https for

In the past, I've complained about banks not using https for login pages and software providers not using https for downloads. Both of these practices put large numbers of users at risk of financial harm through man-in-the-middle attacks, including attacks against unsecured wireless networks.

Starting today, I'm practicing what I preach: sections of my site that offer software, such as Firefox extensions and bookmarklets, are now served using https. I'm using the following .htaccess magic in each of those directories to redirect http requests to the correct https URL:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
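As an added example (not code from the original post), here is a small Python model of what those three lines do on each request, with two caveats a practitioner would check: `%{HTTP_HOST}` is simply the client's Host header, so the model only redirects to the site's own names (constructed here as example.com; the real hostnames are not on the page), and it strips a `:80` port that would otherwise be carried into the https URL. The query-string pass-through matches mod_rewrite's default when the substitution contains no `?`.

```python
from urllib.parse import urlsplit

# Constructed hostnames for this example; the site's real names are an assumption.
SITE_HOSTS = {"www.example.com", "example.com"}


def normalize_host(http_host):
    """Return the Host header without a ':80' suffix, or None if it names a
    host that is not ours.  %{HTTP_HOST} is the client-supplied Host header,
    so an unvalidated value would redirect users to whatever name the client
    sent; the original rule does not check this."""
    host = http_host.lower()
    if host.endswith(":80"):
        host = host[:-3]
    return host if host in SITE_HOSTS else None


def plan_redirect(https_on, http_host, request_uri, query_string=""):
    """Model the three-line .htaccess rule: when the request is not already
    HTTPS, build the HTTPS URL for the same host and path.  Apache appends
    the original query string because the substitution has no '?' of its
    own, so '?v=2' survives the redirect."""
    if https_on:
        return None  # RewriteCond %{HTTPS} !=on fails; nothing to do
    host = normalize_host(http_host)
    if host is None:
        return None  # hardening not in the original rule: refuse unknown hosts
    target = f"https://{host}{request_uri}"
    if query_string:
        target += "?" + query_string
    return target


def redirect_is_safe(location):
    """Check a Location header: it must be https and point at one of our hosts."""
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname in SITE_HOSTS


if __name__ == "__main__":
    # Constructed request: plain-http fetch of an extension directory with a query.
    print(plan_redirect(False, "www.example.com:80", "/extensions/", "v=2"))
```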

Supporting https will cost me about $65 per year: $17.99/year for a domain validation certificate from GoDaddy and $47.40/year for a unique IP from my web host.

6 Responses to “https for”

  1. Michael Lefevre Says:

    That’s cool, but you now get a broken padlock if you use https on your blog URLs. Maybe you could deal with that by doing the reverse rewrite for the other sections (so that redirects to – although I can’t think of a way to do that quite as neatly as your three rules, as it needs to happen everywhere except in those directories I guess…

  2. Eric Says:

    When I read about your post I emailed the banks about the problem, thinking the chances they read your blog were slim.

    Before I read your post I didn’t know the trick of typing the s manually to get https. I figured out you can also type a fake username and password and get to https.

    Some of the banks have fixed this problem. Washington Mutual is one that I know has not.

  3. David Baron Says:

    Firefox now supports a TLS extension that allows HTTPS on a shared IP address. (I’ve forgotten what it’s called.) Then again, other browsers probably don’t, and dreamhost probably doesn’t either.

  4. Jesse Ruderman Says:

    IE7 on Vista supports TLS Server Name Indication, but I get the impression that IE6 and IE7/XP don’t support it. Opera supports it. I don’t know about Safari.

    DreamHost does not support TLS SNI, but they’re tracking requests for it in the “Suggestions” part of the panel as “Use mod_ssl in Apache 2.2 to allow SSL without requiring a unique IP”.

    Why is our bug for supporting TLS SNI still open?

  5. Laurens Holst Says:

    “$47.40/year for a unique IP”, that’s ridiculous. Hopefully IPv6 will come soon. It seems to be picking up a little speed recently.

  6. Jesse Ruderman Says:

    DreamHost charges $4/mo for a unique IP address, which is more than most hosts charge. (For example, Pair appears to charge $1/mo.) I’m not sure why they charge so much; it might have something to do with their issues with ARIN.