NPI's Cascadia Advocate

Offering commentary and analysis from Washington, Oregon, and Idaho, The Cascadia Advocate is the Northwest Progressive Institute's unconventional perspective on world, national, and local politics.

Sunday, January 24th, 2016

Browse with confidence: Permanent Defense and Pacific NW Portal have gone HTTPS-only

Last spring, we embarked on an ambitious project to strengthen the security of the Northwest Progressive Institute’s network of websites by making them available only over HTTPS, beginning with this domain, nwprogressive.org, and all the publications housed under it, like the Cascadia Advocate.

Today, we are pleased to announce that we have done the same for two of our oldest projects as well: Permanent Defense and Pacific NW Portal. Both will be celebrating their anniversaries within the next few weeks.

Going HTTPS-only takes work. It involves setting up secure hosting, installing professionally-signed secure certificates, eliminating mixed-content warnings by preventing images and stylesheets from being served over regular ol’ HTTP, and finally, configuring our servers to seamlessly reroute HTTP requests to HTTPS.

But it’s definitely worth it.

See, when you connect to one of our websites over HTTPS, your session is encrypted. That makes eavesdropping by a third party much more difficult. If you happen to leave a comment or submit a form while visiting one of our sites, the contents of that communication are encrypted while in transit to our server.

Wikipedia explains:

In its popular deployment on the internet, HTTPS provides authentication of the website and associated web server with which one is communicating, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with precisely the website that one intended to communicate with (as opposed to an impostor), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

HTTPS cannot hide the address of a website a user is connecting to, or mask the ports being used, due to the nature of the TCP/IP protocols the Internet uses. However, request URLs (specific pages visited by the user), query parameters, headers, and cookies can all be encrypted using HTTPS.

Historically, setting up and operating HTTPS-only websites was expensive, and required the purchase of unique IPs and pricey professionally-signed certificates. But with the advent of Server Name Indication (SNI) and the availability of free professionally-signed certificates from Let’s Encrypt and Amazon Trust Services, it’s easier than it ever has been to go HTTPS-only.

Again, Permanent Defense and Pacific NW Portal are now configured to work only over HTTPS. If you try to connect to either insecurely, your connection will be automatically and seamlessly upgraded to Transport Layer Security by our servers.

Unfortunately, old and crumbly browsers like Microsoft’s Internet Explorer 6/7/8 do not understand how to communicate with hosts using Server Name Indication, and also don’t know to trust certificates authenticated by Let’s Encrypt or Amazon Trust Services, which are new Certificate Authorities (CAs).

We are confident that Pacific NW Portal and Permanent Defense will load correctly, without certificate warnings or other problems, on the following:

  • Mozilla’s Firefox (on any platform, any recent version)
  • Debian Iceweasel (Firefox derivative) on Debian 6 and higher
  • Microsoft’s Internet Explorer 9 and above, on Windows Vista, 7, 8, or 10
  • Microsoft’s Edge (the browser that replaced IE on Windows 10)
  • Apple’s Safari on Mac OS X and iOS (any recent version)
  • Google’s Chrome or open source Chromium (any recent version)
  • Stock browser on Android 4.x (Ice Cream Sandwich) and higher
  • Silk browser on Amazon FireOS, Kindle v3.4.1
  • PlayStation 3

Also see Let’s Encrypt’s fairly comprehensive list of supported platforms.

If you’re still using Windows XP (seriously!? Please plan to upgrade as soon as possible!), you will run into problems connecting to our sites unless you are using Mozilla Firefox. You will also run into problems using…

  • An old version of Android, like Gingerbread (no SNI support)
  • An old version of iOS (no SNI support)
  • BlackBerry 10 (will throw cert error, doesn’t recognize root certificates used by Let’s Encrypt or Amazon Trust Services) and BlackBerry OS 6 or 7
  • Opera or Nokia browsers for Symbian (no SNI support)
  • Nintendo 3DS
  • rekonq on GNU/Linux distributions (will throw cert errors)
  • … any other OS/browser combination that’s super old

We’ll be getting in touch with BlackBerry tomorrow to ask them to fix the certificate recognition problems on devices running BlackBerry 10, like the Classic, Z30, and Passport. If you use a BB10 device, you can still reach Pacific NW Portal and Permanent Defense — you just have to bypass the scary-looking warning.

When I say “old”, I’m generally referring to any mobile browser that came out more than four years ago, and any desktop browser/operating system combination that is older than ten years. If you’re on something ancient, you really owe it to yourself to upgrade. You don’t have to throw out your old hardware to do this. Even decent computers from the late 1990s are capable of running modern software.

Enjoy the upgraded security on our network!
