SSL/TLS Certificates

Read this document for a brief overview of SSL/TLS certificates in the scope of GitLab Pages, for beginners in web development.

Every GitLab Pages project on GitLab.com will be available under HTTPS for the default Pages domain (*.gitlab.io). Once you set up your Pages project with your custom (sub)domain, if you want it secured by HTTPS, you will have to issue a certificate for that (sub)domain and install it on your project.

Note: Certificates are NOT required to add to your custom (sub)domain on your GitLab Pages project, though they are highly recommendable.

Let’s start with an introduction to the importance of HTTPS.

Why should I care about HTTPS?

This might be your first question. If our sites are hosted by GitLab Pages, they are static, hence we are not dealing with server-side scripts nor credit card transactions, then why do we need secure connections?

Back in the 1990s, where HTTPS came out, SSL was considered a “special” security measure, necessary just for big companies, like banks and shoppings sites with financial transactions. Now we have a different picture. According to Josh Aas, Executive Director at ISRG:

We’ve since come to realize that HTTPS is important for almost all websites. It’s important for any website that allows people to log in with a password, any website that tracks its users in any way, any website that doesn’t want its content altered, and for any site that offers content people might not want others to know they are consuming. We’ve also learned that any site not secured by HTTPS can be used to attack other sites.

Therefore, the reason why certificates are so important is that they encrypt the connection between the client (you, me, your visitors) and the server (where you site lives), through a keychain of authentications and validations.

How about taking Josh’s advice and protecting our sites too? We will be well supported, and we’ll contribute to a safer internet.

Organizations supporting HTTPS

There is a huge movement in favor of securing all the web. W3C fully supports the cause and explains very well the reasons for that. Richard Barnes, a writer for Mozilla Security Blog, suggested that Firefox would deprecate HTTP, and would no longer accept unsecured connections. Recently, Mozilla published a communication reiterating the importance of HTTPS.

Issuing Certificates

GitLab Pages accepts certificates provided in the PEM format, issued by Certificate Authorities (CAs) or as self-signed certificates. Note that self-signed certificates are typically not used for public websites for security reasons and to ensure that browsers trust your site’s certificate.

There are various kinds of certificates, each one with a certain security level. A static personal website will not require the same security level as an online banking web app, for instance.

There are some certificate authorities that offer free certificates, aiming to make the internet more secure to everyone. The most popular is Let’s Encrypt, which issues certificates trusted by most of browsers, it’s open source, and free to use. See GitLab Pages integration with Let’s Encrypt to enable HTTPS on your custom domain.

Similarly popular are certificates issued by CloudFlare, which also offers a free CDN service. Their certs are valid up to 15 years. See the tutorial on how to add a CloudFlare Certificate to your GitLab Pages website.