Web Security and Cloudflare
I’ve never had to deal with SSL certificates before. That’s always been someone else’s responsibility. Being ignorant of the technical details, the idea of setting up SSL/TLS wrong scares me. The idea of my visitors seeing those browser warnings scares me even more. And they’re getting scarier by the year.
I listened to an episode of the ShopTalk podcast with guests April King and Alex Sexton. They talk web security. I won’t paraphrase the whole discussion but one point sold me. It’s possible for a man-in-the-middle to inject anything into an unsecured web page. One could fake security messages in an attempt to phish information. Or inject advertisements (the example given). Unsolicited ads actually make me angriest. I used to wonder why anyone would attack my website, but I realise that is missing the point. It doesn’t always matter what the website is for such attacks to work.
I’m in. Encryption across the entire web.
There are a couple of free options I know of. Let’s Encrypt and Cloudflare. I opted to go with Cloudflare since they offer more services (DNS management, CDN caching). They also have a handy article: Secure and fast GitHub Pages with CloudFlare.
So that’s what I set up.
Cloudflare has a great on-boarding process. You enter your domain and a video guide plays whilst Cloudflare scans DNS records. You’re then shown the new configuration — which you now understand — along with new nameservers, should you choose to continue. It was reassuring to see correct handling of my email records. So I clicked ‘continue’.
🔒 It’s long overdue, but that little padlock is now protecting my website. Or it should be if DNS propagates and I don’t need a VPN to check it’s working. My ISP seems to be the last place on earth to update their cache.
I’ve also unlocked a new achievement by using Cloudflare. The final green checkbox on webpagetest.org that has eluded me for so many years.
That’s rather pleasing to see.