Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Why SSL?

Ask Leo! recently switched to being provided over a secure “https” connection, or SSL.

There’s an assortment of reasons I elected to do this, ranging from my own curiosity to making a statement.

Become a Patron of Ask Leo! and go ad-free!

SSL & https & Ask Leo!

If you’re viewing this on the Ask Leo! web site1 you should see that the address bar is showing you that this is a secure, or at least partially secure, connection. I’ll talk about the “partially” part shortly.

Much like your bank, or Paypal or Google or many other sites, your connection to the Ask Leo! server is now:

  • confirmed to be to the Ask Leo! server, and not some impostor
  • encrypted

This is actually true for newsletter.askleo.com as well as almost all other askleo.com sites. It’s nothing you have to remember – if you go to the old unencrypted URL starting with http, I’ve set it up to automatically redirect to the SSL version starting with https.

https and sslThe statement

There’s a movement afoot called “encrypt the web“.

The idea is that by encrypting connections to all web sites, your traffic exchange with those web sites cannot be monitored or sniffed. This protects you from a number of privacy- related issues that could relate to those sites.

Now, I know that Ask Leo! has nothing that’s truly sensitive. I don’t ask for login or personal information – and in fact I remove personal information from comments when people try to leave it posted publicly.

But that’s not the point.

The point, and the statement, is that your exchange with any web site should be between you and that website, without outside eyes watching what you say, or what you read.

It does improve privacy, even here

Now, while I don’t collect personal information, it’s been shown that a lot can be determined about someone by what they search for and what they read.

Ask Leo! won’t be adding to that information. What you read here is between you and me. What you ask is between you and me.

Now, what you search for – well, since I use Google to perform the site search, they’re involved. And of course when you leave a comment you’re leaving a comment for the whole world to see – that’s the point of comments.

It’s not a huge thing, but it’s a thing. I hope to see more and more web sites moving in this direction, and I wanted to make my little corner of the web a part of that.

And I’m a geek

The other reason I wanted to do this was to see how it was done. I mean, to a guy like me, this is kinda fun!

I’ve done https before: my wife’s doll shop, back in the day, took credit card information over a secure connection, so you can bet that was over a secured SSL connection.

While I don’t take credit cards directly (my store hands that off to a third party processor), Ask Leo! is significantly more complex than the doll shop ever was. It’s been interesting to see what issues would arise, and where:

  • Setting up my content delivery network to be able to do SSL.
  • Ensuring that the ads displayed on Ask Leo! would be SSL friendly.
  • Working with my email service provider to move the newsletter sign-up forms to SSL-friendly forms.
  • Changing that on-site Google search to an SSL friendly equivalent. (Hat tip to Bob Rankin who figured that one out first and provided the tip. 🙂 ).

You get the idea. There are a lot of little issues that crop up when making a change like this that’s site-wide. I now know how to deal with more of them. That means it’ll be easier for me the next time, and it’s information I can share with friends and clients that I support.

It’s probably not finished

There’s a good chance that there are still a few “mixed content” warnings floating around the site. Those are situations where something on the page references a picture or script using plain old http even though the page is supposed to be completely https.

That’s a slow game of incremental improvement over time.

Since I don’t take really personal information on Ask Leo!, it’s less important that the SSL implementation be absolutely perfect. I’ll fix those things as I become aware of them.

SSL wasn’t enough

While I had the site “cracked open” for a major change, I elected to also make another – hopefully something that you didn’t or won’t notice.

The “theme” or underlying look-and-feel has been re-implemented. That, too, is a major change – perhaps even more major than the SSL change – but my goal was that it retain the current look of the site.

There are two reasons for the change:

  • Same look and feel, at 1/4 the size (some of which results in less information being transmitted to your machine when you view an Ask Leo! page).
  • It’s easier for me to make changes.

So it’s a little faster to download (partly making up for the SSL overhead added by the https work), and I get to make improvements to the site more easily.

And, yes, there are changes planned – smaller than what this article is about, but nonetheless an assortment of small changes and tweaks to make the site run more smoothly, or to provide more information more easily.

And, yeah, that was all kinda fun too. It’s who I am. 🙂

Podcast audio

Play

Footnotes & references

1: askleo.com only – the older ask-leo.com (with the dash) will remain http not https.

4 comments on “Why SSL?”

  1. Nice job!

    You might want to add HSTS and set the “Secure” cookie attribute.

    Also, why does everyone keep saying “SSL” when referring to TLS? SSL is broken and outdated. It’s so annoying!

  2. Probably because https ends in s, which is what ssl begins with. It also rolls more easily off the tongue and is what we’ve been training people to say for years. The technical differences between SSL and TLS are meaningless to most.

Leave a reply:

Before commenting please:

  • Read the article. Comments indicating you've not read the article will be removed.
  • Comment on the article. New question? Start with search, at the top of the page. Off-topic comments will be removed.
  • No personal information. Email addresses, phone numbers and such will be removed.
  • Add to the discussion. Comments that do not — typically off-topic or content-free comments — will be removed.

All comments containing links will be moderated before publication. Anything that looks the least bit like spam will be removed.

I want comments to be valuable for everyone, including those who come later and take the time to read.