Open jsms90 opened 7 years ago
I think understanding SSL is really important, but it's probably beyond the scope of this workshop. Maybe the current link to further reading is fine, but with a section clarifying why Chrome is saying our site is insecure.
It might be worthwhile to explain exactly why we are generating these files. Just a quick overview of encryption and why it's great. Something like:
SSL is for encrypting data transferred between your server and the browser. This is to stop a 3rd party stealing user information by snooping on the network (e.g. over insecure public Wi-Fi).
A certificate is required for your server to use encryption. The problem with a "self-signed" certificate (what we're creating) is that there's no guarantee the browser is really connected to your server (rather than a "man-in-the-middle"). This is why browsers show a warning for self-signed certificates.
Usually certificates are "signed" by a 3rd party organisation which verifies that the key belongs to the site you are trying to connect to. E.g. if you get a certificate for an app running at https://example.com an attacker would not be able to hijack a browser's connection to this server without obtaining a valid certificate for example.com, which requires proving you own the domain.
It could also be worth linking to the Chrome flag for allowing insecure localhost: chrome://flags/#allow-insecure-localhost
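The distinction in the comment above (a self-signed certificate versus one signed by a third party, and why a certificate for one domain does not help with another) can be shown directly with the openssl command-line tool. This is an added example, not part of the workshop or this thread; it assumes `openssl` is installed, and the names "Demo Root CA" and "example.com" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the workshop or this thread). Uses the openssl CLI to
# show why a browser trusts a CA-signed certificate for example.com but warns
# about a self-signed one. "Demo Root CA" and example.com are constructed names.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A self-signed certificate (what the workshop generates): the key signs its
#    own certificate, so it only proves "whoever holds self.key issued this".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" \
  -keyout self.key -out self.crt 2>/dev/null

# 2. A tiny root CA standing in for the "3rd party organisation".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# 3. The site's own key, plus a certificate for it signed by that CA
#    (a real CA checks that you control the domain before signing).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
  -keyout site.key -out site.csr 2>/dev/null
printf 'subjectAltName=DNS:example.com\n' > san.ext
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -extfile san.ext -out site.crt 2>/dev/null

# trust_outcome <trust store|none> <certificate> [hostname]
# Prints "trusted" when the certificate chains to the given trust store AND its
# name matches the hostname (default example.com), otherwise "untrusted".
# "none" means an empty trust store: the browser has never heard of the issuer.
trust_outcome() {
  host=${3:-example.com}
  if [ "$1" = none ]; then
    opts="-no-CAfile -no-CApath"
  else
    opts="-no-CAfile -no-CApath -CAfile $1"
  fi
  if openssl verify $opts -verify_hostname "$host" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "self-signed, empty trust store:          $(trust_outcome none self.crt)"
echo "self-signed, cert itself added as trusted: $(trust_outcome self.crt self.crt)"
echo "CA-signed,   empty trust store:          $(trust_outcome none site.crt)"
echo "CA-signed,   CA trusted:                 $(trust_outcome ca.crt site.crt)"
echo "CA-signed,   presented for other.test:   $(trust_outcome ca.crt site.crt other.test)"
```

The second line is what clicking through the browser warning (or importing self.crt as trusted) amounts to: the certificate becomes trusted only because you personally vouched for it. The last line is the point made about example.com above: a perfectly valid certificate for one domain is still "untrusted" when presented for another hostname. Both certificates carry a subjectAltName because modern browsers (Chrome since version 58) match the hostname only against that extension, not the CN.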
@oliverjam Looks great! Thanks for all the effort :grin: - concisely describing this takes work :sweat_smile:
The only thing that I'm not sure about is the middle paragraph. I think that's still a little too complicated for someone who hasn't heard of any of it before :thinking: What is a "certificate" in this context, let alone a "self-signed certificate"? What does it mean for a certificate to be signed or not? Even if there are lots of signatures, there is never a "guarantee" (as such) that the browser is connected to your server.
Aside from that, fancy making a PR?
Need a proper explanation about what SSL/TLS is.
This could be:
Or, I could just provide a screenshot saying: you will see "this", then click "this", then click "this" in your browser. But telling someone to click on "proceed" when their browser says "not secure", and not explaining why, is incredibly unhelpful :sweat:
Any thoughts on how to strike a balance? @PiotrBerebecki @oliverjam