What Should Every HTTPS Site Owner Do?

You finally got HTTPS running on your web server. Is there anything else you can do? Well, let me tell you about a few (free) things you can do.

Test HTTPS

Probably the most important work you can do when setting up HTTPS is testing all the changes. While you can use curl and the “sweat of your brow”, I prefer using SSL Labs. It covers a lot of ground and gets regularly updated with the latest recommendations. If the test finds anything needing improvement, you will get enough information to fix it.

To be sure your setup is not unnecessarily slow, a speed test does come in handy. If you run the same test against both your HTTP and HTTPS setup, you should expect the numbers to be very close. While it will become impossible to test HTTP-only speed once you fully activate HTTPS, you can still benefit from “run A” vs “run B” testing.

There are a lot of small, fiddly details with HTTPS, and testing will keep you from going at it blind.

Monitor Certificate Expiration

If you are using Let’s Encrypt, it’s a pure necessity to monitor the expiration of your certificates. Three-month validity might seem long but, once everything starts working, you will forget to check and end up with an inaccessible web site on your hands. The half an hour needed to set up and test monitoring is well worth it.

Of course, if you are using a commercial certificate provider, you can ignore this as they’ll bug you enough.
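As an added example (not from the post), here is a small POSIX shell check suitable for a cron job: it relies on openssl’s -checkend option, which exits 0 if a certificate is still valid the given number of seconds from now and 1 otherwise, so no date parsing is needed. The HOST and file names are placeholders, and the demo certificate is a throwaway self-signed one constructed on the spot.

```shell
#!/bin/sh
# Added example (not from the post): alarm when a certificate is within N days of expiry.
# "openssl x509 -checkend SECONDS" exits 0 if the certificate is still valid SECONDS from
# now and 1 otherwise, so no date parsing (and no GNU date) is needed.

# cert_ok_for_days PEM_FILE DAYS -> 0 if the certificate stays valid for DAYS more days
cert_ok_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# site_cert_ok_for_days HOST DAYS -> same check against the certificate a live server
# presents (HOST is a placeholder; -servername sends SNI so the right certificate is returned)
site_cert_ok_for_days() {
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    cert_ok_for_days "$tmp" "$2"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# make_demo_cert DIR DAYS -> writes a throwaway self-signed certificate (constructed sample,
# not a real site's) to DIR/cert.pem, valid for DAYS days
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Demo: a 10-day certificate is fine for a 5-day horizon but trips a 14-day alarm,
# which is a sensible threshold for 90-day Let's Encrypt certificates checked from cron.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" 10
cert_ok_for_days "$demo_dir/cert.pem" 5 && echo "ok for 5 more days"
cert_ok_for_days "$demo_dir/cert.pem" 14 || echo "ALERT: expires within 14 days"
rm -rf "$demo_dir"
```

For a real site, run site_cert_ok_for_days against your host name from cron and send mail on a non-zero exit; exit status 2 means the certificate could not be fetched at all, which is worth an alert of its own.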

Monitor Issued Certificates

As you are already monitoring your certificate expiry, you might also want to monitor who is issuing them. If you use Cert Spotter, you’ll get an email every time one of your domains gets a new certificate. For 99% of sites, including this one, this is pure overkill. But that doesn’t mean you shouldn’t sign up. :)

Set Up Expect-CT

If you use any decent certificate provider, you can expect them to report all issued certificates to the Certificate Transparency project. Armed with this assumption, you can start sending the Expect-CT HTTP header. In practice this protects you from man-in-the-middle attacks by certificate authorities already trusted by your computer. Great examples include your company or in-flight entertainment CA. If they try to fudge your TLS connection, this way you’ll know.

Set Up CAA

If you have access to your DNS settings, you should think about setting up CAA. How far you can go depends on your DNS provider. Some of them, like CloudFlare, support only a subset of the needed functionality. Realistically, even that is sufficient, but for full compliance with the rules, raw DNS access is best. In theory this will protect you against issuance of a certificate by a non-trusted CA. Since this is based on a gentlemen’s agreement, the actual enforcement is yet to be proven.

Set Up HSTS

Lastly, once you sort everything else, do look into HSTS. It is a bit of work to apply and get certified for entrance into the preload list, with multiple consequences. The most obvious one is that your domain will always be loaded in its HTTPS glory instead of via the HTTP redirect. However, that pales in comparison to the most important benefit - the bragging rights, since your website is explicitly compiled into every major browser. That and a sense of impending doom, as any HTTPS mistake will render your website completely inaccessible. I guess this is not for those of weak heart.
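To verify the two headers discussed above (Expect-CT and HSTS) are actually being sent as intended, here is an added POSIX shell check that is not part of the post. It applies the HSTS preload submission rules (max-age of at least one year, includeSubDomains and preload) and, for Expect-CT, requires enforce with a positive max-age; note that browsers have since dropped Expect-CT support, so only the HSTS check still matters in practice. The sample response is constructed, and HOST in the live-use comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): check Expect-CT and HSTS headers of an HTTPS response.
# Thresholds follow the hstspreload.org submission rules: max-age >= 31536000 (one year),
# includeSubDomains and preload must all be present.

# header_value HEADERS NAME -> value of the first matching header (name is case-insensitive)
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# max_age_of VALUE -> the number from the max-age directive, or 0 if absent
max_age_of() {
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    printf '%s' "${n:-0}"
}

# has_directive VALUE NAME -> 0 if NAME appears as a whole directive (case-insensitive)
has_directive() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | grep -Eq "(^|[;,[:space:]])$2([;,[:space:]]|$)"
}

# check_hsts HEADERS -> 0 if Strict-Transport-Security meets preload-list requirements
check_hsts() {
    v=$(header_value "$1" Strict-Transport-Security)
    [ -n "$v" ] || return 1
    [ "$(max_age_of "$v")" -ge 31536000 ] || return 1
    has_directive "$v" includesubdomains || return 1
    has_directive "$v" preload
}

# check_expect_ct HEADERS -> 0 if Expect-CT is present with enforce and a positive max-age
check_expect_ct() {
    v=$(header_value "$1" Expect-CT)
    [ -n "$v" ] || return 1
    [ "$(max_age_of "$v")" -gt 0 ] || return 1
    has_directive "$v" enforce
}

# Constructed sample response (not captured from a real site) to exercise the checks.
# Live use (HOST is a placeholder): check_hsts "$(curl -sI "https://HOST/")"
sample='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Expect-CT: max-age=86400, enforce, report-uri="https://example.test/ct"'
check_hsts "$sample" && echo "HSTS: preload-ready"
check_expect_ct "$sample" && echo "Expect-CT: enforced"
```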

Things That Irk Me With Android Devices

After going exclusively for a while with the iSide of mobile phones, I decided to get back with Android. It felt like greeting an old friend again. However, I found some things that annoy the heck out of me with Android devices these days.

The first one is the darn “silent switch” - you have it on the side of every iPhone ever. An easy way to check or adjust whether your phone is silenced without looking at it. And no, fiddling with volume buttons in your pocket doesn’t count, as “normal” Android behavior is to share media and ringtone volume. And reversing silencing also means guessing your ring volume every time. Or simply giving up and using it in either silent or max-volume mode. And don’t blame Apple patents for this, as there are (rare) Android manufacturers that have it - like OnePlus.

The most curious thing about this physical switch is that I didn’t miss it before I went to Apple. I was OK with volume buttons and got used to their quirks. However, coming back to Android, I gave up on the damn volume buttons for anything except volume control. While getting used to the silent switch took no time, getting used to life without it takes an eternity.

And frankly I could stop here, as all the other things together don’t annoy me as much as that simple switch. However, I will mention a few more issues. :)

The lack of a headphone jack on new devices might be OK for some, but I find it really limiting. Apple successfully removed it first and then everybody just had to follow. I have a feeling that if Apple sold a polished turd, other manufacturers would start rubbing theirs too. Yes, I do know Bluetooth exists and I actually have reasonably good wireless headphones. But they are also pricier, have batteries, and I even sometimes forget to bring them with me. You know what I always have? A pair or two of cheap 3.5mm headphones that need nothing. I can use them for rare sessions in the (non-Pokemon) gym, riding a bike, or while walking through the woods. If I lose them - so what?

And whoever mentions headphone dongle first can stuff it where the sun doesn’t shine.

Notches are my enemy too. Like in a carrot measuring contest (what? you don’t do those?), all manufacturers are trying to have as high a screen-to-body ratio as possible. So they notch the hell out of their phones. The more expensive the phone, the uglier the notch (or two) it has to have. Yes, I know, people say you get used to it. Well, I can also get used to having a screen without a notch in the first place. :)

Of course I will also complain about the fingerprint sensor on the back. Not only does this have me fiddling with my phone for an uncomfortable minute before hitting it just right, but it also means I need to physically move the phone to get under it. Too much work for just a quick glance at a notification.

To continue with “get off my lawn” old man gripes, I find even such an inconvenient fingerprint sensor strongly preferable to face unlock. Not only does face unlock give you the same drawback of having to pick up the phone to unlock it, but you also cannot share your face with other people (unless you’re Nicolas Cage).

For example, my phone at this moment has fingerprints for me, my wife, and both of my kids. My wife’s phone is likewise set up for the whole family. My kids’ phones have my wife and me added as secondary fingerprints, as they don’t trust each other. :) And stop yelling about privacy concerns as (a) they’re kids, and (b) I don’t actually snoop through their messages nor do they snoop through mine (as far as I know :)).

Shared logins are awesome if you play some game together (e.g. Pokemon Go - yes, still) and one of you is not there - no worries, just use your own fingerprint and play on their phone. Or for the admin in the family - i.e. me - when I go over each phone to either set up a new app or test something during the night and I don’t want to wake everybody up just for a login. Yes, I could track their PINs and patterns in a password manager, but that’s not as friction-free as the good old fingerprint.

I have great hopes for the comeback of the fingerprint with the new under-the-screen technology, but it might be that for the next phone my whole family will have to wear the same mask. :)

PS: And yes, I know that not all of these are necessarily just Android faults but general industry trends - especially the damn notch race - but I’m not gonna change the title now. :) Maybe some time later I’ll write about what I love about Android and why I came back to it, to bring balance to the universe.

Removing Line Breaks

Sometimes in scripting you don’t get to choose your input format. For example, you might get data in multiple lines when you actually need it all in a single line. For such occasions you can go with:

cat ^^file^^ | awk '{printf "%s", $0}'

Likewise you might want lines separated by a space. Slight modification makes it happen:

cat ^^file^^ | awk '{printf "%s ", $0}'

Lastly, you might want to split a single line into multiple ones (handy for base64 printouts):

cat ^^file^^ | fold -w 72

PS: Check out fmt if you need word-aware line splitting.

Extracting Public SSH Key From a Private One

A common key management method seen in Linux scripts is copying private and public SSH keys around. While not necessarily the best way to approach things, having your private SSH key at hand does come in handy when easy automation is needed.

However, there is no need to copy the public key if you are already copying the private one. Since the private key contains everything, you can use ssh-keygen to extract the public key from it:

ssh-keygen -yf ^^~/.ssh/id_rsa^^ > ^^~/.ssh/id_rsa.pub^^

What is the advantage, you ask? Isn’t it easier just to copy two files instead of copying one and dealing with shell scripting for the second?

Well, yes. However, it is also more error-prone, as you must always keep the private and public key in sync. If you replace one and by accident forget to replace the other, you will be chasing your tail in no time.
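The out-of-sync case above is easy to detect with the same ssh-keygen -y trick. Here is an added POSIX shell check (not from the post) that derives the public key from the private one and compares the key type and material with the stored .pub file, ignoring the comment field; the demo keys are throwaway pairs generated on the spot, and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): detect a private/public SSH key pair that has drifted
# out of sync by deriving the public key with "ssh-keygen -y" and comparing key material.
# Only the key type and base64 blob are compared, so a differing comment is not a mismatch.

# key_material PUBKEY_LINE -> "type blob" with any trailing comment dropped
key_material() {
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

# keypair_in_sync PRIVATE_KEY -> 0 if PRIVATE_KEY.pub matches the key derived from
# PRIVATE_KEY, 1 if they differ, 2 if either file cannot be read or parsed
keypair_in_sync() {
    priv=$1; pub="$1.pub"
    [ -r "$priv" ] && [ -r "$pub" ] || return 2
    derived=$(ssh-keygen -yf "$priv" 2>/dev/null) || return 2
    stored=$(head -n 1 "$pub")
    [ "$(key_material "$derived")" = "$(key_material "$stored")" ]
}

# Constructed demo (no real keys involved): make a throwaway pair, verify it, then swap in
# the public key of a different pair to show the mismatch being caught.
d=$(mktemp -d)
ssh-keygen -q -t ed25519 -N '' -C demo -f "$d/a" >/dev/null
ssh-keygen -q -t ed25519 -N '' -C demo -f "$d/b" >/dev/null
keypair_in_sync "$d/a" && echo "a: public key matches private key"
cp "$d/b.pub" "$d/a.pub"
keypair_in_sync "$d/a" || echo "a: public key does NOT match private key"
rm -rf "$d"
```

Run keypair_in_sync against ~/.ssh/id_rsa (or whichever key your scripts copy) before deploying; a non-zero exit means the pair should be regenerated with the ssh-keygen -yf command above rather than copied further.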

Familiar Column Selection in Visual Studio Code

If you have ever dealt with any advanced text editor, you are probably aware of column (a.k.a. block) selection. You press Shift+Alt and then use either the mouse or the arrow keys to make a somewhat unusual block selection. While not needed often, it’s invaluable when it comes to dealing with text in columns.

Visual Studio Code does support it but, of course, there are minor issues. First of all, unlike almost any other editor (including Visual Studio!), the shortcut is actually Shift+Ctrl+Alt. Fortunately this can be fixed either by manually remapping the key bindings for column selection or by simply installing the Visual Studio Keymap extension.

While that sorts out the column selection shortcut, it still leaves one annoying problem - if you move the cursor in any direction while multiple lines are selected, you will see multiple cursors move, instead of the more usual selection cancellation. Fortunately, you can add a few key bindings to keybindings.json to deal with that issue:

[
    {
        "key": "left",
        "command": "cancelSelection",
        "when": "editorHasMultipleSelections && textInputFocus"
    },
    {
        "key": "right",
        "command": "cancelSelection",
        "when": "editorHasMultipleSelections && textInputFocus"
    },
    {
        "key": "up",
        "command": "cancelSelection",
        "when": "editorHasMultipleSelections && textInputFocus"
    },
    {
        "key": "down",
        "command": "cancelSelection",
        "when": "editorHasMultipleSelections && textInputFocus"
    },
    {
        "key": "pageup",
        "command": "cancelSelection",
        "when": "editorHasMultipleSelections && textInputFocus"
    },
    {
        "key": "pagedown",
        "command": "cancelSelection",
        "when": "editorHasMultipleSelections && textInputFocus"
    }
]

Now you can enjoy block selection that works properly. :)