Anne van Kesteren

TLS: first steps

Given Pervasive Monitoring Is an Attack and the proposal to require TLS for new platform features I was ready to invest some time. Overall TLS advocacy is increasing. On IRC someone quipped “TLS is the new utf-8”.

TLS helps with protecting credentials, what content is being viewed, the path and query components of a URL, and provides an assurance you are actually getting content from the given domain rather than an attacker. Of course, if the given domain is compromised or talks to other domains in the backend without encryption, you are none the wiser. That relies on the user trusting the domain owner.

TLS used to not have an equivalent to the Host header, requiring a unique IP address for each domain you wanted to have TLS on. With the Server Name Indication (SNI) extension, TLS has become virtually free. The catch is that older Android and Internet Explorer on Windows XP will not be able to get to your domain. (Just as Internet Explorer 2 cannot get to your domain now as it likely requires a Host header.) Python 2 is being patched.

Mathias already has TLS deployed and asked if html5.org could follow. I use DreamHost. DreamHost supports “Secure Hosting” though does not use it much itself yet unfortunately and has ample room for improvement. Their support team claims they are working on it as they are transitioning to a new OS for their servers.

DreamHost is also rather expensive for certificates. StartTLS is not, so I created an account there. Unfortunately html5.org has a number of subdomains so I had to pay USD 60 to get myself validated. That way I get access to more elaborate certificates. Lacking proof of my mobile phone number I am now waiting up to ten business days for a letter with a key to arrive that will get me said validation. Otherwise StartSSL has been excellent in support so far and although the UI leaves much to be desired, it is workable.

Another problem remaining with DreamHost (shared hosting) is that databases are on a different domain and the connection to it is not encrypted. Now they claim to have safety measures in place and generally only allow internal access to those databases, but that could be better still. (See To Celebrate Spying on Google Users, the NSA Drew a Smiley Face.)