletti.com/blog/2016/02/things-about-letsencrypt/
With vanilla PHP it's possible to check if the SSL certificate of a given site is valid. But it's kinda madness to do it. Let's look at the code required:
// Step 1: downloading the certificate from the site
$timeout = 30; // connection timeout in seconds
$streamContext = stream_context_create([
    'ssl' => [
        'capture_peer_cert' => true,
    ],
]);
$client = stream_socket_client(
    "ssl://spatie.be:443",
    $errorNumber,
    $errorDescription,
    $timeout,
    STREAM_CLIENT_CONNECT,
    $streamContext
);
$response = stream_context_get_params($client);
$certificateProperties = openssl_x509_parse($response['options']['ssl']['peer_certificate']);
// Step 2: parsing the certificate
/*
 * I'm not even going to type out the further code needed.
 *
 * `$certificateProperties` has two keys `validFrom_time_t` and `validTo_time_t`.
 * Those keys contain the validity dates as UTC Unix timestamps.
 * You will need to check if the current date is between those dates.
 */
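For completeness, here is the rest of that vanilla check written out. This is an added example, not code from the original post or from the spatie package: it fetches the leaf certificate the same way, then checks the validity window and whether a hostname is covered by the CN or a subjectAltName entry (wildcards included). The host `spatie.be` is only a sample input; the function names are my own.

```php
<?php
// Added example, not from the original post: the rest of the vanilla check. Downloads the leaf
// certificate, then checks the validity window and hostname coverage (CN/SAN, wildcards). Needs PHP 8.
function fetchPeerCertificate(string $host, int $port = 443, int $timeout = 10): array
{
    $context = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        // Verification is off on purpose: inspect an expired or mismatched cert instead of failing the handshake.
        'verify_peer'       => false,
        'verify_peer_name'  => false,
    ]]);
    $client = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $context)
        ?: throw new RuntimeException("Could not connect to {$host}:{$port}: {$errstr} ({$errno})");
    $params = stream_context_get_params($client);
    fclose($client);
    return openssl_x509_parse($params['options']['ssl']['peer_certificate'])
        ?: throw new RuntimeException("Could not parse the certificate served by {$host}");
}
// Every DNS name the certificate covers: the subject CN plus the DNS: entries of subjectAltName.
function coveredDomains(array $cert): array
{
    $names = empty($cert['subject']['CN']) ? [] : [strtolower($cert['subject']['CN'])];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        if (stripos(trim($entry), 'DNS:') === 0) {
            $names[] = strtolower(substr(trim($entry), 4));
        }
    }
    return array_values(array_unique($names));
}
// A wildcard matches exactly one label: *.spatie.be covers www.spatie.be, but not spatie.be or a.b.spatie.be.
function domainIsCovered(array $cert, string $domain): bool
{
    $domain = strtolower($domain);
    foreach (coveredDomains($cert) as $name) {
        $suffix = substr($name, 1);                     // "*.spatie.be" -> ".spatie.be"
        $prefix = substr($domain, 0, -strlen($suffix)); // what the "*" would have to stand for
        if ($name === $domain || (str_starts_with($name, '*.') && str_ends_with($domain, $suffix)
                && $prefix !== '' && !str_contains($prefix, '.'))) {
            return true;
        }
    }
    return false;
}
function certificateIsValid(array $cert, string $domain, ?int $now = null): bool
{
    $now ??= time();
    return $now >= $cert['validFrom_time_t'] && $now <= $cert['validTo_time_t'] && domainIsCovered($cert, $domain);
}
$cert = fetchPeerCertificate('spatie.be'); // sample host
var_dump(certificateIsValid($cert, 'spatie.be'), certificateIsValid($cert, 'laravel.com'));
```

Note that this only inspects the leaf certificate; chain validation is what `verify_peer` does for you, and it is deliberately switched off here so an already-broken certificate can still be examined.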
What. The. Actual. F. Let's fix this!
We've released a new package named spatie/ssl-certificate that makes checking the SSL certificate of a site laughably easy. Let's take a look at the code:
$certificate = SslCertificate::createForHostName('spatie.be');
$certificate->isValid(); // returns true if the certificate is currently valid
Boom, done.
The package has a few more methods that make working with an SSL certificate a breeze:
$certificate->getIssuer(); // returns "Let's Encrypt Authority X3"
$certificate->getDomain(); // returns "spatie.be"
// A certificate can cover multiple (sub)domains. Here's how to get them.
$certificate->getAdditionalDomains(); // returns ["spatie.be", "www.spatie.be"]
$certificate->validFromDate(); // returns an instance of Carbon
$certificate->getExpirationDate(); // returns an instance of Carbon
You can also use isValid to determine if a given domain is covered by the certificate. Of course it'll keep checking if the current datetime is between validFromDate and expirationDate.
$certificate->isValid('spatie.be'); // returns true
$certificate->isValid('laravel.com'); // returns false
The source code of the package is available on GitHub. My company has made many more PHP framework agnostic, Laravel and JavaScript packages in the past. Take a look at the open source page at our site to see if we've made anything that could be of use to you.
Cloudflare pushes forward! Read the entire article for a good explanation on http2 and server push.
Today, we’re happy to announce HTTP/2 Server Push support for all of our customers. Server Push enables websites and APIs to speculatively deliver content to the web browser before the browser sends a request for it. This behavior is opportunistic, since in some cases, the content might already be in the client’s cache or not required at all.
https://blog.cloudflare.com/announcing-support-for-http-2-server-push-2/
In semi-related news: Laravel Forge recently made a nice change as well. If you install an SSL certificate on a Forge provisioned server, http2 will be enabled by default.
Added on 2016-04-28: newly provisioned Forge servers will now use http2 by default whenever you install an SSL certificate.
Like mentioned in the post on how to upgrade PHP, I'm a big fan of Forge. By default sites provisioned by Forge use regular http. Let's learn how to enable http2.
The http2 protocol provides a lot of benefits over http. In short, it'll make your website load much faster. If you want to know how this protocol works under the hood, watch this excellent video by Mattias Geniar or read this blogpost at Cloudflare. Here's an interesting test by (again) Mattias that shows the potential speed improvements.
A prerequisite for using http2 is that you serve your website via an encrypted connection (note: this is not 100% true but virtually all major browsers won't support http2 via unencrypted connections). Thanks to LetsEncrypt you can get free ssl certificates. Watch this free video on Laracasts to learn how to install a LetsEncrypt certificate.
Support for http2 was introduced in Nginx 1.9.5. You can check the version number of your Nginx installation by running nginx -v. If you're on 1.9.5 or higher you're good. You just have to add http2 to a server block in the Nginx configuration:
server {
listen 443 ssl http2;
...
}
The Chrome developer tools can be used to check if your site is indeed using http2. The column "protocol" should display "h2".
Don't be overwhelmed with sadness if you're running something below Nginx 1.9.5. Upgrading is easy! Only three instructions are needed to upgrade to, at the time of this writing, Nginx 1.9.14:
sudo add-apt-repository ppa:nginx/development
sudo apt-get update
sudo apt-get install nginx
Over at Laravel News Mike Bronner wrote some tips on how to achieve an A+ rating for your HTTPS website.
Let’s take a few extra minutes to optimize your server and help it perform faster and be more secure. In this tutorial we will look at using SSL session caching, HTTP Strict Transport Security (HSTS), and Hypertext Transfer Protocol 2 (HTTP/2).
https://laravel-news.com/2016/01/optimizing-ssl-laravel-forge/
In 2015 web developers understand more about SSL than they ever have. If you read Hacker News you should know:
https://certsimple.com/blog/obsolete-cipher-suite-and-things-web-developers-should-know-about-ssl
What about the rest?
- You can get domain validated (DV) certs from Let's Encrypt for free.
- You can get extended validation (EV) certs from CertSimple with checks before you pay. That's us by the way!
- The Mozilla SSL Config Generator can set up your server as secure as possible for the browsers you want to support.
- When you're done, use SSL Labs to check everything. Make sure you get an A, otherwise people will pick on you.