{"id":950,"date":"2015-03-09T19:25:40","date_gmt":"2015-03-10T02:25:40","guid":{"rendered":"https:\/\/galencharlton.com\/blog\/?p=950"},"modified":"2015-03-17T06:56:01","modified_gmt":"2015-03-17T13:56:01","slug":"notes-on-making-my-wordpress-blog-https-only","status":"publish","type":"post","link":"https:\/\/galencharlton.com\/blog\/2015\/03\/notes-on-making-my-wordpress-blog-https-only\/","title":{"rendered":"Notes on making my WordPress blog HTTPS-only"},"content":{"rendered":"

The other day I made this blog, galencharlton.com\/blog\/<\/a>, HTTPS-only. \u00a0In other words, if Eve\u00a0want to sniff what Bob is reading on my blog,\u00a0she’ll need to do more than just capture packets between my blog and Bob’s computer to do so.<\/p>\n

This is not bulletproof: perhaps Eve is in possession of truly spectacular computing capabilities or a breakthrough in cryptography and can break the ciphers. Perhaps she works for any of the sites that host external images, fonts, or analytics for my blog and has access to their server logs containing referrer headers information. \u00a0Currently these sites are Flickr (images), Gravatar (more images), Google (fonts) or WordPress (site stats \u2013 I will be changing this soon, however). Or perhaps she’s installed a keylogger on Bob’s computer, in which case anything I do to protect Bob is moot.<\/p>\n

Or perhaps\u00a0I<\/strong> am Eve and I’ve set up a dastardly plan to entrap people by recording when they read\u00a0about MARC records, then showing up at Linked Data conferences and disclosing that activity. \u00a0Or vice versa.\u00a0(Note: I will not actually do this.)<\/em><\/p>\n

So, yes \u2013 protecting the privacy of one’s website visitors is hard; often the best we can do is be better at it than we were yesterday.<\/p>\n

To that end, here are some notes on how I made my blog require HTTPS.<\/p>\n

Certificates<\/h2>\n

I got my SSL certificate from Gandi.net. Why them? \u00a0Their price was OK, I already register my domains through them, and I like their corporate philosophy: they support a number of free and open source software projects; they’re not annoying about up-selling, and they have never (to my knowledge) run sexist advertising, unlikely some of their larger and more well-known competitors. But there are, of course, plenty of options for getting SSL certificates, and once Let’s Encrypt<\/a>\u00a0is in production, it should\u00a0be both cheaper and easier for me to replace the certs next year.<\/p>\n

I have three subdomains of galencharlton.com that I wanted a certificate for, so I decided to get a multi-domain certificate. \u00a0I consulted\u00a0this tutorial<\/a> by rtCamp to generate the CSR.<\/p>\n

After following the tutorial to create a modified version of openssl.conf<\/code>\u00a0specifying the\u00a0subjectAltName values I needed, I generated a new private key and a certificate-signing request as follows:<\/p>\n

openssl req -new -key galencharlton.com.key \\\r\n  -out galencharlton.com.csr \\\r\n  -config galencharlton.com.cnf \\\r\n  -sha256<\/pre>\n
The openssl<\/code> command asked me a few questions; the most important of which being the value to set the common name (CN) field; I used “galencharlton.com” for that, as that’s the primary domain that the certificate protects.<\/p>\n
I then entered the text of the CSR into a form and paid the cost of the certificate. \u00a0Since I am a library techie, not a bank, I purchased a domain-validated certificate. \u00a0That means that all I had to prove to the certificate’s issuer that I had control of the three domains that the cert should cover. \u00a0That validation could have been done via email to an address at galencharlton.com or by inserting a special TXT field to the DNS zone file for galencharlton.com. I\u00a0ended up choosing to go the route of placing a file on the web server whose contents and location were specified by the issuer; once they (or rather, their software) downloaded the test files, they had some assurance that I had control of the domain.<\/p>\n
In due course, I got the certificate. \u00a0I put it and the intermediate cert specified by Gandi in the \/etc\/ssl\/certs<\/code> directory on my server and the private key in \/etc\/private\/<\/code>.<\/p>\n
Operating System and Apache configuration<\/h2>\n
Various vulnerabilities in the OpenSSL library or in HTTPS itself have been identified and mitigated over the years: suffice\u00a0it to say that it is a BEASTly CRIME to make a POODLE suffer a HeartBleed — or something like that.<\/p>\n
To avoid the known problems, I wanted to ensure that I had a recent enough version of OpenSSL on the web server and had configured Apache to disable insecure protocols (e.g., SSLv3) and eschew bad ciphers.<\/p>\n
The server in question is running Debian Squeeze LTS, but since OpenSSL 1.0.x is not currently packaged for that release, I ended up adding Wheezy to the APT repositories list and upgrading the openssl and apache2 packages.<\/p>\n
For the latter, after some Googling I ended up adapting the recommended Apache SSL virtualhost configuration from this blog post<\/a> by Tim Janik. \u00a0Here’s what I ended up with:<\/p>\n
<VirtualHost _default_:443>\r\n    ServerAdmin gmc@galencharlton.com\r\n    DocumentRoot \/var\/www\/galencharlton.com\r\n    ServerName galencharlton.com\r\n    ServerAlias www.galencharlton.com\r\n\r\n    SSLEngine on\r\n    SSLCertificateFile \/etc\/ssl\/certs\/galencharlton.com.crt\r\n    SSLCertificateChainFile \/etc\/ssl\/certs\/GandiStandardSSLCA2.pem\r\n    SSLCertificateKeyFile \/etc\/ssl\/private\/galencharlton.com.key\r\n    Header add Strict-Transport-Security \"max-age=15552000\"\r\n\r\n    # No POODLE\r\n    SSLProtocol all -SSLv2 -SSLv3 +TLSv1.1 +TLSv1.2\r\n    SSLHonorCipherOrder on\r\n    SSLCipherSuite \"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+\r\naRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL\r\n!LOW !RC4 !MD5 !EXP !PSK !SRP !DSS\"\r\n\r\n<\/VirtualHost><\/pre>\n
I also wanted to make sure that folks coming in via old HTTP links would get permanently redirected to the HTTPS site:<\/p>\n
<VirtualHost *:80>\r\n    ServerName galencharlton.com\r\n    Redirect 301 \/ https:\/\/galencharlton.com\/\r\n<\/VirtualHost>\r\n\r\n<VirtualHost *:80>\r\n    ServerName www.galencharlton.com\r\n    Redirect 301 \/ https:\/\/www.galencharlton.com\/\r\n<\/VirtualHost><\/pre>\n
Checking my work<\/h2>\n
I’m a big fan of the Qualsys SSL Labs server test<\/a>\u00a0tool, which does a number of things to test how well a given website implements HTTPS:<\/p>\n