And it’s goodbye to HTTP from this website…

I wanted to do this months ago, but for reasons too longwinded to go into it was put on a backburner.

But last night, without much fanfare (hence I’m blowing a trumpet now), my site switched from HTTP to HTTPS.

If you look up in your browser bar, you may well see a little padlock denoting that the communication between your computer and the webserver this site runs on is encrypted, and should be warding off snoopers with a flea in their ear.

Of course, certain sections of the site (like the admin dashboard used to post articles) have always been secured with HTTPS to prevent bad guys from sniffing my passwords, but now every article should be similarly resistant to eavesdropping.

So, you can feel a little more private reading the articles I write now.

HTTPS on grahamcluley.com

Admittedly, this site isn’t one where you can buy goods or that you log into, but increasingly it’s important that better secured webpages become the norm rather than the exception.

Thanks to the managed WordPress-hosting gurus at WP Engine and the SSL certificate whizzkids at DigiCert for sorting this out for me.

Your normal viewing experience of the stories I write shouldn’t be affected, but you will now be that little bit more private. Frankly, it’s only a tiny change in the evolution of this site – hardly earthshattering, but I hope you appreciate it. And I’m happy to be putting my money where my mouth is.

Will the NSA give two hoots about me doing this? I don’t think so one jot. And I doubt that GCHQ cares either, although they may feel miffed by the name of my email newsletter.

Please note that stories I write on third-party sites for other vendors may not have their webpages secured with HTTPS – you will have to take that up with those companies if that’s a concern for you. In addition, it is inevitable that I will link to stories on webpages which aren’t running HTTPS on a frequent basis.

Please let me know if you spot any hiccups with the site following this change, and I’ll do my best to fix them.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

12 comments on “And it’s goodbye to HTTP from this website…”

  1. Jamie

    Hey Graham, this is fantastic. I think the more sites going https-only, the better. You may want to approach your host about modernizing their security configuration, though. The SSL Labs analyzer is currently giving you a B due to no TLS 1.2 support, and no support for Forward Secrecy ciphers.

    https://www.ssllabs.com/ssltest/analyze.html?d=grahamcluley.com

    1. Graham Cluley · in reply to Jamie

      You're reading my mind Jamie. :). Plan is to improve the setup over time.

      Unfortunately at the moment my hosting provider doesn’t offer TLS 1.1 and 1.2. Cheers!

      1. Scott · in reply to Graham Cluley

        I also host with WP Engine and have noticed them rolling out support for TLS 1.2 among other improvements. I ran your site and you are now (assessed 6/8/15) getting an A-.

        See the improvements here: https://scottontechnology.com/wp-engine-rolling-out-support-for-tls-1-2/

        1. Graham Cluley · in reply to Scott

          That's great. Thanks for letting me know!

  2. Anon

    Google Chrome (41.0.2272.76 m) considers that this site is "encrypted with obsolete technology" when you click on the padlock. It's part of the new 'feature' to allow users to find out if they're connected to a site using a deprecated cipher suite. Eventually it will flag this connection as insecure.

  3. Anon

    Two more useful features that could be enabled when you get the time – HSTS and DNSSEC. The latter is particularly important I think to prevent cache poisoning: something that wouldn’t be good for a popular blog.

    Good effort for implementing HTTPS; it’s always good when a site gets a security facelift.

  4. nat

    Maybe I'm missing something … why would you want to use SSL for a site like this? Seems like overkill to me.

    1. Anon · in reply to nat

      By using SSL (properly speaking TLS) it enables you to visit the content as Graham intended (i.e. by making a man-in-the-middle attack more difficult). It also ensures that a user can determine the original content from any spoofed content providing you have a record of the original thumbprint.

      I now notice that he's using extended validation (full green bar in Internet Explorer) which is very good. It offers bank-grade security and PREVENTS (not just makes more difficult) the MiTM attack – the green bar would disappear. Excellent.

      1. Petererer · in reply to Anon

        So it's impossible for a MITM attacker to have access to keys which could be used to generate a fake EV certificate?

        1. Anon · in reply to Petererer

          With the key material that is not impossible. The way that EV certificates work means that they can't be made to appear in the same way (by a MiTM) that a standard certificate can. They also prevent employers from snooping on the connection; even with a trusted root certificate: such as we saw with the Superfish debacle.

          Have a read of the following, he explains it well:

          https://www.grc.com/ssl/ev.htm
          https://www.grc.com/fingerprints.htm

          1. Anon2 · in reply to Anon

            Without going into too much technological detail, I can assure you 100% that employers can still 'snoop' on this website with a trusted root certificate. I know this because when I click the padlock and "view certificates", the cert is issued by my employer.

  5. David L

    Hi,

    Thank you for making this a more secure site. More and more, security bloggers are making this switch. If you need a new or better cert, then later this summer Mozilla, EFF, and others are going to help websites get free certs, and comprehensive instructions with real time support to get started.

    Also, if you other people are not using "https everywhere" on your browser, then just google it for more information.
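The configuration points raised in the comments above (TLS 1.2 support, forward-secrecy ciphers, HSTS) can be checked from the client side of a site you run. This is an added example, not part of the original post or its comments; the function names and the sample values in the final lines are constructed for illustration.

```python
import http.client
import ssl

# Key-exchange prefixes that give forward secrecy in TLS 1.2 and earlier,
# in the OpenSSL naming returned by SSLSocket.cipher().
FS_PREFIXES = ("ECDHE-", "DHE-")


def hsts_max_age(header):
    """Parse max-age (seconds) from an HSTS header value; 0 if absent or invalid."""
    if not header:
        return 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else 0
    return 0


def assess(tls_version, cipher_name, hsts_header=None):
    """Return a list of findings for one negotiated connection."""
    findings = []
    if tls_version in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("protocol older than TLS 1.2: " + tls_version)
    # TLS 1.3 suites always use an ephemeral key exchange.
    if tls_version != "TLSv1.3" and not cipher_name.startswith(FS_PREFIXES):
        findings.append("no forward secrecy: " + cipher_name)
    if hsts_max_age(hsts_header) <= 0:
        findings.append("no usable Strict-Transport-Security header")
    return findings


def probe(host, timeout=10):
    """Connect to a site you operate and assess what this client negotiated."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.connect()
        version, cipher = conn.sock.version(), conn.sock.cipher()[0]
        conn.request("HEAD", "/")
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
    return assess(version, cipher, hsts)


if __name__ == "__main__":
    # Constructed sample: TLS 1.0, RSA key exchange, no HSTS header.
    print(assess("TLSv1", "AES128-SHA"))
```

A single handshake only shows what this one client negotiated, not everything the server will accept, which is what a scanner such as SSL Labs enumerates. Recent Python builds typically refuse anything below TLS 1.2 by default, so a legacy-only server shows up in `probe` as a handshake failure rather than a finding.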
