I see you don't have https yet on your website. You should look into that. Not only to up your security, but also to get rid of this message everyone will see now: [link] (it's Dutch for "not secure"). But also because Google will rank you higher if you have https. And just because everyone should nowadays.
You can get free https with [link]
The site is getting popular, you need to convert it to use HTTPS; then Google will most likely remove the notification.
If you want a free Security Cert you can go here and apply for one:
I had to do this for one of my sites recently, as sites get more popular you run into this from time to time. It's not a conspiracy, it's just normal stuff that web admins deal with daily.
I also see that your site is doing an HTTP redirect, this can cause the phishing scam flag. Get your admin to fix this and quit blaming Google for bad practices.
They added IDN support last month.
Fair warning: If you're trying to get a certificate for a domain with an IDN TLD (i.e. example.ак.срб), you'll run into a bug preventing issuance. The fix for that will probably be deployed by the end of next week.
Issuance for something like пример.com works right now.
Not only is she using SSL, she got the cert from Let's Encrypt -- they provide FREE TERRORIST PROTECTIONS and she's supporting them?
It's signed with a 2048bit RSA key?
SSLLabs give her site an "A" rating?
Terrorist! Or maybe gigantic, retarded hypocrite. Depends on your perspective, I guess.
It irks me more that the site isn't https by default. It takes less than 5 minutes to get a Let's Encrypt cert, and I think it's even easier if your site is a static site served out of S3 via CloudFront.
Also, for anyone looking to get an SSL certificate. Don't be scammed by the many companies who charge you for it. Let's Encrypt is a great non-profit organization that provides free SSL certificates and an extremely easy to use program for getting the certificate installed.
Because the https site doesn't have a valid certificate associated with it. Windows has a built-in list of "Trusted Root Certification Authorities"; Firefox and Edge use this list, I think Chrome maintains its own list.
Basically if you visit a site and it has a certificate created by one of the trusted CAs, your browser will show the green lock icon.
Just because it shows the green lock doesn't mean that the site won't scam you, it just means that it has a valid certificate and that traffic is encrypted until it reaches the server which has the private key to decrypt the message.
If the scammer wants, they can just buy a certificate for their site or get a free one from Let's Encrypt.
Here's their own explanation of costs and funding.
> Staffing is our dominant cost. We currently have eight full time employees, plus two full time staff that are employed by other entities (Mozilla and EFF).
> The majority of our administrative support (e.g. HR, payroll, accounting) is provided by the Linux Foundation, so we don’t hire for those roles
> Currently, the majority of our funding comes from corporate sponsorships.
Their Platinum level sponsors include Mozilla, Cisco, the EFF, and "Chrome" (not sure why it says that rather than Google/Alphabet). A couple of notable other sponsors include Facebook and DigitalOcean.
Right now, the major browsers support HTTP/2 only over TLS -> if you want HTTP/2, you'll have to use TLS. And small websites might not want to cough up $$$ just to have a nice certificate.
But the EFF is working on Let’s Encrypt, which will allow everyone to get (trusted) certificates for free!
edit: The EFF is of course happy if you send some bucks their way or buy some merchandise :)
Just to get your site on an SSL. Although there's no login on your site or any input (that I can see anyway), it's always best to secure the site, the link above allows you to do it for free.
Other than that, great work. I agree, parliament's site is a structural mess.
> this isn't an enormous deal.
> There are still plenty of non https websites out there.
This is a big deal. Nexus mods is presenting a login form and accepting passwords in an insecure manner. It's their responsibility to protect their users by forcing encrypted connections.
Encrypting websites is more important than you think. Not just for sites which do your banking or protect your identity, or only sites which have password forms.
>You can't just flip a switch and suddenly you're https and everything is great. It takes time and work to implement across your site.
Actually these days it's quite trivial. Let's Encrypt offers free certificates (not that it matters in this case, Nexus already has one). Most web frameworks support it natively (which again, doesn't matter in this case because Nexus already has enabled it).
>Https is something that the user needs to be aware of and watch out for. If you're on an insecure site, don't log in unless you're on a secure network.
Being on a secure network has nothing to do with it. The data you send and receive is unencrypted for its entire journey from your computer to the host. If the site doesn't offer secure connections, don't log in at all.
Welcome to the real world.
Words of advice/caution:
Don't enable FTP. Just don't. Use SFTP, SCP, rsync over SSH, or anything else that is actually secure. Just please don't use FTP, yes it is that bad.
Don't expose root over SSH
If you are in a shell and are about to run a 'rm -fr' command TRIPLE CHECK your typing. There is no undo.
To reiterate, in a shell there is no undo. Get used to triple checking your commands. No doubt you, like everyone else, will learn this from experience (mistakes).
Install iptables and fail2ban to prevent 99% of automated attacks. See [link] and [link] - yes they are both for CentOS 6 but the principles are the same Linux-wide.
Check out letsencrypt ([link]) for free SSL certs. They are free and the internet is the wild west. Encrypt your traffic already.
I'm not arguing against your point, because it's certainly valid and not every website has a need to be on HTTPS.
But you can get a free cert from startssl.com right now, and then this summer get one from Let's Encrypt
Echoing what /u/kd7eir has said, check the URL options here, as you may need to now manually set them back. If you don't have any sort of access to phpMyAdmin or access to the database directly, we can dig some more to find another way in perhaps...
But, once you get those values fixed, it won't be as simple as saying "this site is https now". You'll need an SSL certificate to make your site have a legitimate HTTPS presence. Depending on how the site is set up, Let's Encrypt is a great way to set up SSL. I suggest taking a look there and certainly feel free to ask further questions if they come up.
They took the graphic from this page, it's about domain validation. Basically they make you create a page and then sign something to verify you own the website.
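The "create a page and then sign something" that the comment above describes is the ACME http-01 challenge (RFC 8555 section 8.3): the CA hands the client a random token, the client publishes a "key authorization" (the token, a dot, and the RFC 7638 thumbprint of its ACME account key) at `/.well-known/acme-challenge/<token>` over plain HTTP, and the CA fetches it and compares. The Go program below is an added example, not Let's Encrypt's or any client's code; it plays both sides on a loopback test server. `NewAccountKey`, `NewToken`, `SimulateHTTP01` and the two-key mismatch case are constructed here to show that the response is bound to one specific account key, not just to the token.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewAccountKey makes a fresh ACME account key (2048-bit RSA, constructed for this example).
func NewAccountKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// NewToken mimics the random challenge token the CA hands out: at least 128 bits, base64url.
func NewToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b64url(b)
}

// Thumbprint is the RFC 7638 JWK thumbprint of an RSA public key: SHA-256 over the
// canonical JSON {"e":..,"kty":"RSA","n":..} (required members only, lexicographic
// order, no whitespace), base64url-encoded without padding.
func Thumbprint(pub *rsa.PublicKey) string {
	jwk := map[string]string{
		"e":   b64url(big.NewInt(int64(pub.E)).Bytes()),
		"kty": "RSA",
		"n":   b64url(pub.N.Bytes()),
	}
	canon, _ := json.Marshal(jwk) // encoding/json sorts map keys, which is the required order
	sum := sha256.Sum256(canon)
	return b64url(sum[:])
}

// KeyAuthorization is what the client must publish (RFC 8555 section 8.1): token "." thumbprint.
func KeyAuthorization(token string, acct *rsa.PublicKey) string {
	return token + "." + Thumbprint(acct)
}

// ChallengePath is the path the CA's validator fetches over plain HTTP on port 80.
func ChallengePath(token string) string { return "/.well-known/acme-challenge/" + token }

// ValidateResponse is the CA's check: the body must equal the expected key
// authorization; RFC 8555 lets the server ignore trailing whitespace, nothing else.
func ValidateResponse(body, token string, acct *rsa.PublicKey) bool {
	return strings.TrimRight(body, " \t\r\n") == KeyAuthorization(token, acct)
}

// SimulateHTTP01 plays both sides on loopback: the site serves the key authorization
// for servedKey, the validator fetches it and expects the one for expectedKey.
func SimulateHTTP01(token string, servedKey, expectedKey *rsa.PublicKey) (bool, error) {
	mux := http.NewServeMux()
	mux.HandleFunc(ChallengePath(token), func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		io.WriteString(w, KeyAuthorization(token, servedKey))
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	resp, err := http.Get(srv.URL + ChallengePath(token))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	return ValidateResponse(string(body), token, expectedKey), nil
}

func main() {
	acct := NewAccountKey()
	tok := NewToken()
	fmt.Println("serve at:", ChallengePath(tok))
	fmt.Println("body:    ", KeyAuthorization(tok, &acct.PublicKey))
	ok, err := SimulateHTTP01(tok, &acct.PublicKey, &acct.PublicKey)
	fmt.Println("validated:", ok, err)
}
```

The design point worth noticing is that the token alone proves nothing: whoever answers must also hold the account key whose thumbprint is in the body, which is why a stale challenge file left by a different client (or a different account) fails validation rather than silently issuing a certificate to the wrong account.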
[link] is a site that will hand out free ssl certificates, including wild card certs. They even write tools that make the process fully automatic. There is no reason for any site to not support encryption these days.
> which will, depending on the CA, need to be internet accessible instead of securely behind a firewall to get that certificate, esp. since Lets Encrypt doesn't offer wildcard certs
You can use DNS validation to get Let's Encrypt certificates for hostnames that are not publicly accessible services (or which may not even be providing any services). Convenient for things like creating certs for email, or for generating real certs for your inside-the-firewall, RFC 1918 services.
Also, LE will be doing wildcard certificates real soon now.
All that's orthogonal to your proposal, which I'm not entirely convinced by, as the whole space of UX that encourages security is complex and fragile, and this feels like it could be a bigger change in terms of attack space than it first appears. Needs more thought.
For those asking, it's fine that it's aimed at people with little technical knowledge, but these days it's very easy and FREE to get SSL certificates for a domain
Let's Encrypt would be the same - [link]
But 30% users with WinXP... It really must be a weird niche. XP doesn't even hit 2% on any of my sites, and the great majority of them are on SP3.
That is literally not how TLS/SSL works at all. There is zero human oversight to which account gets a cert. You can get them for free from [link]. You can absolutely use bogus data/shell corporations to hide your personal information. Please do not trust a website simply because it uses SSL.
And the problem isn't necessarily just the state. The service provider's neckbeards may well be snickering at your dwarf femdom fetish. Sure, with just a VPN that snickering may move to a different group of neckbeards, so unencrypted connections should be gotten rid of entirely. Hopefully we get there, and with Let's Encrypt sites shouldn't have any excuse not to offer encrypted connections.
This is literally one of the two reasons why they did 90 day certs - [link] - automation is good, I'm trying to convince my bosses of this so I can automate the certs for the ~120 small sites that we host.
Nobody gives a shit about that. Really. You've even got free, automated certificate authorities like Let's Encrypt. All you need to do to get a basic Domain Validated Cert is prove that you're the owner of the domain that you're trying to get the cert for.
Nobody cares what you're hosting there, that's not what certs are for.
Hell, phishing sites that serve up malware are starting to get certs (mostly from LE) to look more legit. It's that fast and easy. At this point in time, the only reason for not having a cert is laziness.
Extended Validation Certificates are a different pair of shoes, but you don't need those. They're just fancy stuff for more sensitive services, like banks and the like.
With Let's Encrypt eventually providing free SSL certificates to everyone who wants one, we're rapidly going to see a HTTPS-everywhere world become reality. Which is how it should be.
Haha that is awesome and pretty much what I think you should have to do to bypass a security feature. Perhaps it could gradually evolve as ssl certs get easier to get.
[please type a unique essay into the web browser explaining how people can be hurt by bypassing ssl certificates which will be sent to underpaid graduate students for grading]
HTTP can be cached by intermediate proxies, which can help reduce bandwidth consumption.
HTTPS introduces additional administrative overhead (certificate renewal, configuration changes, key distribution, additional servers, additional IP addresses) that may not be worth it.
Certificate authorities suck and it's nice not to have to interact with them. It's especially nice not to have to give them money.
Let's Encrypt should help the latter two enormously. About fucking time.
You should probably use StartSSL for now (free) and then dump it and use EFF's new automated certificate thingy launching this summer (also free).
This is why every website should be using SSL at this point. There's really no reason not to have a secure connection. You can get free SSL certificates from EFF so cost isn't even an issue.
Anyone else seeing an SSL error?
Oh. Well, someone seriously needs to fix this, it's embarrassingly wrong.
> The third constraint brings a problem: indeed, most certificate authorities known by the main browsers charge for their services, which consist in checking various data before generating the holy certificate...
So use this one. It requires nothing other than a cron job to prove that you still control the domain. No money has to change hands, it doesn't even need your real name or anything.
> This habit is pretty common among the groups of ingrained geeks who make the Free Software world, because they already know all that stuff and do not really care about the "identity certification" part.
Only if they don't know what a MITM is.
> HTTP servers cannot choose a different SSL certificate based on the domain name you are trying to reach, simply because they do NOT receive that piece of information BEFORE having to pick a certificate.
This was true once, but hasn't been true for a long time -- SNI is widely supported, certainly by all the browsers throwing up these big scary warnings.
OP, if you run that site, please fix your shit, this is embarrassing. If you don't, maybe link to the http versions, so as to not mislead people into thinking their connection is secure.
Linux distros that don't use HTTPS on their site immediately give me a bad first impression, have you considered getting a free certificate from Let's Encrypt? It's quick, easy, free and requires practically no messing around with configuration.
This is pretty interesting and comes at a time when I'm really starting to spin up a lot of internal webservers to do various things for my business. A wildcard certificate on my reverse proxy would make life a whole lot easier.
I haven't played with LetsEncrypt much... does anyone know how well supported IIS is? Can I set up a little Linux server that handles the issuing / renewing of certificates for their "With Shell" instructions, and then push those certificates onto the Windows IIS server in an automated way? Or is there a Windows client that works and is supported?
They do however maintain Certificate Revocation Lists, that most people never use. That in no way consumes an amount of resources equal to what you pay for certs.
But fear not! The Mozilla Foundation agrees with us, it's not yet here, but it is being rolled out and presumably being put in everyone's trusted CA list*. [link]
Create a free account at Cloudflare. Maybe it will handle it for a while with this traffic from reddit with cache enabled.
Or create a Github Page, IIRC there's no traffic restriction. I'm not sure why you choose WP for that, but it's not a good choice for high traffic website IMO.
Also consider to be a high target since you've posted to treat it nicely, that's how people react. Let's hope it will be white hats, not black ones.
If you need any help, hit me up on PM.
Also Let's Encrypt, keep the internet secure please if you want to host it yourself.
Someone web cached it though (Thanks man!)
Probably posted to the wrong sub by OP, yeah. But I do think that the PHP community should learn about Let's Encrypt and tell the world to embrace it. Hopefully it'll be included by default in many LAMP stacks, just like PHP.
For those interested, here's how it works: [link]
Luckily Mozilla and the EFF are working on solving that. They are working on a new CA that will allow you get a cert for free just by being able to prove you control the website you want the cert for.
All publicly-trusted CAs (which includes Let's Encrypt) have to go through WebTrust (or ETSI) audits annually. Additionally, they do annual third-party reviews of their code and infrastructure (mentioned here).
Their CA software, boulder, also happens to be Open Source.
I think his argument was more along the lines of "If I need to cover a domain for one year with a "regular" CA, that's probably 1 issued certificate (or even less, with 3-year certificates). With Let's Encrypt, that's at least 4 certificates."
That being said, even the number of non-expired certificates is close to two million.
Let's Encrypt exposes an ACME standard API to support automatic renewal. There are many ACME scripts for different servers, environments, and DNS configurations that support automatic renewal and installation of Let's Encrypt certs.
LE offers a list on their site:
> Every browser in every device supports it. Every server in every data center supports it. ...
> Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.
> nothing to actually verify the end server is the real/authentic server for the site
Yes it does. If a fake server is trying to impersonate a legit website with a forged cert, your browser will warn you.
> There are plenty of commercial products out there that can forge/intercept certificates
This can only work if the enterprise imported its own CA in their corporate browser. On your own personal non-compromised browser, this can't happen. Your browser will warn you of the forged cert.
Now with the recent introduction of Certificate Transparency, https is technically known as impossible to forge. You can't prove us otherwise with a credible source. Because there are still not even academic research papers demonstrating how this could be done in practice. Technically, as far as we publicly know, it's not even technically feasible for big spy agencies like the NSA to forge https without getting caught right away by the security community before any damage is done.
> his whole "SSL all the things" trend is nothing more than another way to sell something
But it's free now! What are you talking about? Check out Let's Encrypt
> This HTTPS nonsense is an annoying "evolution" of the web
It's not annoying, it's an indispensable necessity. Browsing the web through http is dangerous. Not only for the eavesdropping, but also because the packets can be tampered with on the fly to inject malicious code in the page you are viewing, or malware in the binary files you downloaded, then infect your computer because you thought you were browsing a trustable website.
Everything should be https already. There is no legitimate reason not to. The only reason everything is not https already is because some people are still not aware of it, or dragging their feet and taking too long to https everything, or the "anti-vaxxers" of the web like you giving shitty advice based on misguided beliefs.
Yes, SMTP and HTTPS (TLS) use the same type (X.509) of cert. You can get one cert and use it for both services at the same time, even reference the same file.
You can buy one if you really want but have you heard of our lord and savior Let's Encrypt?
It takes a bit more setup but you can get a free cert and have it auto renew for free from an awesome CA.
Actually if you read the entire article, you will see in the section titled "HTTPS Excuses Defeated", free certificates can be obtained from [link] and in mid-2015, [link].
There is no valid reason to delay switching to HTTPS. The security of your users should be prioritized. This costs your organization nothing but moments of your time.
Start with forwarding traffic to port 443, getting a valid Let’s Encrypt certificate and removing <filename>.php from URLs.
>Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
>The key principles behind Let’s Encrypt are:
>* Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
>* Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
>* Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
>* Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
>* Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
>* Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
You have a fundamental misunderstanding of how Let's Encrypt works.
They do not generate, see, or store the private keys for the certificates they issue. The only private key that they have is their own, that they use to sign certificates (requested by clients) with.
Should that key be leaked, anyone could impersonate Let's Encrypt. However, the same can be said of literally every CA vendor out there today: should their private key be leaked, their CA certificate would have to be revoked, leading to a mass outage of certificates.
In reality, LE (and others) actually keep their root key fully offline for day to day operations. Instead, they create a subordinate certificate authority, and use that to sign end user certificates.
You can read more about the keys that LE uses here.
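The comment above on key handling (the CA never sees the site's private key; an offline root signs an online intermediate; the intermediate signs end-entity certs) and the earlier comment on trusted root lists (a valid cert means the chain reaches a root in the browser's store, not that the site is honest) are both easy to demonstrate with Go's standard `crypto/x509`. The program below is an added example: a constructed miniature of that hierarchy, not Let's Encrypt's actual code, keys or names. `toyCA`, `siteCSR`, `issue`, `verify` and the "Rogue Root" are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// toyCA is a CA certificate together with its signing key (constructed for this example).
type toyCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

func serial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	return s
}

// newCA creates a CA certificate. parent == nil gives a self-signed root;
// otherwise the parent signs it, which is how an intermediate is made.
func newCA(name string, parent *toyCA) *toyCA {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &toyCA{cert: cert, key: key}
}

// siteCSR is the site operator's half: the private key is generated locally and
// only the public key, wrapped in a CSR, is ever sent to the CA.
func siteCSR(host string) ([]byte, *ecdsa.PrivateKey) {
	siteKey := mustKey()
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host},
	}, siteKey)
	must(err)
	return der, siteKey
}

// issue is the intermediate's half: check the CSR's self-signature, then sign the
// public key it carries. The site's private key never appears here.
func (ca *toyCA) issue(csrDER []byte) []byte {
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	must(csr.CheckSignature())
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // the 90-day lifetime the thread mentions
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	must(err)
	return der
}

// verify is the browser's half: accept the leaf only if it chains through the
// presented intermediate to a root in the trust store and names the requested host.
func verify(leafDER []byte, intermediate *x509.Certificate, roots *x509.CertPool, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// Scenarios reports, per labelled case, whether the browser check passes.
func Scenarios() map[string]bool {
	root := newCA("Toy Root (offline)", nil)
	inter := newCA("Toy Intermediate (online)", root)
	trusted := x509.NewCertPool()
	trusted.AddCert(root.cert) // the browser's "Trusted Root Certification Authorities"
	rogueRoot := newCA("Rogue Root (in no trust store)", nil)
	rogueInter := newCA("Rogue Intermediate", rogueRoot)

	out := map[string]bool{}
	csr, _ := siteCSR("shop.example")
	out["legit site, trusted chain"] = verify(inter.issue(csr), inter.cert, trusted, "shop.example") == nil
	csr, _ = siteCSR("shop-example-login.test") // a lookalike domain gets an equally valid cert
	out["lookalike site, trusted chain"] = verify(inter.issue(csr), inter.cert, trusted, "shop-example-login.test") == nil
	csr, _ = siteCSR("shop.example")
	out["forged cert from untrusted root"] = verify(rogueInter.issue(csr), rogueInter.cert, trusted, "shop.example") == nil
	return out
}

func main() {
	for label, ok := range Scenarios() {
		fmt.Printf("%-34s verified=%v\n", label, ok)
	}
}
```

The second scenario is the point of the trusted-root comment: a domain-validated cert for a lookalike name verifies exactly like the real site's, so the lock icon attests to the connection, not to the operator. The third is the point of the key-handling comment: a cert from a CA whose root is not in the store fails no matter how it was made, and the only secret that would change that is the trusted CA's own signing key, which is why that key stays offline behind an intermediate.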
A post from 2012...why do we want to do this when we now have the likes of Let's Encrypt?
I can see this way being OK for 100% internal systems, but if anything is part of an extranet or even public-facing, then it's going to be less palatable.
Although you can issue longer-lived certs and wildcards. Hrm...think I just answered my own question.
The plan is to automate verifiable SSL certificates (for free). There will still be a need for CAs that do more than just check the domain name, but a basic level of "encrypt everything even if you still don't trust the operator" is better than "pay up or serve plaintext"
They have some pretty big players as donors. I think they are covered for a while.
Since this is a non-profit can we actually see how well they are off money wise?
It's been mentioned already by /u/bezelbumpython, but it begs repeating that MITM attacks are hilariously easy these days. While HTTPS redirect attacks can still affect users who don't use HTTPS Everywhere (or who follow old HTTP links to a site), it's still better security than not using HTTPS at all.
Plus, given you can quickly and easily get a free, high-quality cert from LetsEncrypt, there's absolutely no reason not to be serving HTTPS-only sites.
For anyone reading this, if you have full control over the Ops-side of things as well, this is a perfect example of why you should use Let's Encrypt if it fits your stack (e.g. don't absolutely need a Wildcard (till next year :D ) or EV certificate).
Automatic renewals can be configured.
Whoa whoa whoa.
You need to get Let's Encrypt and set up SSL on your website now.
You just advertised a website on Reddit that has login features but isn't protected by SSL.
Your admin page isn't even protected by SSL.
Do you want your site to get hacked? Because that's how you get your site hacked.
Seriously, Let's Encrypt is 100% free, lots of hosts supply it now, or you can install it yourself if you have SSH access to the server you use.
LetsEncrypt Windows Clients - [link]
> even if it doesn't the time cost of doing this every 60 days is prohibitive
You honestly think LetsEncrypt users are manually renewing certificates every 90 days?
But whatever, it's your money.
It's cross-signed by IdenTrust, which means it's supported on IE on Windows XP SP3 and later. (Older versions of XP don't support SHA-256 certificates, which means that basically all of the internet is broken.)
These days I think every site should have https, even the ones where nothing is entered :) with [link] it's free and relatively simple, but if you're on some shared hosting they have to support it for it to work. I personally avoid entering any data that isn't encrypted, but I'm a bit crazy ;)
Click sponsors>become a sponsor>Donate
DONATE (direct link)
As are others too (as the blog post you linked shows). Chrome is planning on it too: blink-dev › Intent to deprecate: Insecure usage of powerful features
And at the same time, Mozilla is working to make it easier for website owners to deploy HTTPS with Let's Encrypt.
This is all very good.
You're going to need a certificate, which you can get for free from Let's Encrypt.
Unfortunately I can't help you with hyper because I've never used it, but in general you'd tell your server to enable TLS and point it to your certificates. This might just be what you need.
> The address (Example: WoodFurniture.tk) It will have to end .tk to keep it free.
/u/bravom9 - It's much better to pay the $10-15/year for a domain name (eg. .com, .co.uk, .de) for legal ownership and rights, SEO (search engine optimization), and also brand recognition and trustworthiness (customers probably won't recognize '.tk' as a trusted domain).
The same applies to hosting, pay the additional ~$50/year.
PS. Get an SSL certificate, which is represented by the green 'lock' icon in the top-left of most browsers. It's more secure, and also better for SEO and trust. Google (Chrome) and Mozilla (Firefox) are pushing for this, too, so better start now.
Your calculation assumes that they've had a constant 5 million active certs for the last 3 years.
We don't have to guess at this; they have a public stats page which shows something very different from those numbers. [link]
This is 100% free and widely used: [link]
I use to purchase paid certificates from these guys: [link] Great rates, and their website explains the different types and their cost differences.
Also, I wouldn't pay anyone more than $120-$160 to set up a certificate if you wanted to go that route.
I will most certainly check it out at home, added this link to my Pocket, looks good so far, but I have one major complaint: Your site does not have https enabled, thus not only possibly compromising your visitors who want to leave feedback by exposing their email on the Internet, but endangering your login page (which is an easily detectable WordPress), especially if you administer this site from, for example, a public Wi-Fi. You should look at least at letsencrypt to get a free SSL certificate, or get a free/paid certificate from one of the many CAs out there. I'd suggest sticking with letsencrypt for your purpose though :)
Feel free to PM me if you have questions about securing your website. SSL configuration is dependent on the hosting you choose, so I can't really provide step-by-step instructions for your case.
Many organizations are pushing for making HTTPS the default because it provides better security and privacy.
Google now gives higher SEO priority to sites using HTTPS so they can rank higher on the search.
Google Chrome is going to mark plain HTTP sites insecure in the future.
SSL certificates are also cheaper and easier to deploy with Let's Encrypt, which is a free certificate authority.
When we started the project we had no idea that so many people would write ACME clients. We're thrilled! It shows that lots of people in a diverse set of environments want to use Let's Encrypt, and that using a standardized protocol which allows for client diversity was the right move.
We document the client we recommend for most people, Certbot, pretty clearly on the client page at [link], so we're not too worried about confusion on that point.
Personally, for your internal services, I would set up an NGINX VM, configure it as a reverse proxy, get a free SSL certificate from LetsEncrypt, and enable HTTP auth. Then you can expose a single port to the internet and still access all of your internal web services. I expose port 443 for HTTPS and use Muximux as an interface for all of my internal services (Plex, OwnCloud, CouchPotato, Sonarr, etc.).
If you have public facing websites, I'd still secure them behind SSL (it's free) and reverse proxy them.
Mozilla's working on a free SSL certificate system, called Let's Encrypt. It has some software component and one of its features is that it will keep track of when your certificate is going to expire and automatically renew it.
The problem with wildcard certs is that if any of your machines gets compromised they have the same cert as all the other machines, which then causes a lot of hassle when you have to revoke all your certificates and get a new one. I would love to get a wildcard CA cert for my domains but those are almost impossible to get a hold of. It is just silly that different certificates have different prices when the validation steps are the same. The vendor is actually doing the same job for different costs, which is just wrong.
I can not wait until Let's Encrypt gets going as that will solve a lot of the hassle with certificate handling today. Just imagine getting a new certificate within seconds and without a human in the loop.
Some suggestions and advice based on experience...
I suggest you buy a domain and create a sub of that domain. There will never be any doubt it is your location and you will not have trouble buying certificates in the future. For example, I own [familyname].family and my home domain is home.[familyname].family. This affords me some stability to host a web server on the web (https://[familyname].family) for public access, email and basic web page and at the same time, have a sub domain that is valid and rightfully mine but on premise and firewalled off.
It has been mentioned here that 'internal' and 'external' are good ideas. That may be the case when you have split networking or split DNS but with IPv6, nobody is going to be NATing in the future, so this is not necessary and who wants to maintain split networks or split DNS - just make one network and firewall it off as you desire.
'home' is generic and looks okay in AD ('[email protected]' or 'home\username') or LDAP. If you go with something trendy and cool, like dictator.domain.name it is hard to change when the joke becomes old.
I strongly advise not to use a made up domain and definitely don't create a domain with a generic TLD such as .lab or .local or .home... In some cases these TLDs are controlled by RFCs or they are actually owned by somebody. Using a domain name even in part, that belongs to another party is enough to lose control by hijacking and there have been some demonstrations of this attack vector.
1Q2018 LetsEncrypt will be offering wildcard certs. If you have a valid domain name system, it will be easy to implement a cert that is valid for your entire lab: [link]
I hope this helps, cheers.
Serious question, what would the benefit of HTTPS be on my programming blog? I've considered switching (particularly now Let's Encrypt provides free certs) but can't really see the point.
Just wanted to chime in since no one else has said it. "Free certificates" is NOT why LetsEncrypt is a big deal. There have been free trusted certs, e.g. with StartSSL, for a very long time. The revolution that LetEncrypt is starting is really that they automated the process of giving out certificates. This is the key step that has been missing from all the other free (or even non-free) cert providers. In the past, setting up HTTPS has been an honest to goodness nightmare to do, taking even an experienced sysadmin over an hour to do. LetsEncrypt replaces all that fuss with a single command, which can be run as a cronjob for renewals, that makes a cert, gets it signed, and installs it for your webserver, all in one go. Even a first time user will have no trouble. That is why LetsEncrypt is revolutionary, and you can certainly see it from their statistics. [link]
Considering that https certificates are practically free nowadays there is really no excuse to not have the entire website run over https (or at the very least the registration/login). This should be the number one priority fix in my opinion and it makes me question how secure the rest of the system really is...
I don't want to sound like I'm super paranoid or anything, but is there a reason you don't use SSL on the site? Considering the fact that the site is dealing with the Steam API I imagine someone's session ID being sniffed and hijacked could have some not so nice consequences. If you need a SSL certificate, there's some really easy ways to get them for free, notably Let's Encrypt.
Guys, what are your thoughts about Let's Encrypt?
My firm recently bought a wildcard SSL cert for a LOT of money. I really think that Let's Encrypt could pave the way here compared to the current SSL cert providers.
Many interactive websites use Cache-Control: no-cache, so that loading a page will always return the most recent version of a page. Apparently, 14 years ago, Firefox was strongarmed by banks into breaking the back button for https pages that use no-cache.
With the now-public hard evidence of the NSA's activities, many are pushing for websites to use encryption. The Let's Encrypt initiative, for example. But even though modern computers are fast enough that the overhead of encryption is negligible, in Firefox https websites, such as Reddit, are much slower than http websites, because the back button spends a substantial fraction of a second reloading the page from the network. (Or several seconds, for slow connections and mobile devices.)
The rationale for the previous decision was that https indicated that a page contained especially sensitive information, and that, if the back button were allowed to reload no-cache https pages from the bfcache, people would access these especially sensitive pages on public computers, log out of the website, and not close the tab or the window, and then nefarious actors would be able to hit the back button and see the sensitive information.
But this is a very unusual scenario. It only affects people who access sensitive websites on public computers and refuse to follow best practices even when they are frequently reminded by the logout page itself. And even then, my experience with banking websites is that the information they contain is not particularly sensitive (unless you consider your account balance to be sensitive). Account numbers and credit card numbers are only shown as the last 2 or 4 digits, and actual actions, such as funds transfers or password changes, are not possible.
I do not think Firefox should be degrading the user experience of the vast majority in order to protect a tiny fraction of people who are using their computers incorrectly.
Check out Let's Encrypt. It should be available this year and makes certs pretty trivial. I've been using StartSSL and Comodo certs for SPDY for a while and I can't wait to migrate.
What technologies are you using?
Did you create a Github repository? If it is opensource, you could have more help from others.
For https cert you can use https://letsencrypt.org/, it's free and very easy to use if you are hosting on a linux server.
([link] website doesn't look clean.)
Get yourself a free SSL certificate. That way, people might feel a bit better while giving out their personal info.
That just doesn't look clean. Also clean that logo a bit I guess.
3. Obviously, ditch the "Book now", and those call buttons as they are now.
Indeed really crazy asking you to enter all that info in free text over the toobs.
Revolut site admins, if you're watching, [link] offers you free certificates if money is tight.
I personally run a raspberry pi that I use as my internal gateway for these services. I have nginx installed as a reverse proxy and I use letsencrypt.org to get my certs with certbot-auto as the client.
This solution can be used to front many services as a passthrough which offloads SSL.
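As an added illustration of the setup described above (example config, not the commenter's own), here is an nginx server pair that terminates TLS with a certbot-issued Let's Encrypt cert and passes traffic through to an internal service. It assumes a placeholder hostname home.example.org, certbot's webroot plugin writing challenges under /var/www/acme, and a backend listening on 127.0.0.1:8080; the /etc/letsencrypt/live/... paths are the ones certbot maintains.

```nginx
# Added example: nginx reverse proxy offloading TLS for one internal service.
# Assumptions: hostname home.example.org (placeholder), certbot webroot at
# /var/www/acme, backend on 127.0.0.1:8080.

server {
    listen 80;
    server_name home.example.org;

    # Keep HTTP-01 challenges reachable over plain HTTP so certbot renewals work.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name home.example.org;

    # Files certbot keeps current; fullchain.pem includes the intermediate.
    ssl_certificate     /etc/letsencrypt/live/home.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Plain HTTP to the backend; the proxy is the only TLS endpoint.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Additional services get their own server blocks with a different server_name and proxy_pass target, sharing the same challenge location pattern.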
Can we get a valid cert please? The website does have a login. So it should have SSL at LEAST on the login page. It's 2018, signed certs are free [link]
edit: referring to the forums. I and many others on the interwebs refuse to signup/login via clear text.
Private key. I don't really see the use case, though – Let's Encrypt allows revoking certs without the private key, so if for whatever reason you don't like what Github is doing you can nuke their cert.
I doubt they will in the future, either. From their FAQ:
>Let’s Encrypt offers Domain Validation (DV) certificates. We do not offer Organization Validation (OV) or Extended Validation (EV) primarily because we cannot automate issuance for those types of certificates.
So took a look after your comment, since I didn't remember seeing it, and found this for anyone else curious:
Wildcard certificates will be free and available globally just like our other certificates. We are planning to have a public test API endpoint up by January 4, and we’ve set a date for the full launch: Tuesday, February 27.
There are several ACME clients for Windows. [link]
I have never heard of browsers dropping them. Since Mozilla and Google are both large sponsors of them, it seems very, very unlikely.
funofficepools.com does not offer secure (encrypted) communications so please don't use a password/username combination you use on other sites since it's not being encrypted before being sent across the internet. Or maybe we can get them to fix this ([link] offers free certs).
EDIT: for those that want to know. I reached out to them and they have already made the switch to https, but have a few things left to do to get it fixed up. You may still see some errors on the page until it's completely done.
god damnit you beat me to it! Have an upvote. Here is the direct tweet, and here is the blog post from LE.
Every site needs SSL and then this is fairly moot (although I don't agree with this legislation at all, I think everybody should be encrypting all of their traffic anyways).
SSL Certs are free nowadays anyways. [link]
DO NOT CREATE AN ACCOUNT UNLESS IT'S WITH A 100% BURNER EMAIL/PASSWORD. This site, although appreciative that it was made, does not utilize TLS. Creating an account will result in password being sent plaintext over the web. Colblitz, consider [link] if you are going to encourage users to register/sign up, and be sure to be hashing passwords also.
All of our infrastructure is heavily secured, both physically and virtually.
Our root key material is kept offline in an unplugged HSM, stored in a tamper-evident bag, inside a strong safe, inside a secure dual-control room, inside another secure room, inside another secure room, inside a secure building. Backup copies are similarly secured. The passwords and keys to access the material are also stored safely.
Intermediate signing keys have similar protections but are obviously online rather than offline since they are signing certs and OCSP responses constantly. A lot of work goes into virtually securing the online signing HSMs.
We offer transparency regarding legal requests. We publish Legal Transparency Reports two times annually. To date, we have never received a request or demand of any kind from any government agency anywhere in the world for specialized or limited access. Here's our most recent Legal Transparency Report, published October 1, 2016:
--Josh (Executive Director)
Right. Anyway, Let's Encrypt relies on the IdenTrust root certificate, which is widely supported so our free certificates will work anywhere. That's what they say [link]
I'm guessing they were in a rush to compete with LetsEncrypt and got sloppy.
I can't tell what's worse, making such a blunder of a knockoff or attempting to retroactively steal your competition's brand.
Okay this may seem like a silly or pointless question, but what else are moronic mondays for?
I'm wondering if there's a meaning behind some of the letters in the names of the roots / intermediates of public certificate authorities. For example, G2 in "Google Internet Authority G2", X1 in "Let's Encrypt Authority X1" or EC1 in "Entrust Root Certification Authority - EC1"?
Are the letters solely for the purpose of making it possible to distinguish one certificate from another without comparing thumbprints? Do those letters have some meaning to any of the people responsible for including roots in their trusted root bundles?
> let me know what you guys think!
On it. Roll initiative.
Made it hot, so very hot http://cardinalsandcaverns.com/
Also, it's 2018, you're doing this for a resume, get thee an SSL cert. [link]
You seem to have things set up OK. One easy mistake to make early on is to over categorize your subforums. With a small set of users, it makes the place look empty.
Put some stuff on the calendar. Even if that's a "meet and greet" for 15 minutes every Tuesday at the student union (or whatever the fuck it's called these days) when you're there for lunch anyway. It makes it look like you have content and big things happening.
I hope that is constructive feedback. I used to play D&D, I review resumes in IT, and I've also run forums. Good luck!
[link] my dude
My company had to deal with that Symantec shit since all our certs were from GeoTrust. Not using Lets Encrypt for our corporate sites, but it's a pretty cool project I discovered out of the ordeal. They now issue more than 50% of certs on the web, IIRC.
Gee ... I wonder who would do that.
> "We're on a march towards HTTPS everywhere. Almost 70% of web traffic today is encrypted"
On a side note, my hosting service offers HTTPS, but for a fee. Does anybody else know a way to use Let's Encrypt on a hosting service?
Read about this:
Basically, Mozilla, Google, and a bunch of other companies (listed on the site) come together to make Let's Encrypt possible. Having https is free and easy mostly due to Let's Encrypt.
You can download and install the let's encrypt root CA.
On your device, go to [link]
download all the .der files (you probably won't need all of them)
go to settings -> security and privacy -> Certificates -> import
navigate to your downloads folder select one of the .der files, import
repeat for all the der files
you should be good to go
Letsencrypt does not allow a wildcard cert, but it does allow for multiple domains on one certificate. Just use multiple -d switches.
You can see in one of their examples that it is possible:
letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
No comment on the code, but the layout of your site is kind of breaking on my laptop: image. Chrome 47.0.2526.106, on arch linux. I can only see about 40 characters per line of the code without scrolling.
Also, small note, https for your domain returns a cert with CN for "*.inmotionhosting.com" and then 404s. I assume this is an artifact of your host, but if you are unaware, ssl certs are now free via Let's Encrypt. I realize you aren't really transporting anything necessarily requiring encryption, but if it's free, why not, right?
Ok, I've gotten this to compile on clang 3.7.0. But I had to change uint32 -> uint32_t. I'm not sure where 'uint32' is supposed to be defined. The type from "cstdint" (which isn't included) is uint32_t.
If the Beans don't want to buy an SSL certificate, there will soon be a free certificate authority, Let's Encrypt. The certificate authority is also already recognized by all browsers, since Let's Encrypt had itself certified by another certificate authority (IdenTrust). On December 3, Let's Encrypt also enters open beta.