About two or three years ago, my webmaster sent me some instructions he'd written about how to change my website to use HTTPS and to also acquire a security certificate from Let's Encrypt. I never got around to it and I'd like to try again.
Here are the instructions he wrote out for me. Speaking as someone who taught themselves to write HTML and only flirted with Linux once, these instructions seem very arcane, even knowing that my webmaster knows my exact level of technical knowledge. I'm also looking at the documentation that's available and I'm not entirely certain that it matches the ISRG mission of reducing educational barriers to secure communications.
If you were to rewrite these instructions for clarity to a less tech-savvy user than who is normally installing an LE cert, how would you go about doing it?
These steps are less intimidating than they sound! The only parts that are tricky for you, and that I can't do, are working on your embeds in Step 1 and thoroughly testing your site in Step 4. Everything else, I can usually handle for you when you say "go."
Step 1: Take a look at how your site uses images, stylesheets, and other embedded content. If you have a page that links to an embed using an “absolute” URL like “http://example.com/images/image.jpg”, most browsers will not render that when the page is accessed over HTTPS. This is a safety feature to avoid “mixed” insecure content on a seemingly secure page. Links like that can be changed to “relative” URLs like “/images/image.jpg” or even “//example.com/images/image.jpg”. (You rarely see that last kind of link, but it does work.)
Step 2: Go ahead and ask me to get your certificate and enable HTTPS. You can then browse through your site, changing the URLs in your browser's address bar to have the prefix "https://", to see if things work properly. Some sites will automatically redirect you back to HTTP for every single page; if this happens, I can work with you to figure things out, or you can skip ahead to Step 3.
Step 3: Make your site redirect all HTTP traffic to HTTPS. Some Web applications (like WordPress) can be set up to do this automatically, but this is a manual process for others. If you’re not sure how to do it, just let me know and I’ll help make it happen.
Step 4: Now is when it’s most important (and easiest) to thoroughly test your site and find any embedded content that’s broken, or other problems.
Step 5: After all the bugs have been shaken out, start serving Strict-Transport-Security (HSTS) headers to tell your visitors’ browsers that HTTPS should /always/ be used for your site. Some Web applications can do this, but usually I will do it. Note: There is no going back. This is recommended because an attacker could intercept the visitor’s session with your site /before/ your site serves the redirect to HTTPS, silently remove that redirect, and make everything look like it’s fine despite intercepting the traffic. HSTS negates this attack except on a visitor’s very first visit to your site (ever, or after several months of not visiting).
Step 6: Add your site to the HSTS preload list ( https://hstspreload.org/ ): a list of domains that should always use HTTPS that’s built into most Web browsers. Now even the very first visit to your site is protected.
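The following is an added example, not part of the original post or the webmaster's instructions. It turns the manual checks in those steps into something you can run: a scanner that finds absolute http:// embeds in a page (Steps 1 and 4) and suggests the rewrite Step 1 describes, a check that an http:// request is answered with a redirect to https:// on the same host (Step 3), and a check that a Strict-Transport-Security header meets the preload list's published requirements of a max-age of at least one year, includeSubDomains and preload (Steps 5 and 6). The site name example.com, the sample page and the sample headers are all constructed for the example.

```python
"""Offline checks for an HTTP-to-HTTPS migration.

Sample page and headers below are constructed for this example; point the
functions at real pages and response headers for your own site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "example.com"  # assumed site name for the example
ONE_YEAR = 31536000        # minimum max-age accepted by hstspreload.org

# Tag/attribute pairs that fetch embedded content. An "http://" value in any of
# these becomes mixed content once the page itself is served over HTTPS.
EMBED_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),  # counted only when rel contains "stylesheet"
}


def _candidate_urls(attr, value):
    # srcset holds "url 1x, url 2x"; every other attribute is a single URL
    if attr == "srcset":
        return [item.strip().split()[0] for item in value.split(",") if item.strip()]
    return [value.strip()]


def suggest_fix(url, site_host):
    """Rewrite an absolute http:// URL as Step 1 suggests: a root-relative path
    for our own host, otherwise an https:// URL. A third-party host must
    actually serve HTTPS, so those suggestions still need a manual check."""
    parts = urlsplit(url)
    if parts.hostname and parts.hostname.lower() == site_host:
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    return urlunsplit(("https",) + tuple(parts[1:]))


class MixedContentScanner(HTMLParser):
    def __init__(self, site_host=SITE_HOST):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, attribute, original_url, suggested_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as page content
        for attr in EMBED_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            for url in _candidate_urls(attr, value):
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, attr, url, suggest_fix(url, self.site_host)))


def find_mixed_content(html, site_host=SITE_HOST):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def check_redirect(status, headers, request_host):
    """Step 3: an http:// request must be answered with a redirect to https://
    on the same host. Returns a list of problems (empty means OK)."""
    headers = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status not in (301, 302, 307, 308):
        problems.append(f"expected a redirect status, got {status}")
    location = urlsplit(headers.get("location", ""))
    if location.scheme.lower() != "https":
        problems.append(f"Location is not an https:// URL: {headers.get('location', '')!r}")
    elif (location.hostname or "").lower() != request_host.lower():
        problems.append(f"redirect leaves the host: {location.hostname!r}")
    return problems


def check_hsts(header_value):
    """Steps 5 and 6: parse a Strict-Transport-Security value and report what
    is missing for preload submission. Returns a list of problems."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    problems = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the one-year minimum for preload")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


# Constructed sample input: one page with three http:// embeds and a
# canonical link that must not be flagged.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<link rel="canonical" href="http://example.com/">
</head><body>
<img src="http://example.com/images/image.jpg" alt="">
<img src="/images/logo.png" srcset="/images/logo.png 1x, http://cdn.example.net/logo@2x.png 2x">
<script src="https://example.com/js/app.js"></script>
</body></html>"""
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for tag, attr, url, fix in find_mixed_content(SAMPLE_PAGE):
        print(f"<{tag} {attr}> {url} -> {fix}")
    print("redirect:", check_redirect(301, {"Location": "https://example.com/page"}, SITE_HOST))
    print("weak HSTS:", check_hsts(WEAK_HSTS))
    print("strong HSTS:", check_hsts(STRONG_HSTS))
```

Run the scanner over each page of the site after Step 2 and again after Step 4; the suggested rewrites for your own host are safe to apply as-is, while the https:// suggestions for other hosts should be opened in a browser first. The redirect and HSTS checks take the status code and headers you see in your browser's developer tools (or from `curl -I`) for an http:// and an https:// request respectively.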