Showing posts with label tls. Show all posts

Tuesday, 6 March 2018

HTTP is dead, long live HTTPS

"FTP is deprecated, HTTP is deprecated, at least it should be now that we have secure replacements"

Really not sure where I read that quote. One of the traps of being in the industry so long. It might have been on a security mailing list back in the early noughties. I remember vehemently nodding in agreement... I've been sad for years that my own site was still not running SSL/TLS. I've endeavored a number of times to get it up to HTTPS. But see, I am cheap, and I use Blogger's free service for my domain (Blogger for your domain), so HTTPS wasn't available.
Well, it is now, and I thought I'd do a quick how-to for those that also have Blogger.

It is really simple, like Blogger has been for all those years. But it looks to be a beta feature (how long did Google stay in beta for...). So you need to visit https://draft.blogger.com. If you are already logged in to Blogger, you'll be logged in here too.

Now simply click on Settings and scroll down to the HTTPS section. Change the first drop-down to "Yes".
Now wait about 20 minutes while Google generates a https://letsencrypt.org certificate for you and applies it to your site. Come back to this section and change the HTTPS redirect to "Yes" as well. And if, like me, you have multiple blogs, go through each and change them all to the same.

Obviously not a super technical post this time, but good to see even free (as in beer) services get security features of sorts.
Of course, if you have any other kind of hosting, get a Let's Encrypt cert and use it; the future is encrypted.

Monday, 21 January 2013

SSL is dead, long live TLS1.0, er 1.1, er 1.x

So I thought I would post this as I couldn't find a definitive answer anywhere: how to enable HTTP Strict Transport Security, or HSTS, on IIS 7.5 on Windows 2008 R2. It is really, really simple.
Open IIS Manager, navigate to the site and go to HTTP Response Headers. Add a new HTTP response header with a name of Strict-Transport-Security and a value of max-age=300.




Then click OK. From my experience, you will more than likely need to restart IIS to get this to work.

I also thought I might mention how to enable TLS 1.1 and TLS 1.2. Save the below as a .reg file and do the old regedit /s file.reg from an elevated prompt to get it imported, then reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
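
An added check, not part of the original post: after the reboot, this PowerShell function reads back the four Client/Server keys from the .reg file above and reports whether each holds Enabled=1 and DisabledByDefault=0. The function name Get-SchannelProtocolState and the MatchesRegFile column are made up for this example; it uses only built-in cmdlets and does not modify the registry.

```powershell
# Added example: read-only audit of the SCHANNEL protocol keys set by the .reg file.
# Get-SchannelProtocolState is a hypothetical name chosen for this example.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('TLS 1.1', 'TLS 1.2')
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($p in $Protocol) {
        foreach ($role in @('Client', 'Server')) {
            $key = Join-Path (Join-Path $base $p) $role

            # A missing key or missing value stays $null, which shows that
            # the import did not create it.
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }

            # True only when both values equal what the .reg file writes.
            $matches = ($enabled -eq 1) -and ($disabledByDefault -eq 0)

            New-Object PSObject -Property @{
                Protocol          = $p
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                MatchesRegFile    = $matches
            } | Select-Object Protocol, Role, Enabled, DisabledByDefault, MatchesRegFile
        }
    }
}

$state = @(Get-SchannelProtocolState)
$state | Format-Table -AutoSize

# List any key that does not match, so a failed import is obvious.
$bad = @($state | Where-Object { -not $_.MatchesRegFile })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} key(s) do not match the .reg file." -f $bad.Count)
}
```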


Another awesome page I found during my travels that needs more publicity is by Qualys. It does a full SSL/TLS implementation test and tells you how you fared:
https://www.ssllabs.com/ssltest/
After this you may want to change your cipher suites, which in 2008 R2 can now be done in gpedit. Anyway, that is it for this quick brain dump.
