NPI's Cascadia Advocate

Offering commentary and analysis from Washington, Oregon, and Idaho, The Cascadia Advocate is the Northwest Progressive Institute's unconventional perspective on world, national, and local politics.

Sunday, January 24th, 2016

Browse with confidence: Permanent Defense and Pacific NW Portal have gone HTTPS-only

Last spring, we embarked on an ambi­tious project to strength­en the secu­ri­ty of the North­west Pro­gres­sive Insti­tute’s net­work of web­sites by mak­ing them avail­able only over HTTPS, begin­ning with this domain, nwprogressive.org, and all the pub­li­ca­tions housed under it, like the Cas­ca­dia Advo­cate.

Today, we are pleased to announce that we have done the same for two of our old­est projects as well: Per­ma­nent Defense and Pacif­ic NW Por­tal. Both will be cel­e­brat­ing their anniver­saries with­in the next few weeks.

Going HTTPS-only takes work. It involves setting up secure hosting, installing professionally-signed secure certificates, eliminating mixed-content warnings by preventing images and stylesheets from being served over regular ol' HTTP, and finally, configuring our servers to seamlessly reroute HTTP requests to HTTPS.

But it’s def­i­nite­ly worth it.

See, when you con­nect to one of our web­sites over HTTPS, your ses­sion is encrypt­ed. That makes eaves­drop­ping by a third par­ty much more dif­fi­cult. If you hap­pen to leave a com­ment or sub­mit a form while vis­it­ing one of our sites, the con­tents of that com­mu­ni­ca­tion can be scram­bled while in tran­sit to our serv­er.

Wikipedia explains:

In its pop­u­lar deploy­ment on the inter­net, HTTPS pro­vides authen­ti­ca­tion of the web­site and asso­ci­at­ed web serv­er with which one is com­mu­ni­cat­ing, which pro­tects against man-in-the-mid­dle attacks. Addi­tion­al­ly, it pro­vides bidi­rec­tion­al encryp­tion of com­mu­ni­ca­tions between a client and serv­er, which pro­tects against eaves­drop­ping and tam­per­ing with and/or forg­ing the con­tents of the com­mu­ni­ca­tion. In prac­tice, this pro­vides a rea­son­able guar­an­tee that one is com­mu­ni­cat­ing with pre­cise­ly the web­site that one intend­ed to com­mu­ni­cate with (as opposed to an impos­tor), as well as ensur­ing that the con­tents of com­mu­ni­ca­tions between the user and site can­not be read or forged by any third par­ty.

HTTPS can­not hide the address of a web­site a user is con­nect­ing to, or mask the ports being used, due to the nature of the TCP/IP pro­to­cols the Inter­net uses. How­ev­er, request URLs (spe­cif­ic pages vis­it­ed by the user), query para­me­ters, head­ers, and cook­ies can all be encrypt­ed using HTTPS.

His­tor­i­cal­ly, set­ting up and oper­at­ing HTTPS-only web­sites was expen­sive, and required the pur­chase of unique IPs and pricey pro­fes­sion­al­ly-signed cer­tifi­cates. But with the advent of Serv­er Name Indi­ca­tion (SNI) and the avail­abil­i­ty of free pro­fes­sion­al­ly-signed cer­tifi­cates from Let’s Encrypt and Ama­zon Trust Ser­vices, it’s eas­i­er than it ever has been to go HTTPS-only.

Again, Per­ma­nent Defense and Pacif­ic NW Por­tal are now con­fig­ured to work only over HTTPS. If you try to con­nect to either inse­cure­ly, your con­nec­tion will be auto­mat­i­cal­ly and seam­less­ly upgrad­ed to Trans­port Lay­er Secu­ri­ty by our servers.

Unfor­tu­nate­ly, old and crumbly browsers like Microsoft­’s Inter­net Explor­er 6/7/8 do not under­stand how to com­mu­ni­cate with hosts using Serv­er Name Indi­ca­tion, and also don’t know to trust cer­tifi­cates authen­ti­cat­ed by Let’s Encrypt or Ama­zon Trust Ser­vices, which are new Cer­tifi­cate Author­i­ties (CAs).

We are con­fi­dent that Pacif­ic NW Por­tal and Per­ma­nent Defense will load cor­rect­ly, with­out cer­tifi­cate warn­ings or oth­er prob­lems, on the fol­low­ing:

  • Mozil­la’s Fire­fox (on any plat­form, any recent ver­sion)
  • Debian Iceweasel (Fire­fox deriv­a­tive) on Debian 6 and high­er
  • Microsoft­’s Inter­net Explor­er 9 and above, on Win­dows Vista, 7, 8, or 10
  • Microsoft­’s Edge (the brows­er that replaced IE on Win­dows 10)
  • Apple’s Safari on Mac OS X and iOS (any recent ver­sion)
  • Google’s Chrome or open source Chromi­um (any recent ver­sion)
  • Stock brows­er on Android 4.x (Ice Cream Sand­wich) and high­er
  • Silk brows­er on Ama­zon Fire­OS, Kin­dle v3.4.1
  • PlaySta­tion 3

Also see Let’s Encryp­t’s fair­ly com­pre­hen­sive list of sup­port­ed plat­forms.

If you’re still using Win­dows XP (seri­ous­ly!? Please plan to upgrade as soon as pos­si­ble!), you will run into prob­lems con­nect­ing to our sites unless you are using Mozil­la Fire­fox. You will also run into prob­lems using…

  • An old ver­sion of Android, like Gin­ger­bread (no SNI sup­port)
  • An old ver­sion of iOS (no SNI sup­port)
  • Black­Ber­ry 10 (will throw cert error, does­n’t rec­og­nize root cer­tifi­cates used by Let’s Encrypt or Ama­zon Trust Ser­vices) and Black­Ber­ry OS 6 or 7
  • Opera or Nokia browsers for Sym­bian (no SNI sup­port)
  • Nintendo 3DS
  • rekonq on GNU/Linux dis­tri­b­u­tions (will throw cert errors)
  • … Any other OS/browser combination that's super old

We’ll be get­ting in touch with Black­Ber­ry tomor­row to ask them to fix the cer­tifi­cate recog­ni­tion prob­lems on devices run­ning Black­Ber­ry 10, like the Clas­sic, Z30, and Pass­port. If you use a BB10 device, you can still reach Pacif­ic NW Por­tal and Per­ma­nent Defense — you just have to bypass the scary-look­ing warn­ing.

When I say “old”, I’m gen­er­al­ly refer­ring to any mobile brows­er that came out more than four years ago, and any desk­top browser/operating sys­tem com­bi­na­tion that is old­er than ten years. If you’re on some­thing ancient, you real­ly owe it to your­self to upgrade. You don’t have to throw out your old hard­ware to do this. Even decent com­put­ers from the late 1990s are capa­ble of run­ning mod­ern soft­ware.

Enjoy the upgrad­ed secu­ri­ty on our net­work!
