OK, it isn’t the biggest news story ever but if we didn’t tell you, you wouldn’t know. So here it is – every page of Naked Security is now available to everyone over HTTPS (including the one you’re reading).
HTTPS is the secure, encrypted version of the Hypertext Transfer Protocol – the language that your web browser uses when it’s talking to a website.
Using HTTPS instead of HTTP means that any data you send or receive, such as pages, cookies, images, comments, personal data or passwords, is encrypted and therefore unintelligible to anyone trying to eavesdrop on what you’re doing.
Since the earliest days of the web, HTTPS has been used to keep sensitive information like passwords and credit card numbers safe.
As web users have begun to understand how blanket surveillance works, and how it can make use of very large amounts of apparently mundane data, the demand for more routine use of encryption has grown.
Of course we haven’t just discovered HTTPS – the Naked Security team has always used HTTPS when logged in for tasks such as publishing articles, processing comments and carrying out administrative tasks.
However, because Naked Security is hosted by WordPress VIP, the pages that need encryption have also had to use a wordpress.com certificate and subdomain. As a result, we couldn’t use HTTPS with the site’s well-known and trusted public domain – nakedsecurity.sophos.com.
It was a situation we lived with, but we long harboured a desire to offer you, our readers, the option of using HTTPS, even though what you are reading is already publicly available information.
When the folks at WordPress VIP told us they were piloting the use of Server Name Indication (SNI), a technology that would allow us to offer HTTPS with the domain name our users know and trust, we jumped at the chance.
SNI will ‘just work’ for most people but isn’t supported by some very old software.
By the way, if you are browsing the web using technology that’s so old that it doesn’t support SNI, most notably Internet Explorer on Windows XP, then you likely have far more serious security problems to worry about than certificate errors on Naked Security and you probably shouldn’t be connected to the internet at all!
If you’d like to make sure you always read Naked Security over an encrypted connection then we recommend the Electronic Frontier Foundation’s HTTPS Everywhere. It’s a plugin that forces your browser to use HTTPS wherever it’s available.
To use HTTPS Everywhere with Naked Security, either configure it according to your own preference or download our HTTPS Everywhere ruleset and save it to the appropriate place on your system.
Good for WordPress for stepping up on the security – the no https has been an issue with many
What about people on Opera / Nokia browser on Symbian S60? On Android 2.3? Or BlackBerry OS 7.1 (devices still being sold…)?
Not trying to be funny – SNI is something I’ve waited YEARS to roll out 🙂
Those devices aren’t used very much with this site and they still have the option of browsing over HTTP, exactly the same as they did yesterday.
SNI is the only option for offering HTTPS on nakedsecurity.sophos.com so we had a straight choice between offering it for no people or offering it for most people.
Are you considering redirecting all traffic to HTTPS?
Eventually yes. To begin we’re offering it as an option with HTTP as the default. We’ll see what sort of problems crop up with HTTPS first and take it from there.
The instructions given are not user friendly at all! I’ve followed the instructions to find where to add the XML file, but the data given in the link for the rules is not an XML file but a few lines of code! We need a complete file that we can copy/paste into the appropriate Profiles location for Firefox. (I run 29.0.1)
I’m not a code-wise geek so cannot see what people need to do. Will you please provide the details in a form that mere users can manage?
Thanks
No, you’re right, they aren’t. The instructions are the best cross-platform instructions I could find unfortunately.
Firefox users should save the file to the HTTPSEverywhereUserRules subdirectory of their Firefox profile folder (which you can locate by following these instructions http://kb.mozillazine.org/Profile_folder_-_Firefox#Navigating_to_the_profile_folder).
Once you’ve done that restart Firefox.
The linked file is an XML file. If you’re having trouble getting it, right-click the link and choose ‘Save’.
The linked page shows only text, I presume that is the code that is supposed to be embedded in the XML file. But as it’s not a file you can’t copy it into the Profiles folder! That is the problem that needs to be solved. If someone with the skills can create the XML file for everyone to use that will be a great help.
The linked page is the XML file. If it doesn’t download when you click on it just come back to this page, right click on the link and choose ‘save’.
Hi Mark,
Thank you very much for providing this option. I’ve downloaded “HTTPS Everywhere” to Firefox and Chrome, but apparently it is unavailable for Safari just yet.
I also tried your link “download our HTTPS Everywhere ruleset” near the end of your newsletter, but the following text appeared:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
Thanks again,
Peter
Ok, great! Encouraging HTTPS and still sending HTTP in your daily email.
HTTP is our default right now and, whilst it’s new, HTTPS is an option. If you want to force HTTPS for Naked Security I encourage you to use HTTPS Everywhere.
FWIW, the HTTPS Everywhere plugin for Firefox works in SeaMonkey.
Good news… thanks, Pete!
Awesome guys! I installed the plugin (which I *should* have done a long time ago) and put in your ruleset. Works great and now I get https on all the Naked Security pages!
So beautiful it brings a tear to my eye…
Lol! So you want me to install “a plugin” and spend time configuring? Come on, guys! Do it right… users just want to type the URL and HTTPS should be ON by default, period.
So just go ahead and just type the URL in. The links between pages and to dependencies like images and libraries will adopt whatever protocol you typed so if you switch to https you’ll stay on https.
Uhmm… funny. What about those of us who didn’t know about your HTTPS and have bookmarked the old one without the “s”? … ON by default, that’s all, dude.
I was answering the question you asked about installing a plugin.
Once we know things are working well for the early adopter crowd we’ll make HTTPS available more widely.
The HTTPS Everywhere plugin doesn’t work for IE. Zscaler Tools has an ALPHA version that is supposed to work through IE 10 for some websites. How about just putting both the http and https links in your daily newsletters?
I think as soon as we iron out the kinks in our HTTPS implementation (some kinks you just can’t find before a full roll-out) we’ll just go ahead and switch the newsletter to HTTPS.
How about making NakedSecurity an STS site which forces HTTPS ….