Security is a lot like car insurance. Most people don't want to pay for it. I agree with... some people don't.

So here's the thing for me: I don't mind paying for car insurance, because it means that if I destroy my car or it gets stolen, you get your money back, and then it's fine. It's sort of an investment. The thing that I don't like about it is I'm not going to read the massive 50-page-long legal document they send you in the process of getting said car insurance. That's it. Like, I'm fine with it happening, like the payment going out to get it. It's everything around it. I never read those agreements. I'm not even committed enough to read the iTunes license agreement.

So, and yeah, that's basically exactly the same thing as I've done for my site. Like, the whole point of SSL is to keep users secure. And, like, for service worker it does actually make a lot of sense. Yep, because you're gonna have something controlling a page in the background, and if someone can get in the middle and then swap out the service worker, like, addyosmani.com/blog could get straight to my site, my blog posts. I could steal all your ad revenue. If anything, it would probably be an improvement in content quality. Not true.

But I can understand the main point of it. The problem that I have with all of this is, like, it's really hard to learn about SSL. A, like, there's tons of old content: "Yeah, this is how you set up SSL on your site." It's useful, but it's old. Yeah. And then secondly, there were so many different factors to the whole thing. So when I was trying to set this stuff up on my site, and I don't even default to HTTPS just yet, because I still don't know how to handle all the mixed content security warnings I'm getting from the third parties I'm loading, like, widgets and share buttons in from. Yeah. And it's like all the tooling around this is sort of a minefield to me. I find it hard to navigate those waters.
So I've literally done numerous, like, steps into how I got it on my site, and even then, like, I've got issues. So the first one was, like, SSL Labs. You just bang in your URL and it will look at your site and figure out whether, like, HTTP redirects to HTTPS, and just the configuration of HTTPS on your site. So if I bang in gauntface.com in SSL Labs, I was at one point getting a glorious A+, which I was very happy about, and now I've been downgraded to a C.

Have you changed your site a lot? No. So what's happened is there was the POODLE vulnerability, yes, and I think that's basically all through SSL 3, and I've still got SSL 3 support on, I see, on my site. So even though everything is actually doing really well, like hundred and nineties for, like, the scores on each, like, top-level topic, they've kept me to a C because of SSL 3 and POODLE. I guess it's cool that they're keeping it up to date. Yeah, so this is a nice thing: you can keep on regularly running through this and it will keep it up to date and track everything.

Yeah, a really nice thing with this is it's really good. Like, it's a ton of information, like, possibly too much, but at the same time, things like protocols, it's saying: do you support SSL 2? No. Do you support SSL 3? Yes, it's insecure. These are the cipher suites that you have. And literally, if there's one particular thing that it's like, "This is actually really, like, a bad practice," it highlights it, and then you can at least go and Google and find out the problem. So this was the first thing that I found. I was like, sweet, these are all the places that I suck, and overall I'm doing bad, well, or whatever.

The best thing I found after this was the Mozilla SSL configuration generator, and this thing is a godsend. Does it do all the work for you? Yes, so good. So basically one of the issues that I have was, like, how do I know what a good SSL cipher suite is? And that's all I have to tell you good, bad.
The problem is it doesn't necessarily tell you the right names to put in your configuration file. Enter the Mozilla SSL config generator. So you can select, like, Apache or Nginx. You can select what sort of browser support you want, so you can be, like, really harsh and be like, if there's an old browser that requires XYZ to work, you can just basically say, "Sorry, I'm not gonna support that for security reasons," or whatever else. And it literally just gives you the config file, like, everything just set up. That's awesome. So I'm looking at it and already the SSL protocols doesn't include SSL 3, which is why I'm now set to POODLE. So all I have to do is literally copy this back over and I'm good to go.

Then very recently, the past week or so, yeah, someone introduced me to httpsecurityreport.com. It's HTTP Security Report. Okay. What does it do? So it literally is very similar to SSL Labs. It's kind of nice because it gives you an even higher level of, like, overview of where you're doing well on your site. But this looks at slightly different things. Like, I've never considered the content security policy of my site, which is things like, if you're pulling in third-party resources like Google Fonts, you can basically say, if I have a CSP policy which excludes that, it won't load even though I called it in on my web page. So with your mixed content thing, you could sit there and say CSP is just addyosmani.com. That would all just get shot down, which is not what you want. But it's an interesting point that I've never even considered as a thing until I used this tool.

This tool is neat. The current default, like, non-HTTPS version of my site is getting a very, very respectable 17 out of 100 at the moment. That's good. It's great.
I'm getting 17 out of 100 rather than 20, just saying. Let's go with that. And the HTTPS version is getting a solid 51. Nice, that's not too bad. Like, I'm only on 62, so I've got some work to do.

But the interesting thing with this is it actually picks out things like web framework information. And that's things like, oh, PHP is actually saying this is a version of PHP you support, or you're actually on version X of Nginx, which again I wouldn't have ever thought of looking into, because in my head I wouldn't expect those tools to be sharing that kind of information by default. No, let alone it be a security issue anyway. But those three things I found immensely helpful when it's I'm using the basic to guide where I spend all my time and effort and work. Sounds good.