diff options
| author | Achilleas Pipinellis <axil@gitlab.com> | 2018-02-08 14:28:51 +0000 |
|---|---|---|
| committer | Achilleas Pipinellis <axil@gitlab.com> | 2018-02-08 14:28:51 +0000 |
| commit | 8a53025d57a34c95b5503ae17ce6622eca5e2372 (patch) | |
| tree | 06fab8d4c91f22f2c82426eb9890668db177dd83 /doc | |
| parent | bbb3e58bc7143df31355baddc970670e1e64503d (diff) | |
| parent | 0ddaaae2fcef62aed3b8f071972455ebda3a03a1 (diff) | |
| download | gitlab-ce-8a53025d57a34c95b5503ae17ce6622eca5e2372.tar.gz | |
Merge branch 'docs-pages-https' into 'master'
Docs: bring important info from blog post to doc
See merge request gitlab-org/gitlab-ce!16837
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/user/project/pages/getting_started_part_three.md | 33 | ||||
| -rw-r--r-- | doc/user/project/pages/index.md | 1 |
2 files changed, 29 insertions, 5 deletions
diff --git a/doc/user/project/pages/getting_started_part_three.md b/doc/user/project/pages/getting_started_part_three.md index 0096f8507d2..a153610c712 100644 --- a/doc/user/project/pages/getting_started_part_three.md +++ b/doc/user/project/pages/getting_started_part_three.md @@ -155,15 +155,40 @@ Certificates are NOT required to add to your custom (sub)domain on your GitLab Pages project, though they are highly recommendable. -The importance of having any website securely served under HTTPS -is explained on the introductory section of the blog post -[Secure GitLab Pages with StartSSL](https://about.gitlab.com/2016/06/24/secure-gitlab-pages-with-startssl/#https-a-quick-overview). +Let's start with an introduction to the importance of HTTPS. +Alternatively, jump ahead to [adding certificates to your project](#adding-certificates-to-your-project). -The reason why certificates are so important is that they encrypt +#### Why should I care about HTTPS? + +This might be your first question. If our sites are hosted by GitLab Pages, +they are static, hence we are not dealing with server-side scripts +nor credit card transactions, then why do we need secure connections? + +Back in the 1990s, where HTTPS came out, [SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0) was considered a "special" +security measure, necessary just for big companies, like banks and shoppings sites +with financial transactions. +Now we have a different picture. [According to Josh Aas](https://letsencrypt.org/2015/10/29/phishing-and-malware.html), Executive Director at [ISRG](https://en.wikipedia.org/wiki/Internet_Security_Research_Group): + +> _We’ve since come to realize that HTTPS is important for almost all websites. It’s important for any website that allows people to log in with a password, any website that [tracks its users](https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/) in any way, any website that [doesn’t want its content altered](http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/), and for any site that offers content people might not want others to know they are consuming. We’ve also learned that any site not secured by HTTPS [can be used to attack other sites](http://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/)._ + +Therefore, the reason why certificates are so important is that they encrypt the connection between the **client** (you, me, your visitors) and the **server** (where you site lives), through a keychain of authentications and validations. +How about taking Josh's advice and protecting our sites too? We will be +well supported, and we'll contribute to a safer internet. + +#### Organizations supporting HTTPS + +There is a huge movement in favor of securing all the web. W3C fully +[supports the cause](https://w3ctag.github.io/web-https/) and explains very well +the reasons for that. Richard Barnes, a writer for Mozilla Security Blog, +suggested that [Firefox would deprecate HTTP](https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/), +and would no longer accept unsecured connections. Recently, Mozilla published a +[communication](https://blog.mozilla.org/security/2016/03/29/march-2016-ca-communication/) +reiterating the importance of HTTPS. + ### Issuing Certificates GitLab Pages accepts [PEM](https://support.quovadisglobal.com/kb/a37/what-is-pem-format.aspx) certificates issued by diff --git a/doc/user/project/pages/index.md b/doc/user/project/pages/index.md index 8404d789de6..df245710940 100644 --- a/doc/user/project/pages/index.md +++ b/doc/user/project/pages/index.md @@ -54,7 +54,6 @@ _Blog posts for securing GitLab Pages custom domains with SSL/TLS certificates:_ - [CloudFlare](https://about.gitlab.com/2017/02/07/setting-up-gitlab-pages-with-cloudflare-certificates/) - [Let's Encrypt](https://about.gitlab.com/2016/04/11/tutorial-securing-your-gitlab-pages-with-tls-and-letsencrypt/) (outdated) -- [StartSSL](https://about.gitlab.com/2016/06/24/secure-gitlab-pages-with-startssl/) (deprecated) ## Advanced use |