24 August 2018

Verifying HTTPS

I hope this is my last post about migrating my web site to HTTPS. In the previous post, Testing HTTPS, I wrote,

I have a number of other tasks to perform:-
(A) Investigate why the security certificate (issued by Let's Encrypt 'Free SSL/TLS Certificates') is only valid for three months, to 15 October 2018.
(B) Examine the impact on the site's stat logs.
(C) Flag the HTTPS change to Google search.

(A) Certificate: From How It Works - Let's Encrypt - Free SSL/TLS Certificates:-

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server. [...] There are two steps to this process. First, the agent proves to the CA that the web server controls a domain. Then, the agent can request, renew, and revoke certificates for that domain.

The key word there is 'renew'. I'll come back to the subject in mid-October, and I hope it won't require a blog post.

(B) Stats: The first thing I noticed was the size of the daily logs, which started getting larger the day I activated HTTPS across the site. Is this related or just a coincidence? When I examined the log file for that day I saw some files logged twice -- once with a 301 redirect code and a small file size followed by a 200 code and a large file size -- indicating that a redirect had occurred. My own activity ('Testing HTTPS') was traceable, which gave me an anchor point. The stat summaries showed a huge number of 301 redirects, which were negligible in previous months. Will this decline over time, as external requests include the HTTPS, or will it be constant? Since the files are aggregated by month, it will take a few months to see the effect.
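One way to follow the 301 share day by day rather than waiting for the monthly summaries. This is an added example, not code from the original post. It assumes the server writes Combined Log Format and logs HTTP and HTTPS requests to the same file; the sample lines, hosts and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Combined Log Format (assumed format; hosts and paths are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Aug/2018:10:00:01 +0000] "GET /chess/index.htm HTTP/1.1" 301 239 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Aug/2018:10:00:01 +0000] "GET /chess/index.htm HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Aug/2018:10:05:12 +0000] "GET /chess/wcc.htm HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Aug/2018:08:00:00 +0000] "GET /chess/wcc.htm HTTP/1.1" 301 237 "-" "ExampleBot/1.0"
203.0.113.5 - - [24/Aug/2018:09:30:00 +0000] "GET /chess/index.htm HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def redirect_stats(log_text):
    """Per day: total hits, 301s, 301s followed by a 200 (same client, path, day), and the rest."""
    stats = defaultdict(lambda: {"hits": 0, "301": 0, "followed": 0})
    pending = {}  # (host, path) -> day of the most recent 301 still waiting for its 200
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        key = (m["host"], m["path"])
        day = stats[m["day"]]
        day["hits"] += 1
        if m["status"] == "301":
            day["301"] += 1
            pending[key] = m["day"]
        elif m["status"] == "200" and pending.get(key) == m["day"]:
            # The "logged twice" pattern: small 301 then large 200 for the same file.
            del pending[key]
            day["followed"] += 1
    for day in stats.values():
        # 301s with no matching 200: clients that requested HTTP and never came back over HTTPS.
        day["unfollowed"] = day["301"] - day["followed"]
    return dict(stats)

if __name__ == "__main__":
    for day, s in redirect_stats(SAMPLE_LOG).items():
        print(day, s, "301 share: {:.0%}".format(s["301"] / s["hits"]))
```

A falling 301 share over the following weeks would indicate that external links and crawlers are requesting the HTTPS URLs directly.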

(C) Google search: I was happy to see that Google search results include the HTTPS, outlined in red in the following image.


Google search: 'site:mark-weeks.com'

One casualty of the migration was Google AdSense. The ads are missing, e.g. on the index page for the World Chess Championship, and the browser warns of mixed content. The code that calls an ad currently uses 'HTTP'. If I want the ads back I'll need to change the code on all pages, but it might be better to replace AdSense with something else in that space.

All things considered, I was happy with the results of the migration to HTTPS. What will Google force me to do next to keep the site operational?
