The future is encrypted

hpkp
Do you know the new hotness in TLS/SSL security for webservers? Try HPKP (currently an RFC draft). What is that again? Certificate pinning for your webserver/vhost. Imagine a government or a rogue CA issuing a valid certificate for your domain and eavesdropping on connections to your server (for whatever specific reason). You can mitigate that by telling visitors of your page (that is, their browsers) which key to expect. There is a great page on the Mozilla developer site that explains it in detail. In short: you extract the fingerprint of the public key you used for the certificate and put it into an HTTP header.

HPKP checking is already in Chrome and enabled by default. For Firefox I see it planned for January 2015. One obstacle remains: with this technique you rely on a "trusted first visit", since the browser only learns the pins from a connection it has already accepted. You may also want to consider introducing DNSSEC in your domain(s), but that is another story.
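To make the mechanism concrete, here is an added example (not code from the original post) that computes pin values the way HPKP expects, assembles the Public-Key-Pins header, and models the browser-side check including the "trusted first visit" gap. The SPKI byte strings are constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo blobs; with a real deployment you would extract those from your certificate or key. The PinStore class, its method names and the host name are assumptions for this illustration.

```python
"""HPKP pin computation and a model of the browser-side pin check.

Added illustration, not code from the original post. The "SPKI" byte
strings below are constructed stand-ins for DER-encoded
SubjectPublicKeyInfo structures; real ones come from your certificate or
key. The pin rule follows the HPKP spec: pin-sha256 = base64(SHA-256(SPKI DER)).
"""
import base64
import hashlib
import re
import time

# Constructed placeholders for SubjectPublicKeyInfo DER blobs (not real keys).
SPKI_CURRENT = b"constructed-spki-der:current-key"
SPKI_BACKUP = b"constructed-spki-der:backup-key"
SPKI_ROGUE = b"constructed-spki-der:rogue-ca-issued-key"


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest of the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(pins, max_age, include_subdomains=False):
    """Assemble the Public-Key-Pins header value.

    The spec requires at least two pins so that a backup key (kept offline)
    can be rolled in without locking returning visitors out of the site.
    """
    if len(pins) < 2:
        raise ValueError("HPKP needs a backup pin: supply at least two pins")
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={int(max_age)}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp_header(value):
    """Extract pins and max-age from a header value; None if it must be ignored."""
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value)
    age = re.search(r"(?:^|;)\s*max-age=(\d+)", value)
    if len(pins) < 2 or age is None:
        return None  # no max-age or no backup pin: browsers discard the header
    return {
        "pins": set(pins),
        "max_age": int(age.group(1)),
        "include_subdomains": bool(re.search(r";\s*includeSubDomains", value, re.I)),
    }


class PinStore:
    """Minimal model of a browser's pin cache (trust on first use)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pins = {}  # host -> (set of pins, expiry timestamp)

    def learn(self, host, header_value, chain_spkis):
        """Remember pins from a response, but only if the served chain matches them."""
        parsed = parse_hpkp_header(header_value)
        if parsed is None:
            return False
        if not any(spki_pin(s) in parsed["pins"] for s in chain_spkis):
            return False  # a chain that does not satisfy its own pins is never noted
        self._pins[host] = (parsed["pins"], self._now() + parsed["max_age"])
        return True

    def check(self, host, chain_spkis):
        """True if the connection is allowed: nothing pinned yet, or a pin matches."""
        entry = self._pins.get(host)
        if entry is None or entry[1] <= self._now():
            return True  # no (unexpired) pins: this is the "trusted first visit" gap
        pins, _ = entry
        return any(spki_pin(s) in pins for s in chain_spkis)


if __name__ == "__main__":
    header = build_hpkp_header(
        [spki_pin(SPKI_CURRENT), spki_pin(SPKI_BACKUP)], 5184000, include_subdomains=True
    )
    print("Public-Key-Pins:", header)
```

The store only accepts a header when the chain that delivered it already satisfies the pins, and it lets any chain through for a host it has no pins for; that second branch is exactly why the post says the scheme relies on a trusted first visit.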