About HTTPS on this site
This site is also viewable encrypted through https.
I finally decided to shell out some real money for this, so for the next two years there's no snag. See here.
There's a snag though:
Browsers do not (by default) "trust" the certificate authority I'm using.
Because this "trust" must be bought, and the certificate authority I have chosen does not pay this money (and neither do I).
It's called CAcert, and this is what they say about themselves:
CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free.
Go to the root certificate page and click on Root Certificate and allow it to identify websites. Then click on Intermediate Certificate and don't check any of the boxes (do not allow to identify anything) but click OK nevertheless.
I have chosen the PEM format for this, but the other formats probably also work.
If for some reason this should not work:
Download the files. For some reason the usual "right-click => save as" did not work for me, had to use the command line:
wget https://www.cacert.org/certs/root_X0F.crt https://www.cacert.org/certs/class3_X0E.crt
Then, for Firefox, go to:
Preferences => Privacy & Security, scroll all the way down => View Certificates => Authorities => Import both files
However you do it, in the end it should look like this.
Something similar should be possible on all major browsers. See here for more information.
Clicking the root certitifcate link should also work on your Android-based smartphone's browser.
If you want it system-wide you need to download the ceritificate first, then tap the downloaded file, that should pop up a system settings dialog.
If it doesn't work, have a look here or try this app (not tested).
That's all, you can now navigate to https://dt.iki.fi and browse this site not only encrypted but also "trusted".
Before you start, make a test:
curl https://dt.iki.fi should give an error and not download the page.
With the previously downloaded root certificate (and only that one) try:
sudo trust anchor root_X0F.crt
Repeat the curl command; it should work now (download a load of HTML).
This is still effective after a reboot, but I'm not sure if some software update couldn't revert this eventually. We will see.
So why don't you just use letsencrypt like everybody else?
I guess I'm a little sceptical of them and it all reminds me of that time ~10 years ago when Gmail seemed like the best thing that happened to the internet, ever. For free!
And eventually everybody found themselves being sucked dry and violated by a data mining behemoth.
But there's more palpable reasons for my rejection of letsencrypt.
Using it requires me to agree to some things which, without going into detail (IANAL), amounts to making a contract with a company in the USA, under US law, and willingly providing them with personal data to be stored on servers in the USA that aren't protected by any privacy laws to speak of.
Now why would I do that when I live in a country with much better privacy laws and went out of my way to not willingly store any data on any servers in the US of A?
Secondly, when I tried it once it asked me to run a python script that did all sorts of things to my system (obviously it needs root privileges).
I like to have just a little more control over things.
And why is the certificate valid only 90 days? Seems a little shifty to provide free certificates, throw them at the public, then force people to renew them in such short intervals, more or less forcing them into using the provided software (because constantly keeping an eye on it and doing it manually every other month or so certainly isn't fun).
All my site does is set a cookie in your browser (PHP does that automatically and I see no reason to switch that off) and, of course, store the connection in the server logs (i.e. time, originating IP and the browser's user agent string). That's the only information about you that travels through the web, apart from the fact that you are visiting the site at all. Now if you feel you need to hide that then good luck using the regular web.
If on the other hand you wanted to contact me and send some sensitive information (like an email address so I can get back to you) I would indeed recommend to use a secure connection.