Tim's Blog

Information, Technology, Security, and other stuff.

HTTPS-Enabling my Blog

Published 2014-09-25

I just enabled HTTPS on my blog.

But rather than pay the ~$50/year cost of an SSL certificate, I instead opted to just use a self-signed certificate.

As somebody who works in the field of PKI, this would almost be blasphemy, but I did this for 3 reasons:

  • The blog will be normally presented via HTTP. HTTPS is unnecessary for the content. It's just a blog after all. The HTTPS capability is purely for the administration portal.
  • I trust the self-signed certificate on my machine. If somebody attempts to intervene and present a different one, I'll get the standard certificate mistrust warning, so I'll know something's up.
  • I've spent enough money this month.

I can revoke the certificate any time, simply by removing trust.
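The trust model in the second bullet, and revocation by removing trust, can be checked locally with the `openssl` command line. This is an added example, not part of the original post; the hostname `blog.example.test`, the file names and the single-file trust store are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. Hostname, file names and certificates are constructed.
work=$(mktemp -d) && cd "$work" || exit 1

# make_cert <name>: write a self-signed cert <name>.pem (key in <name>.key).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=blog.example.test" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# trusted_by <store.pem> <presented.pem>: succeed only if the presented
# certificate verifies against the store. An empty store trusts nothing.
trusted_by() {
  [ -s "$1" ] || return 1
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# verdict <store.pem> <presented.pem>: print what the client would conclude.
verdict() {
  if trusted_by "$1" "$2"; then echo trusted; else echo WARNING; fi
}

make_cert mine        # the certificate the blog owner installed and trusts
make_cert impostor    # same CN, different key: what an interceptor could present
cp mine.pem store.pem # the trust store holds only the owner's certificate

echo "own certificate:         $(verdict store.pem mine.pem)"
echo "substituted certificate: $(verdict store.pem impostor.pem)"

: > store.pem         # "revoke" by removing the certificate from the store
echo "after removing trust:    $(verdict store.pem mine.pem)"
```

The substituted certificate carries the same subject name but fails verification, because trust is bound to the exact certificate in the store rather than to the name in it.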

PKI is designed to allow others to trust me via some trusted authority, and vice-versa. In this instance I am the trusted authority, and after all, I'm simply just trying to ensure my connection is private for authentication purposes, and I don't need others to have trust.

I may purchase a certificate in the future, simply to allow for protecting my external content from manipulation, but I don't really see that as a threat at this stage.