EGGER APPS

The Egger Apps Blog

02 Oct 2013

SSL Support

If you're reading this blog post on eggerapps.at, you might have noticed there's a small lock icon in your browser's location bar now. That's because my website is now served exclusively via HTTPS.

Why HTTPS is important

When using HTTPS instead of HTTP, all data is transferred via an SSL connection. SSL has two advantages. First of all, it encrypts all data in transit, so that it is impossible for attackers to listen on the network. Encryption is of limited importance for eggerapps.at. Everything here is public, and I don't store any private information.

The second advantage of SSL is that all transferred data is digitally signed with a certificate. This guarantees that no one is changing data in transit, and no one else is pretending to be eggerapps.at. And that is very important because it guarantees authenticity when you download one of my apps.

If you download an application using HTTP, you have no guarantee that the app wasn't tampered with in transit. An attacker could run a proxy server that sends you a manipulated copy of the app! The app could contain a backdoor that spies on you, or allows an attacker to remote control your computer.

Limitations of HTTPS

HTTPS uses a private key stored on the web server. If someone breaks into my web server, and steals the private key, they can pretend to be eggerapps.at. In this case I could revoke the corresponding certificate. But if I don't detect the intrusion, no one would know that someone can impersonate me.

Additionally, you need to trust the certificate authority (CA) that issued my server certificate. CAs guard their private keys closely, but more than one CA has been breached in the past.

HTTPS doesn't protect you against governments; they could force CAs under their jurisdiction to issue fake certificates. Or maybe they could convince my hosting company to send them a copy of my private key.

Last but not least, you still have to trust me. Even with HTTPS, I could simply include an evil back door in my software myself.

Technical details

If you connect to my server via HTTP, the server will redirect you to HTTPS. I am using Strict Transport Security to prevent SSL stripping attacks. The certificate is a full business validation certificate, even though many people claim that is unnecessary.

The Egger Apps Blog is written by Jakob Egger. Topics may include software development, marketing, and anything else related to running a small software business. Correspondence is welcome! Reach me at jakob@eggerapps.at.