How to Deploy HTTPS Correctly

Bruce Morton

I came across ‘How to Deploy HTTPS Correctly’ written by Chris Palmer of the Electronic Frontier Foundation. Chris does a great job  explaining why web site operators should use HTTPS versus just HTTP. He points out a couple of good practices that were not previously addressed in my blog post, ‘SSL Deployment Mistakes’:

  • Scope sensitive cookies to the secure origin to avoid cookie “leak” to potentially less secure hosts in the same domain.
  • Use HTTP Strict Transport Security (HSTS), see my blog post for more details.

Chris concludes, “HTTPS provides the baseline of safety for web application users, and there is no performance- or cost-based reason to stick with HTTP. Web application providers undermine their business models when, by continuing to use HTTP, they enable a wide range of attackers anywhere on the internet to compromise users’ information.”

I wholly endorse Chris’ recommendations and conclusions. If you are in the need of deploying HTTPS, please read his paper. Of course if you need SSL certificates, please contact Entrust.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation