SSL is an important part of the infrastructure of the Internet. It provides three assurances: the computer you're talking to is the one you meant to talk to, the message you're reading was really sent by the computer you're talking to, and the message you're reading hasn't been read by anyone else. I've mentioned before that I think increasing the cryptographic noise floor is important, so I thought I'd write a bit about what SSL does and how to put together a strong webserver configuration.
Posts tagged ssl
I have this app Catsnap that I use to organize my photos (as well as gifs I pick up around the internet). It stores the images on Amazon S3, and has a CloudFront distribution attached for OMGFAST load times. The CloudFront distro has an ugly domain, though--"d5hwde6hzncg6.cloudfront.net". The links don't look like something you should click.
So, this problem has a trivial solution, right? Just make a CNAME pointing e.g. cdn.erincall.com to d5whatever.cloudfront.net? Yes, BUT: I'd no longer be able to use SSL/TLS. The SSL/TLS model ties certificates to particular domain names, so the certificate Amazon has for *.cloudfront.net is invalid for cdn.erincall.com (or any domains other than *.cloudfront.net). I think using SSL/TLS is important, so that wasn't acceptable.
Fortunately, the SNI extension to TLS offers a fix for this, and CloudFront has supported it since March 2014. Let's get into setting it up!