HTTPS for overt

As of today, all websites served by overt (like this blog itself) are available exclusively via HTTPS, the encrypted version of the protocol used for communication on the web. Woohoo, we’ve got little padlocks in our address bars now!

When I started overt.org 17 years ago, pretty much the only web pages that used HTTPS were ones where you entered your credit card number, and then only if you were lucky. Getting HTTPS meant more complicated configuration on the server, plus paying a certificate authority at least hundreds of dollars a year for the privilege of a certificate vouching for the identity of your site.

But clearly the web has matured a lot since then, and these days the mantra is “HTTPS everywhere.” That is, we should encrypt all web traffic by default, whether or not you’re handling sensitive information. This has a lot of little benefits, like protecting you from the coffee shop you’re in inserting ads into the web pages you’re viewing, or reading your Facebook posts as you type them. Google has even announced that it will penalize non-HTTPS sites in search rankings. And in an age where governments are considering severe limits on encryption, it’s also an important way to take a stand for public access to cryptography in general.

So, I knew that eventually I should get overt.org on board the HTTPS train. But what about the fees for certificates? Enter Let’s Encrypt. Let’s Encrypt is a free, open, automated certificate authority started by the EFF, who have a long tradition of making the internet awesomer (you should be donating to them if you’re fond of the internet!). With this tool, I was able to automatically create free certificates for all of the many sites hosted by overt.

So welcome to the new HTTPS overt. I hope you like the little padlock and feel a bit more warm and fuzzy about your visit!