Let’s Encrypt

Most of you probably didn’t notice but over the weekend I changed this blog over to Let’s Encrypt. There really aren’t any changes for you but this is a project that I’ve been planning to do for a while now.

Since I changed this site over to HTTPS only, I’ve been using StartSSL certificates. However, when it was announced that StartCom, the owner of StartSSL, was bought by WoSign I was wary to renew my certificates through them. When it was later announced that StartCom and WoSign were backdating certificates to get around the SHA-1 depreciation deadline I knew it was time to move on. The good news is that Let’s Encrypt is far easier than StartSSL was. Setting it up took a bit of time because Nginx support in Let’s Encrypt is still experimental and the other options for pulling certificates without shutting down the server required some server customizations. But once everything was setup it was simple to pull certificates.

While I was changing over my certificates I also took the opportunity to implement a Content Security Policy (CSP). Now when you load my page your browser is given a whitelist of locations content can come from. This reduces the threat of potential code injection attacks. Unfortunately, due to WordPress, I had to enable some unsafe options such as executing inline JavaScript and eval() statements. I’ll be looking for ways to get rid of those in the future though.

So you can breathe easy knowing that you browsing experience is even safer now than it was before.