I see you don't have https yet on your website. You should look into that. Not only to up your security, but to also get rid of this message everyone will have now: https://i.imgur.com/dmTOscB.png (It's Dutch for "not secure"). But also because Google will rank you higher if you have https. And just because everyone should nowadays.
You can get free https with https://letsencrypt.org/
The site is getting popular, you need to convert it to use HTTPS then Google will most likely remove the notification.
If you want a free Security Cert you can go here and apply for one:
https://letsencrypt.org/getting-started/
I had to do this for one of my sites recently, as sites get more popular you run into this from time to time. It's not a conspiracy, it's just normal stuff that web admins deal with daily.
edit:
I also see that your site is doing an HTTP redirect, this can cause the phishing scam flag. Get your admin to fix this and quit blaming google for bad practices.
They added IDN support last month.
Fair warning: If you're trying to get a certificate for a domain with an IDN TLD (i.e. example.ак.срб), you'll run into a bug preventing issuance. The fix for that will probably be deployed by the end of next week.
Issuance for something like пример.com works right now.
Not only is she using SSL, she got the cert from Let's Encrypt -- they provide FREE TERRORIST PROTECTIONS and she's supporting them?
It's signed with a 2048-bit RSA key?
SSLLabs give her site an "A" rating?
Terrorist! Or maybe gigantic, retarded hypocrite. Depends on your perspective, I guess.
It irks me more that the site isn't https by default. It takes less than 5 minutes to get a Let's Encrypt cert, and I think it's even easier if your site is a static site served out of S3 via CloudFront.
Also, for anyone looking to get an SSL certificate. Don't be scammed by the many companies who charge you for it. Let's Encrypt is a great non-profit organization that provides free SSL certificates and an extremely easy to use program for getting the certificate installed. https://letsencrypt.org
Because the https site doesn't have a valid certificate associated with it. Windows has a built-in list of "Trusted Root Certification Authorities"; Firefox and Edge use this list, I think Chrome maintains its own list. Basically if you visit a site and it has a certificate created by one of the trusted CAs, your browser will show the green lock icon.
Just because it shows the green lock doesn't mean that the site won't scam you, it just means that it has a valid certificate and that traffic is encrypted until it reaches the server which has the private key to decrypt the message.
If the scammer wants they can just buy a certificate for their or get a free one from Let's Encrypt.
Here's their own explanation of costs and funding.
> Staffing is our dominant cost. We currently have eight full time employees, plus two full time staff that are employed by other entities (Mozilla and EFF).
> The majority of our administrative support (e.g. HR, payroll, accounting) is provided by the Linux Foundation, so we don’t hire for those roles
-
> Currently, the majority of our funding comes from corporate sponsorships.
Their Platinum level sponsors include Mozilla, Cisco, the EFF, and "Chrome" (not sure why it says that rather than Google/Alphabet). A couple of notable other sponsors include Facebook and DigitalOcean.
Right now, the major browsers support HTTP/2 only over TLS -> if you want HTTP/2, you'll have to use TLS. And small websites might not want to cough up $$$ just to have a nice certificate.
But the EFF is working on Let’s Encrypt, which will allow everyone to get (trusted) certificates for free!
edit: The EFF is of course happy if you send some bucks their way or buy some merchandise :)
Just to get your site on an SSL. Although there's no login on your site or any input (that I can see anyway), it's always best to secure the site, the link above allows you to do it for free.
Other than that, great work. I agree, parliament's site is a structural mess.
> this isn't an enormous deal.
>
> There are still plenty of non https websites out there.
This is a big deal. Nexus mods is presenting a login form and accepting passwords in an insecure manner. It's their responsibility to protect their users by forcing encrypted connections.
Encrypting websites is more important than you think. Not just for sites which do your banking or protect your identity, or only sites which have password forms.
> You can't just flip a switch and suddenly you're https and everything is great. It takes time and work to implement across your site.
Actually these days it's quite trivial. Let's Encrypt offers free certificates (not that it matters in this case, Nexus already has one). Most web frameworks support it natively (which again, doesn't matter in this case because Nexus already has enabled it).
> Https is something that the user needs to be aware of and watch out for. If you're on an insecure site, don't log in unless you're on a secure network.
Being on a secure network has nothing to do with it. The data you send and receive is unencrypted for its entire journey from your computer to the host. If the site doesn't offer secure connections, don't log in at all.
Welcome to the real world.
Words of advice/caution:
Don't enable FTP. Just don't. Use SFTP, SCP, rsync over SSH, or anything else that is actually secure. Just please don't use FTP, yes it is that bad.
Don't expose root over SSH
If you are in a shell and are about to run a 'rm -fr' command TRIPLE CHECK your typing. There is no undo.
To reiterate, in a shell there is no undo. Get used to triple checking your commands. No doubt you, like everyone else, will learn this from experience (mistakes).
Install iptables and fail2ban to prevent 99% of automated attacks. See https://www.digitalocean.com/community/tutorials/how-to-set-up-a-basic-iptables-firewall-on-centos-6 and https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6 - yes they are both for CentOS 6 but the principles are the same linux-wide
Check out letsencrypt (https://letsencrypt.org/) for free SSL certs. They are free and the internet is the wild west. Encrypt your traffic already.
I'm not arguing against your point, because it's certainly valid and not every website has a need to be on HTTPS.
But you can get a free cert from startssl.com right now, and then this summer get one from Let's Encrypt
Echoing what /u/kd7eir has said, check the URL options here, as you may need to now manually set them back. If you don't have any sort of access to phpMyAdmin or access to the database directly, we can dig some more to find another way in perhaps...
But, once you get those values fixed, it won't be as simple as saying "this site is https now". You'll need an SSL certificate to make your site have a legitimate HTTPS presence. Depending on how the site is set up, Let's Encrypt is a great way to set up SSL. I suggest taking a look there and certainly feel free to ask further questions if they come up.
Traefik supports LetsEncrypt's DNS-01 challenge, which allows you to generate real valid certificates without any hassle (no port forwarding, no CA management). You do need a real domain, but they're only a couple dollars a year.
TBH, I think the complexity of creating (and trusting) my own selfhosted CA on every single device I own just isn't worth it.
They took the graphic from this page, it's about domain validation. Basically they make you create a page and then sign something to verify you own the website.
I feel like the bigger issue is the Android OS. Outdated Android versions get left behind by apps and services. Websites break because a root certificate in the OS certificate store expires, and apps just stop supporting older OS versions because they added features that need APIs from the newer Android versions.
And phone makers stop pushing updates to their phones after a few years. Many don't even make the effort to upgrade Android.
https://letsencrypt.org/ is a site that will hand out free ssl certificates, including wild card certs. They even write tools that make the process fully automatic. There is no reason for any site to not support encryption these days.
> which will, depending on the CA, need to be internet accessible instead of securely behind a firewall to get that certificate, esp. since Lets Encrypt doesn't offer wildcard certs
You can use DNS validation to get Lets Encrypt certificates for hostnames that are not publicly accessible services (or which may not even be providing any services). Convenient for things like creating certs for email, or for generating real certs for your inside-the-firewall, RFC1918 services.
Also, LE will be doing wildcard certificates real soon now.
All that's orthogonal to your proposal, which I'm not entirely convinced by, as the whole space of UX that encourages security is complex and fragile, and this feels like it could be a bigger change in terms of attack space than it first appears. Needs more thought.
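The validation steps those comments describe (serve a page for HTTP-01, or publish a TXT record for DNS-01 when the host is not reachable) both derive from the ACME account key. Added example, not code from any of the posters or from Let's Encrypt: it computes the RFC 7638 key thumbprint, the RFC 8555 key authorization and both challenge responses, and checks them the way the CA side would; the JWK and token below are constructed samples, not a real key.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# RFC 7638: only the required public members take part in the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, keys in lexicographic order, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: token '.' thumbprint, binding the CA's token to this account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """HTTP-01 (RFC 8555 8.3): path the CA fetches over plain HTTP and the body it expects."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """DNS-01 (RFC 8555 8.4): TXT name and value = base64url(SHA-256(key authorization)).
    Only a hash is published, so the DNS record never reveals the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

# CA-side checks, i.e. what the validation server does with what it fetched.
def http01_valid(fetched_body: str, token: str, account_jwk: dict) -> bool:
    # RFC 8555 lets servers ignore trailing whitespace in the body, so strip it before comparing
    return fetched_body.rstrip() == key_authorization(token, account_jwk)

def dns01_valid(txt_values, domain: str, token: str, account_jwk: dict) -> bool:
    # Several TXT records may coexist (stale ones, another client's); any exact match satisfies it
    _, expected = dns01_record(domain, token, account_jwk)
    return expected in set(txt_values)

# Constructed sample account key and token (NOT a real key; n is deliberately truncated).
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "e": "AQAB",
    "alg": "RS256",  # extra member: must not affect the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, CA-issued in practice

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    name, value = dns01_record("example.org", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"HTTP-01: serve {path} with body {body}")
    print(f"DNS-01:  publish TXT {name} -> {value}")
```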
so the title is misleading? looks like let's encrypt root cert didn't just up and expire, it was a planned transition. this is cpanel's fuckup.
For those asking, it's fine that it's designed for people with little technical knowledge, but nowadays it's very easy and FREE to get SSL certificates for a domain
Let's Encrypt would be the same - https://letsencrypt.org/docs/certificate-compatibility/
But 30% of users on WinXP... It really must be a weird niche. XP doesn't even hit 2% on any of my sites, and the great majority of them are on SP3.
That is literally not how TLS/SSL works at all. There is zero human oversight to which account gets a cert. You can get them for free from https://letsencrypt.org/. You can absolutely use bogus data/shell corporations to hide your personal information. Please do not trust a website simply because it uses SSL.
And the problem isn't necessarily just the state. The service provider's neckbeards may well be laughing at your dwarf femdom fetish. Sure, with just a VPN that laughter may move to a different group of neckbeards, so unencrypted connections should be gotten rid of entirely. Hopefully we get there, and with Let's Encrypt sites shouldn't have any excuse not to offer encrypted connections.
This is literally one of the two reasons why they did 90 day certs - https://letsencrypt.org/2015/11/09/why-90-days.html - automation is good, I'm trying to convince my bosses of this so I can automate the certs for the ~120 small sites that we host.
Nobody gives a shit about that. Really. You've even got free, automated certificate authorities like Let's Encrypt. All you need to do to get a basic Domain Validated Cert is prove that you're the owner of the domain that you're trying to get the cert for.
Nobody cares what you're hosting there, that's not what certs are for.
Hell, phishing sites that serve up malware are starting to get certs (mostly from LE) to look more legit. It's that fast and easy. At this point in time, the only reason for not having a cert is laziness.
Extended Validation Certificates are a different pair of shoes, but you don't need those. They're just fancy stuff for more sensitive services, like banks and the like.
With Let's Encrypt eventually providing free SSL certificates to everyone who wants one, we're rapidly going to see a HTTPS-everywhere world become reality. Which is how it should be.
Haha that is awesome and pretty much what I think you should have to do to bypass a security feature. Perhaps it could gradually evolve as ssl certs get easier to get.
2016 "badidea"
2017 "YesthisisabadideaandIwanttodoitanyway"
2018 [please type a unique essay into the web browser explaining how people can be hurt by bypassing ssl certificates which will be sent to underpaid graduate students for grading]
HTTP can be cached by intermediate proxies, which can help reduce bandwidth consumption.
HTTPS introduces additional administrative overhead (certificate renewal, configuration changes, key distribution, additional servers, additional IP addresses) that may not be worth it.
Certificate authorities suck and it's nice not to have to interact with them. It's especially nice not to have to give them money.
Let's Encrypt should help the latter two enormously. About fucking time.
You should probably use StartSSL for now (free) and then dump it and use EFF's new automated certificate thingy launching this summer (also free).
This is why every website should be using SSL at this point. There's really no reason not to have a secure connection. You can get free SSL certificates from EFF so cost isn't even an issue.
Anyone else seeing an SSL error?
Oh. Well, someone seriously needs to fix this, it's embarrassingly wrong.
> The third constraint brings a problem: indeed, most certificate authorities known by the main browsers charge for their services, which consist in checking various data before generating the holy certificate...
So use this one. It requires nothing other than a cron job to prove that you still control the domain. No money has to change hands, it doesn't even need your real name or anything.
> This habit is pretty common among the groups of ingrained geeks who make the Free Software world, because they already know all that stuff and do not really care about the "identity certification" part.
Only if they don't know what a MITM is.
> HTTP servers cannot choose a different SSL certificate based on the domain name you are trying to reach, simply because they do NOT receive that piece of information BEFORE having to pick a certificate.
This was true once, but hasn't been true for a long time -- SNI is widely supported, certainly by all the browsers throwing up these big scary warnings.
OP, if you run that site, please fix your shit, this is embarrassing. If you don't, maybe link to the http versions, so as to not mislead people into thinking their connection is secure.
Linux distros that don't use HTTPS on their site immediately give me a bad first impression, have you considered getting a free certificate from Let's Encrypt? It's quick, easy, free and requires practically no messing around with configuration.
This sounds like a cool idea, but you're processing user credentials (i.e. letting people sign up for accounts and then signing them in) over HTTP, an insecure connection! Please don't do that!
In 2021 all websites should really use HTTPS, but definitely ones that allow logins need to.
Here is a link to the free LetsEncrypt documentation where you can get a certificate: https://letsencrypt.org/getting-started/
This is pretty interesting and comes at a time when I'm really starting to spin up a lot of internal webservers to do various things for my business. A wildcard certificate on my reverse proxy would make life a whole lot easier.
I haven't played with LetsEncrypt much... does anyone know how well supported IIS is? Can I set up a little Linux server that handles the issuing / renewing of certificates for their "With Shell" instructions, and then push those certificates onto the Windows IIS server in an automated way? Or is there a Windows client that works and is supported?
They do however maintain Certificate Revocation Lists, that most people never use. That in no way consumes an amount of resources equal to what you pay for certs.
But fear not! The Mozilla Foundation agrees with us, it's not yet here, but it is being rolled out and presumably being put in everyone's trusted CA list*. https://letsencrypt.org/
Create a free account at Cloudflare. Maybe it will handle it for a while with this traffic from reddit with cache enabled.
Or create a Github Page, IIRC there's no traffic restriction. I'm not sure why you chose WP for that, but it's not a good choice for a high traffic website IMO.
Also consider to be a high target since you've posted to treat it nicely, that's how people react. Let's hope it will be white hats, not black ones.
If you need any help, hit me up on PM.
Also Let's Encrypt, keep the internet secure please if you want to host it yourself.
Someone web cached it though (Thanks man!)
http://webcache.googleusercontent.com/search?q=cache:thelooter.com
Probably posted to the wrong sub by OP, yeah. But I do think that the PHP community should learn about Let's Encrypt and tell the world to embrace it. Hopefully it'll be included by default in many LAMP stacks, just like PHP.
For those interested, here's how it works: https://letsencrypt.org/howitworks/
Luckily Mozilla and the EFF are working on solving that. They are working on a new CA that will allow you get a cert for free just by being able to prove you control the website you want the cert for.
I think his argument was more along the lines of "If I need to cover a domain for one year with a "regular" CA, that's probably 1 issued certificate (or even less, with 3-year certificates). With Let's Encrypt, that's at least 4 certificates."
That being said, even the number of non-expired certificates is close to two million.
uhm... you can Google search for free SSL cert... I've used https://letsencrypt.org/ before, it works for Google Ads SSL cert verification (most stringent I have bumped into) and it is free
Let's Encrypt exposes an ACME standard API to support automatic renewal. There are many ACME scripts for different servers, environments, and DNS configurations that support automatic renewal and installation of Let's Encrypt certs.
LE offers a list on their site:
> Every browser in every device supports it. Every server in every data center supports it. ...
> Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.
source: https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html
I read an article recently and they run the entire db on a crazy high spec single server
https://letsencrypt.org/2021/01/21/next-gen-database-servers.html
“We run the CA against a single database in order to minimize complexity”
Don't buy any certificate, use Let's Encrypt instead, it's free.
It's a tool that gives you a certificate every three months. Once it's in place, it's pretty much set and forget.
Just a tip for your website, it is not over HTTPS which means a lot of people navigating to it will get a security warning and might not visit. You can set up https pretty easily at Let's Encrypt.
Edit: link to the correct website
> nothing to actually verify the end server is the real/authentic server for the site
Yes it does. If a fake server is trying to impersonate a legit website with a forged cert, your browser will warn you.
> There are plenty of commercial products out there that can forge/intercept certificates
This can only work if the enterprise imported its own CA in their corporate browser. On your own personal non-compromised browser, this can't happen. Your browser will warn you of the forged cert.
Now with the recent introduction of Certificate Transparency, https is technically known as impossible to forge. You can't prove us otherwise with a credible source. Because there are still not even academic research papers demonstrating how this could be done in practice. Technically, as far as we publicly know, it's not even technically feasible for big spy agencies like the NSA to forge https without getting caught right away by the security community before any damage is done.
> his whole "SSL all the things" trend is nothing more than another way to sell something
But it's free now! What are you talking about? Check out Let's Encrypt
> This HTTPS nonsense is an annoying "evolution" of the web
It's not annoying, it's an indispensable necessity. Browsing the web through http is dangerous. Not only for the eavesdropping, but also because the packets can be tampered with on the fly to inject malicious code in the page you are viewing, or malware in the binary files you downloaded, then infect your computer because you thought you were browsing a trustable website.
Everything should be https already. There is no legitimate reason not to. The only reason everything is not https already is because some people are still not aware of it, or dragging their feet and taking too long to https everything, or the "anti-vaxxers" of the web like you giving shitty advice based on misguided beliefs.
Yes, SMTP and HTTPS (TLS) use the same type (X.509) of cert. You can get one cert and use it for both services at the same time, even reference the same file.
You can buy one if you really want but have you heard of our lord and savior Let's Encrypt?
It takes a bit more setup but you can get a free cert and have it auto renew for free from an awesome CA.
Actually if you read the entire article, you will see in the section titled "HTTPS Excuses Defeated", free certificates can be obtained from https://www.startssl.com and in mid-2015, https://letsencrypt.org.
Hey nice website! It's really interesting to see how much food costs per week. I would really add HTTPS to it though as it would make the website look a lot more professional! https://letsencrypt.org/
There is no valid reason to delay switching to HTTPS. The security of your users should be prioritized. This costs your organization nothing but moments of your time.
Start with forwarding traffic to port 443, getting a valid Let’s Encrypt certificate and removing <filename>.php from URLs.
From https://letsencrypt.org/about/
>Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
>The key principles behind Let’s Encrypt are:
> * Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
> * Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
> * Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
> * Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
> * Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
> * Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
Let’s Encrypt's old root expired on Sep 30. Clients that are using older OS and software/devices that don’t have the new root will experience problems.
More info here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
You can find a list here: https://letsencrypt.org/docs/certificate-compatibility/
You have a fundamental misunderstanding of how Let's Encrypt works.
They do not generate, see, or store the private keys for the certificates they issue. The only private key that they have is their own, that they use to sign certificates (requested by clients) with.
Should that key be leaked, anyone could impersonate Let's Encrypt. However, the same can be said of literally every CA vendor out there today: should their private key be leaked, their CA certificate would have to be revoked, leading to a mass outage of certificates.
In reality, LE (and others) actually keep their root key fully offline for day to day operations. Instead, they create a subordinate certificate authority, and use that to sign end user certificates.
You can read more about the keys that LE uses here.
A post from 2012...why do we want to do this when we now have the likes of Let's Encrypt?
I can see this way being OK for 100% internal systems, but if anything is part of an extranet or even public-facing, then it's going to be less palatable.
Although you can issue longer-lived certs and wildcards. Hrm...think I just answered my own question.
The plan is to automate verifiable SSL certificates (for free). There will still be a need for CAs that do more than just check the domain name, but a basic level of "encrypt everything even if you still don't trust the operator" is better than "pay up or serve plaintext"
There are plenty out there.
Linux - dehydrated and certbot are good ACME clients.
Windows - Certify the Web
You can find most of the clients listed here. https://letsencrypt.org/docs/client-options/
Atropos just posted this to the Discord:
[Ongoing Event] Connectivity Failure for Self-Hosted Foundry VTT with the Foundry Website
======================================================================
Hi u/everyone, I'm sorry for the ping, but there is a widespread and ongoing event currently which has broken connectivity between the Foundry VTT self-hosted (Electron) application and the foundryvtt.com website. This impacts a number of features including module installation and license key signature.
Who is Impacted
You are impacted if you self-host Foundry VTT using the installed Electron application. If you host Foundry VTT using Node.js, or through one of our premium hosting service providers you are not impacted.
Some Technical Details
The issue is caused by a change in the LetsEncrypt root certificate, the provisioning authority that we use for the foundryvtt.com website (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/). This change was not expected to have any impact for us, so we have been unfortunately surprised to learn that Electron's implementation of OpenSSL does not trust the new root certificate.
Estimated Resolution Time
We are working to understand the process for generating a different certificate which uses an alternative chain that should still be trusted by Electron. There will be some research required in order for us to verify the correct process for this. My current expectation is that we can have these features restored within the next 5 hours, hopefully sooner but there are several unknowns here. Further updates to follow as we make progress.
Thank you for your understanding and patience. I apologize for the disruption of this
They have some pretty big players as donors. I think they are covered for a while.
Since this is a non-profit can we actually see how well they are off money wise?
It's been mentioned already by /u/bezelbumpython, but it begs repeating that MITM attacks are hilariously easy these days. While HTTPS redirect attacks can still affect users who don't use HTTPS Everywhere (or who follow old HTTP links to a site), it's still better security than not using HTTPS at all.
Plus, given you can quickly and easily get a free, high-quality cert from LetsEncrypt, there's absolutely no reason not to be serving HTTPS-only sites.
For anyone reading this, if you have full control over the Ops-side of things as well, this is a perfect example of why you should use Let's Encrypt if it fits your stack (e.g. don't absolutely need a Wildcard (till next year :D ) or EV certificate).
Automatic renewals can be configured.
Whoa whoa whoa.
You need to get Let's Encrypt and set up SSL on your website now.
You just advertised a website on Reddit that has login features but isn't protected by SSL.
Your admin page isn't even protected by SSL.
Do you want your site to get hacked? Because that's how you get your site hacked.
Seriously, Let's Encrypt is 100% free, lots of hosts supply it now, or you can install it yourself if you have SSH access to the server you use.
Probably due to the LetsEncrypt root cert expiring recently. If I'm at home and my browser is able to update off the internet, everything still works. Where I work we have a more locked down proxy and the browser updates have to be manually vetted by security, so I'm getting errors due to this on all kinds of common websites.
LetsEncrypt Windows Clients - https://letsencrypt.org/docs/client-options/
> even if it doesn't the time cost of doing this every 60 days is prohibitive
lrn2automate
You honestly think LetsEncrypt users are manually renewing certificates every 90 days?
But whatever, it's your money.
It's cross-signed by IdenTrust, which means it's supported on IE on Windows XP SP3 and later. (Older versions of XP don't support SHA-256 certificates, which means that basically all of the internet is broken.)
these days I think every site should have https, even the ones where nothing is entered :) with https://letsencrypt.org/ it's free and relatively simple, but if you're on some shared hosting they have to support it for it to work. I personally avoid entering any data unless it's encrypted, but I'm a bit crazy ;)
Click sponsors>become a sponsor>Donate
https://letsencrypt.org/become-a-sponsor/
DONATE (direct link)
As are others too (as the blog post you linked shows). Chrome is planning on it too: blink-dev › Intent to deprecate: Insecure usage of powerful features
And at the same time, Mozilla is working to make it easier for website owners to deploy HTTPS with Let's Encrypt.
This is all very good.
You're going to need a certificate, which you can get for free from Let's Encrypt.
Unfortunately I can't help you with hyper because I've never used it, but in general you'd tell your server to enable TLS and point it to your certificates. This might just be what you need.
> The address (Example: WoodFurniture.tk) It will have to end .tk to keep it free.
/u/bravom9 - It's much better to pay the $10-15/year for a domain name (eg. .com, .co.uk, .de) for legal ownership and rights, SEO (search engine optimization), and also brand recognition and trustworthiness (customers probably won't recognize '.tk' as a trusted domain).
The same applies to hosting, pay the additional ~$50/year.
PS. Get an SSL certificate, which is represented by the green 'lock' icon in the top-left of most browsers. It's more secure, and also better for SEO and trust. Google (Chrome) and Mozilla (Firefox) are pushing for this, too, so better start now.
Your calculation assumes that they've had a constant 5 million active certs for the last 3 years.
We don't have to guess at this; they have a public stats page which shows something very different from those numbers. https://letsencrypt.org/stats/
This is 100% free and widely used: https://letsencrypt.org/
I used to purchase paid certificates from these guys: https://www.ssls.com/ Great rates, and their website explains the different types and their cost differences.
Also, I wouldn't pay anyone more than $120-$160 to set up a certificate if you wanted to go that route.
I will most certainly check it out at home, added this link to my Pocket, looks good so far, but I have one major complaint: Your site does not have https enabled, thus not only possibly compromising your visitors who want to leave feedback by exposing their email on the Internet, but endangering your login page (which is an easily detectable WordPress), especially if you're administering this site from, for example, a public Wi-Fi. You should look at least at letsencrypt to get a free SSL certificate, or get a free/paid certificate from one of the many CAs out there. I'd suggest sticking with letsencrypt for your purpose though :)
Feel free to PM me if you have questions about securing your website. SSL configuration is dependent on the hosting you choose, so I can't really provide step-by-step instructions for your case.
Further read:
Many organizations are pushing for making HTTPS the default because it provides better security and privacy.
Google now gives higher SEO priority to sites using HTTPS so they can rank higher on the search.
Google Chrome is going to mark plain HTTP sites insecure in the future.
SSL certificates are also cheaper and easier to deploy with Let's Encrypt, which is a free certificate authority.
When we started the project we had no idea that so many people would write ACME clients. We're thrilled! It shows that lots of people in a diverse set of environments want to use Let's Encrypt, and that using a standardized protocol which allows for client diversity was the right move.
We document the client we recommend for most people, Certbot, pretty clearly on the client page at https://letsencrypt.org/docs/client-options/, so we're not too worried about confusion on that point.
-Jacob (Engineering)
Personally, for your internal services, I would set up an NGINX VM, configure it as a reverse proxy, get a free SSL certificate from LetsEncrypt, and enable HTTP auth. Then you can expose a single port to the internet and still access all of your internal web services. I expose port 443 for HTTPS and use Muximux as an interface for all of my internal services (Plex, OwnCloud, CouchPotato, Sonarr, etc.).
If you have public facing websites, I'd still secure them behind SSL (it's free) and reverse proxy them.
Mozilla's working on a free SSL certificate system, called Let's Encrypt. It has some software component and one of its features is that it will keep track of when your certificate is going to expire and automatically renew it.
The problem with wildcard certs is that if any of your machines gets compromised they have the same cert as all the other machines, which then causes a lot of hassle when you have to revoke all your certificates and get a new one. I would love to get a wildcard CA cert for my domains but those are almost impossible to get a hold of. It is just silly that different certificates have different prices when the validation steps are the same. The vendor is actually doing the same job for different costs, which is just wrong.
I can not wait until Let's Encrypt gets going as that will solve a lot of the hassle with certificate handling today. Just imagine getting a new certificate within seconds and without a human in the loop.
We had a ton of issues as well. We checked https://letsencrypt.org/docs/certificate-compatibility/ in advance and saw that Debian > 8 would be fine so we did not expect any issues, but a ton of stuff broke:
Debian 9 servers required the mozilla/DST_Root_CA_X3.crt to be removed from /etc/ca-certificates.conf. Debian 10 servers did not. Otherwise stuff like apt-get update to apt repos that used LE certs broke.
Ruby applications connecting to sites with LE certs would no longer connect on Debian 9 and 10. We were able to fix this by having acme.sh use Preferred-chain to the ISRG X1 cert.
Python applications connecting to sites with LE certs partially work. Debian 10 (Python 3.7) seems okay-ish now but on Debian 9 (Python 3.5) we had certifi and urllib installed through pip3 globally and these versions had issues. Removing them and replacing with the apt packages fixed that. However there are still a bunch of Ansible modules (i.e. the unarchive module and get_url module) that still won't work on Debian 9 servers. Still haven't found a fix for that and we had to disable SSL validation for now...
Really sad about this; did not expect so many issues especially since the Compatibility list on the LE site suggested everything would be fine :/
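The Debian trust-store edit the post above describes can be checked and applied mechanically instead of by hand. The following is an added example, not the poster's own script: in /etc/ca-certificates.conf each line names one certificate from the bundle and a leading "!" deselects it, after which update-ca-certificates rebuilds /etc/ssl/certs. The sample config file is constructed here so the functions run offline; the ISRG_Root_X1.crt entry name is assumed.

```shell
#!/bin/sh
# Added example: audit and edit a Debian-style ca-certificates.conf.
# Format recap: "#" starts a comment, "!" in front of an entry deselects it.
set -eu

# Print "enabled", "disabled" or "absent" for one entry (e.g. mozilla/DST_Root_CA_X3.crt).
ca_entry_state() {
    conf="$1"; entry="$2"
    if grep -qxF "$entry" "$conf"; then
        echo enabled
    elif grep -qxF "!$entry" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Deselect an entry in place (idempotent: an already-disabled line is left alone).
# The caller is expected to run update-ca-certificates afterwards.
ca_entry_disable() {
    conf="$1"; entry="$2"
    # Escape the regex metacharacters a bundle path could contain before using it in sed.
    pat=$(printf '%s' "$entry" | sed 's#[.[*^$]#\\&#g')
    sed -i "s|^$pat\$|!$entry|" "$conf"
}

# Constructed sample resembling the top of a Debian 9 trust-store config (not a real host's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
!mozilla/Some_Distrusted_CA.crt
EOF
}

# Stand-alone run: report, disable, report again on a temporary copy.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    echo "before: $(ca_entry_state "$tmp" mozilla/DST_Root_CA_X3.crt)"
    ca_entry_disable "$tmp" mozilla/DST_Root_CA_X3.crt
    echo "after:  $(ca_entry_state "$tmp" mozilla/DST_Root_CA_X3.crt)"
    rm -f "$tmp"
fi
```

Run it as `sh audit-ca.sh --demo` to see the before/after on the sample; against a real host, point the functions at /etc/ca-certificates.conf and follow with `update-ca-certificates` so the change actually reaches /etc/ssl/certs.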
I don't think you really need to support your own whole PKI infrastructure for this. For testing purposes, you can create a self-signed chain easily, using openssl for example.
If you want your server to be public, letsencrypt.org is the first place to look for a certificate. It's free and relatively easy despite some domain validation dancing.
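The self-signed test chain mentioned above, as an added example (not the commenter's commands): a root CA, an intermediate signed by it, and a leaf for one hostname, followed by two openssl verify calls that show the chain validates only when the intermediate is supplied. All names (Test Root CA, test.example.internal) are placeholders, and the script assumes an openssl with the x509 -req signing flags used here (1.1.1 or newer).

```shell
#!/bin/sh
# Added example: disposable root -> intermediate -> leaf chain for local testing.
set -eu

make_test_chain() {
    dir="$1"
    host="${2:-test.example.internal}"   # placeholder hostname
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing to do" >&2
        return 0
    fi
    mkdir -p "$dir"
    cfg="$dir/openssl.cnf"
    # One config file: a dummy DN section (overridden by -subj) plus one extension
    # section per certificate role.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed root: the one certificate a test client is told to trust.
    openssl req -x509 -new -config "$cfg" -extensions root_ext -sha256 -days 30 \
        -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # 2. Intermediate: CSR, then signed by the root with CA extensions.
    openssl req -new -config "$cfg" -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=Test Intermediate CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$cfg" -extensions int_ext \
        -out "$dir/intermediate.crt" 2>/dev/null
    # 3. Leaf for the hostname, signed by the intermediate.
    openssl req -new -config "$cfg" -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$cfg" -extensions leaf_ext \
        -out "$dir/leaf.crt" 2>/dev/null
    # What a server should actually send: leaf followed by intermediate.
    cat "$dir/leaf.crt" "$dir/intermediate.crt" > "$dir/fullchain.pem"
    # Check 1: trusting only the root, the leaf validates once the intermediate is supplied.
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/intermediate.crt" "$dir/leaf.crt" >/dev/null
    # Check 2: without it, verification must fail. This is the "works in a browser,
    # fails in curl/ruby/python" symptom of a server that omits its intermediate.
    if openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" >/dev/null 2>&1; then
        echo "unexpected: leaf verified without the intermediate" >&2
        return 1
    fi
    echo "chain written to $dir (serve fullchain.pem, trust root.crt in test clients)"
}
```

Usage: `make_test_chain ./testpki my.host.internal`; point a test client at root.crt only and configure the server with fullchain.pem plus leaf.key. If you configure leaf.crt alone instead, the second check is exactly the failure your clients will see.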
>If I understand this correctly, the only reason this is needed it, so that I can use Let's Encrypt, which needs to be tied to a domain, right? Or is there another reason to hide behind a domain (the IP is still visible regardless), except it being easier to type?
The domain name offers HTTPS, which is transport layer encryption. This encrypts all of your traffic over the internet to your server.
If you access something via IP rather than HTTPS://domain.name then the encryption will not work. HTTPS is tied to the domain.
>Despite reading like 10 articles on "reverse proxy" I still don't think I quite understand what it is
I know the feeling!
The 1 line explanation is that when you buy a domain, you usually route the domain & all subdomains to one place. A Reverse Proxy is a magic box that takes those subdomains (eg: mumble.your.domain OR otherservice.your.domain) and redirects them inside your network (both internal IP & specific ports). This means you only need port 443 & port 80 open (yes it's fine to keep port 80 open, see this: https://letsencrypt.org/docs/allow-port-80/), regardless of what port the service actually runs on.
This means you don't need to expose 1 port per service and that somebody actually CAN'T use your IP to get to those services as you're only exposing your reverse proxy, and that will throw out any request by IP.
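The layout the comment above describes, as an added example (not the commenter's own config): nginx listens on 80 and 443 only, routes two hostnames to internal address:port pairs, keeps port 80 for ACME challenges and redirects, and a catch-all server drops any request that arrives by bare IP or an unknown name. Hostnames, internal addresses and certificate paths are placeholders, and the catch-all assumes nginx 1.19.4 or newer for ssl_reject_handshake.

```nginx
# Catch-all: requests by IP or by a name not listed below get no response at all.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # abort TLS for unknown names without needing a certificate here
    return 444;                # nginx-specific: close the connection without a reply
}

# Port 80 for the real hostnames: answer HTTP-01 challenges, redirect everything else.
server {
    listen 80;
    server_name app.your.domain otherservice.your.domain;   # placeholders
    location /.well-known/acme-challenge/ { root /var/www/acme; }   # placeholder webroot
    location / { return 301 https://$host$request_uri; }
}

# One HTTPS server block per internal service; only the proxy is reachable from outside.
server {
    listen 443 ssl;
    server_name app.your.domain;
    ssl_certificate     /etc/letsencrypt/live/your.domain/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/your.domain/privkey.pem;     # placeholder
    location / {
        proxy_pass http://192.168.1.10:8080;   # placeholder internal address:port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name otherservice.your.domain;
    ssl_certificate     /etc/letsencrypt/live/your.domain/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/your.domain/privkey.pem;     # placeholder
    location / {
        proxy_pass http://192.168.1.11:3000;   # placeholder internal address:port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check it with `nginx -t` before reloading. The default_server blocks are what make "request by IP gets thrown out" true: without them nginx would answer an IP-addressed request using the first server block it finds.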
No company information is needed for a basic certificate. "Extended validation" certificates are useless anyway, since browsers have one after another removed all the visual indicators that marked them.
It's free.
Some suggestions and advice based on experience...
I suggest you buy a domain and create a sub of that domain. There will never be any doubt it is your location and you will not have trouble buying certificates in the future. For example, I own [familyname].family and my home domain is home.[familyname].family. This affords me some stability to host a web server on the web (https://[familyname].family) for public access, email and basic web page and at the same time, have a sub domain that is valid and rightfully mine but on premise and firewalled off.
It has been mentioned here that 'internal' and 'external' are good ideas. That may be the case when you have split networking or split DNS but with IPv6, nobody is going to be NATing in the future, so this is not necessary and who wants to maintain split networks or split DNS - just make one network and firewall it off as you desire.
'home' is generic and looks okay in AD ('username@home' or 'home\username') or LDAP. If you go with something trendy and cool, like dictator.domain.name it is hard to change when the joke becomes old.
I strongly advise not to use a made up domain and definitely don't create a domain with a generic TLD such as .lab or .local or .home... In some cases these TLDs are controlled by RFCs or they are actually owned by somebody. Using a domain name, even in part, that belongs to another party is enough to lose control by hijacking, and there have been some demonstrations of this attack vector.
1Q2018 LetsEncrypt will be offering wildcard certs. If you have a valid domain name system, it will be easy to implement a cert that is valid for your entire lab: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html
I hope this helps, cheers.
Serious question, what would the benefit of HTTPS be on my programming blog? I've considered switching (particularly now Let's Encrypt provides free certs) but can't really see the point.
Just wanted to chime in since no one else has said it. "Free certificates" is NOT why LetsEncrypt is a big deal. There have been free trusted certs, e.g. with StartSSL, for a very long time. The revolution that LetsEncrypt is starting is really that they automated the process of giving out certificates. This is the key step that has been missing from all the other free (or even non-free) cert providers. In the past, setting up HTTPS has been an honest to goodness nightmare to do, taking even an experienced sysadmin over an hour to do. LetsEncrypt replaces all that fuss with a single command, which can be run as a cronjob for renewals, that makes a cert, gets it signed, and installs it for your webserver, all in one go. Even a first time user will have no trouble. That is why LetsEncrypt is revolutionary, and you can certainly see it from their statistics. https://letsencrypt.org/stats/
Considering that https certificates are practically free nowadays there is really no excuse to not have the entire website run over https (or at the very least the registration/login). This should be the number one priority fix in my opinion and it makes me question how secure the rest of the system really is...
I don't want to sound like I'm super paranoid or anything, but is there a reason you don't use SSL on the site? Considering the fact that the site is dealing with the Steam API I imagine someone's session ID being sniffed and hijacked could have some not so nice consequences. If you need an SSL certificate, there's some really easy ways to get them for free, notably Let's Encrypt.
Guys, what are your thoughts about Let's Encrypt?
My firm recently bought a wildcard SSL cert for a LOT of money. I really think that Let's Encrypt could pave the way here compared to the current SSL cert providers.
Many interactive websites use Cache-Control: no-cache, so that loading a page will always return the most recent version of a page. Apparently, 14 years ago, Firefox was strong-armed by banks into breaking the back button for https pages that use no-cache.
With the now-public hard evidence of the NSA's activities, many are pushing for websites to use encryption. The Let's Encrypt initiative, for example. But even though modern computers are fast enough that the overhead of encryption is negligible, in Firefox https websites, such as Reddit, are much slower than http websites, because the back button spends a substantial fraction of a second reloading the page from the network. (Or several seconds, for slow connections and mobile devices.)
The rationale for the previous decision was that https indicated that a page contained especially sensitive information, and that, if the back button were allowed to reload no-cache https pages from the bfcache, people would access these especially sensitive pages on public computers, log out of the website, and not close the tab or the window, and then nefarious actors would be able to hit the back button and see the sensitive information.
But this is a very unusual scenario. It only affects people who access sensitive websites on public computers and refuse to follow best practices even when they are frequently reminded by the logout page itself. And even then, my experience with banking websites is that the information they contain is not particularly sensitive (unless you consider your account balance to be sensitive). Account numbers and credit card numbers are only shown in the last 2 or 4 digits, and actual actions, such as funds transfers or password changes, are not possible.
I do not think Firefox should be degrading the user experience of the vast majority in order to protect a tiny fraction of people who are using their computers incorrectly.
Check out Let's Encrypt. It should be available this year and makes certs pretty trivial. I've been using StartSSL and Comodo certs for SPDY for a while and I can't wait to migrate.
Caddy uses Let's Encrypt, which is just one of the CAs it supports. (Caddy supports any ACME-compatible CA.)
I'd recommend:
What technologies are you using?
Did you create a Github repository? If it is opensource, you could have more help from others.
For https cert you can use https://letsencrypt.org/, it's free and very easy to use if you are hosting on a linux server.
[The website doesn't look clean.](https://a.uguu.se/ZRwz6cRhEmzk.png)
Get yourself a free SSL certificate. That way, people might feel a bit better while giving out their personal info.
That just doesn't look clean. Also clean that logo a bit I guess.
3. Obviously, ditch the "Book now", and those call buttons as they are now.
Indeed really crazy asking you to enter all that info in free text over the toobs.
Revolut site admins, if you're watching, https://letsencrypt.org offers you free certificates if money is tight.
I personally run a raspberry pi that I use as my internal gateway for these services. I have nginx installed as a reverse proxy and I use letsencrypt.org to get my certs with certbot-auto as the client.
This solution can be used to front many services as a passthrough which offloads SSL.
Can we get a Valid cert please? The website does have a login. So it should have SSL at LEAST on the login page. It's 2018 signed certs are free https://letsencrypt.org/
edit: referring to the forums. I and many others on the interwebs refuse to signup/login via clear text.
Private key. I don't really see the use case, though – Let's Encrypt allows revoking certs without the private key, so if for whatever reason you don't like what Github is doing you can nuke their cert.
>(yet)
I doubt they will in the future, either. From their FAQ: >Let’s Encrypt offers Domain Validation (DV) certificates. We do not offer Organization Validation (OV) or Extended Validation (EV) primarily because we cannot automate issuance for those types of certificates.