Adam Langley works at Google with the network stack in Google Chrome and on Google’s HTTPS serving infrastructure. He recently spoke at HOPE Number Nine. Here’s some bits from his talk I found it important to highlight:
Don’t train users to ignore certificate errors:
You should get a real certificate. You probably already have one but, if you don’t, then you’re just training more people to ignore certificate errors and you can’t have HSTS without a real certificate. StartSSL give them away for free. Get one.
Protect your cookies:
HTTP and HTTPS cookie jars are the same. No really: cookies aren’t scoped to a protocol! That means that if you set a Cookie on https://example.com and then make a request to http://example.com, the cookies will be sent in the clear! In order to prevent this, you should be setting secure on your HTTPS cookies. Sadly this is a very easy thing to miss because everything will still work if you omit it, but without the secure tag, attackers can easily steal your cookies.
Forward secrecy, something I haven’t thought much about before I read this:
You should consider forward secrecy. Forward secrecy means that the keys for a connection aren’t stored on disk. You might have limited the amount of information that you log in order to protect the privacy of your users, but if you don’t have forward secrecy then your private key is capable of decrypting all past connections. Someone else might be doing the logging for you.