DaedTech Now Brought to You Over SSL
I’ve had an item on DaedTech’s Trello board for a good, long time now. Switch over to using SSL. And, fear not those of you who enjoy this blog! You can now browse confidently, without worrying that some impostor is feeding you misinformation about expert beginners, journeyman idealists, and other random neologisms that come out of my twisted mind. Take that, internet evildoers. I can almost sense everyone’s relief from here.
What Does This Actually Mean?
I started to call this header, “How SSL works,” but I got bored before I even finished typing that sentence fragment. You can read a primer about it, if you’re so inclined.
The 10,000 foot explanation is that it’s a mechanism for making your browsing a private conversation between you and DaedTech. For instance, say that you were sitting in an airport a week ago, and you browsed to my blog. Your HTTP request and DaedTech’s response would happen in plain text. Anyone else in the airport sufficiently motivated to do so could eavesdrop on the back and forth and even execute a man-in-the-middle attack. As I said before, they could have deliberately fed you misinformation about expert beginners.
Or, perhaps more importantly, they could eavesdrop on your credentials if you had an account on my blog. That’s really the idea of SSL — it aims to make communication private and not subject to these sorts of interposition and alteration schemes. By installing SSL on my site, I have now prevented that from happening. When you browse DaedTech, you now do so over HTTPS, with all communication encrypted and my SSL certificate verified. This latter concern means an outside agency says, “you can believe that this is DaedTech and not an impostor.”
Contrary to the green locks and the “secure” wording in the URL bars, however, this does not necessarily mean “you’re all good.” Scott Hanselman summed this up well in a tweet.
HTTPS & SSL doesn’t mean “trust this.” It means “this is private.” You may be having a private conversation with Satan.
— Scott Hanselman (@shanselman) April 4, 2012
Why Would I Do This?
Ours is an industry of identifying The Right Thing ™ and rhetorically bludgeoning those who don’t get on board. Okay, that might describe humanity in general, but we programmers seem to have an unusual penchant for it. What kind of self-respecting programmer doesn’t know that you always use StringBuilder when concatenating strings!?
Having an SSL site has become one of those sorts of things. Google declared it the right answer, and that’s that. But I most assuredly did not go to all of the effort I did because it’s The Right Thing ™. I strongly advise against that sort of behavior.
That said, Google has its reasons, and valid ones at that. And that dovetails nicely into my actual motivations:
- Google rewards HTTPS sites with an SEO boost (which means it also penalizes non-compliant sites, relatively speaking). I sell things through my blog and want to attract readers, so I can always use the boost.
- As I’ve mentioned in Developer Hegemony and subsequent posts, I do plan to offer more content around helping software developers break free of the pragmatist shackles. Some of this might involve membership access. And if I’m going to start having you log in and possibly send money through the site, SSL is imperative.
- Given that I’ve started a content marketing business aimed at helping companies with their tech blogs, I should be able to speak intelligently about this recommended step. (Incidentally, if you’d like to write for us, please feel free to reach out).
How the Switch-Over Went
I won’t give you a blow by blow of the implementation, because even if you love my writing, I just won’t be able to make that entertaining. So I’ll speak in broader narrative terms.
The switch over went not great because I didn’t plan it especially well. First, I bought the SSL cert and a dedicated IP from my hosting company last Friday. I bought the latter because the former requires it. I planned to make the switch-over happen in the wee hours of Sunday morning or something. But instead, the hosting company just started it immediately. Many of you wrote to me about the site being down and I’m sorry about that.
The IP switch went through and everything was fine for a bit. But when installing the actual SSL certificate, a support tech pointed out that it was a much better deal for me to go to a better hosting package, instead of upgrading à la carte. I agreed, but this meant yet another migration, causing outages you may have noticed on Tuesday.
By Tuesday night, all of the hosting kinks had disappeared, but the site ran slowly and strangely. I had a bunch of WordPress plugin maintenance to wrangle, and I only just finally got all of the ducks in a row today. (I was waiting for an announcement until I’d eradicated all of the issues I’d noted). So now, the site should be back to normal, but with the “secure” designation and the HTTPS addresses. Oh, and my old sharing plugin didn’t play nicely with SSL, so I have a new one of those. Look for the buttons to your left (or at the bottom) on mobile.
In retrospect, I should have done more homework on how much maintenance it would require from me and what the time frames would be. Live and learn.
Reader Questions to Resume Next Week
I’ve sneaked an announcement post past you in lieu of a reader question. Don’t worry, I didn’t think I’d fool you. But I figured this announcement merited a post and my recent site woes an explanation, so I decided to type that instead.
Since I won’t do any more migrations, let’s plan on a reader question next week. I’ve got a backlog that I’ll keep drawing from, but please submit yours. You can use the form below.
One last note. If you notice something weird with the site, please let me know. I’ve done a good bit of testing, but I can’t cover all of it, particularly with all of the altered settings to make the performance plugins play nicely with SSL.