https certificates?

pau1ie
Posts: 272
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

https certificates?

Postby pau1ie » Tue Mar 28, 2017 9:28 am

It worries me a little that this website doesn't have a https certificate. This leaves users at risk of session hijacking and possibly password sniffing when they are on wifi hotspots e.g. at meetups.

Have you considered using Let's Encrypt? I set it up on my own website. It is free. Once you get it working, it requires no intervention. There is a cron job which checks if you need a new certificate periodically and updates it automatically if you do.

I found the install script broke my configuration, but this was many months ago so it might be fixed by now. I think it may have been confused because I had already configured https for a purchased certificate. Anyway, it was quite easy to recover and make the changes manually. The automatic update works fine though.
I'm working on http://bbcmicro.co.uk

danielj
Posts: 5136
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Tue Mar 28, 2017 9:37 am

I'd hope that no one used a password on here that they used on anything important (as it's just a forum). HTTPS did cost money but I'll have a look at what you've suggested there, it looks interesting!

d.

1024MAK
Posts: 6678
Joined: Mon Apr 18, 2011 4:46 pm
Location: Looking forward to summer in Somerset, UK...

Re: https certificates?

Postby 1024MAK » Tue Mar 28, 2017 11:47 am

World of Spectrum forums changed to https not long ago.
Worth looking into me thinks.

Mark
For a "Complete BBC Games Archive" visit www.bbcmicro.co.uk NOW!
BeebWiki - for answers to many questions...

Prime
Posts: 2301
Joined: Sun May 31, 2009 11:52 pm

Re: https certificates?

Postby Prime » Tue Mar 28, 2017 12:56 pm

danielj wrote:I'd hope that no one used a password on here that they used on anything important (as it's just a forum). HTTPS did cost money but I'll have a look at what you've suggested there, it looks interesting!

Self signed certificates would work if web browsers didn't try and scare you into thinking that it automatically means the site has been hacked.

Cheers.

Phill.

roland
Posts: 2779
Joined: Thu Aug 29, 2013 8:29 pm
Location: Born (NL)

Re: https certificates?

Postby roland » Tue Mar 28, 2017 1:15 pm

If setting up the Let's Encrypt certificates on this platform is too much work, I'm willing to donate a Comodo PositiveSSL certificate for three years.
256K + 6502 Inside
MAN WOMAN :shock:

sbadger
Posts: 203
Joined: Mon Mar 25, 2013 1:12 pm
Location: Farnham, Surrey

Re: https certificates?

Postby sbadger » Fri Apr 07, 2017 8:48 am

Just pointing out, Let's Encrypt might not be the best choice right at the moment. There is a fair chance they could face revocation of their trusted root CA in some browsers/OSs.

https://slashdot.org/story/17/03/25/2222246/over-14k-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites
A3020 | BBC B x2 | Electrn | Master | RPi x3
A600 | C64 "breadbox"| C64 C | XB360 | GB | GBC | GBA | GBASP | DS | 3DS XL & new | MD | MS
Atari 7600 | PS1-2-3-4 | PSP | Vita | SNES | GC | N64 | Wii & U | Switch | Jamma Cab | Sony PVMx2

BigEd
Posts: 1393
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: https certificates?

Postby BigEd » Fri Apr 07, 2017 10:20 am

Sounds faintly likely that that news story is promoted by a business which is threatened by Let's Encrypt. It's not at all obvious that Let's Encrypt did anything wrong: it's their job to issue certs to orgs which own domain names, not their job to control which domain names orgs own. (EV certs are a different case, they demand higher standards, but they are not part of this story.)

pau1ie
Posts: 272
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Postby pau1ie » Fri Apr 07, 2017 5:53 pm

sbadger wrote:There is a fair chance they could face revocation of their trusted root CA in some browsers/OSs

I can't see any suggestion of that in the story linked to from the slashdot article.

paulv
Posts: 3547
Joined: Tue Jan 25, 2011 6:37 pm
Location: Leicestershire

Re: https certificates?

Postby paulv » Fri Apr 07, 2017 8:13 pm

I have several clients that have tried the Let's Encrypt route and all but one has gone back to a more traditional certificate because they've found that many browsers simply aren't happy with the Let's Encrypt certs.

I'd be quite happy to chip in to an SSL certificate fund if there was such a thing. These days Comodo certs aren't that expensive for 2 and 3 year time spans.

This brings me onto another related question. Has it ever been considered that a "donate" link be put on the site somewhere in order to allow members to donate funds for the explicit use of hosting and upkeep of the site?

I used to be able to contribute more of my time to the forums and if I could manage it, I still would but these days, contributing to the community in other ways is more practical for me.

Paul

sweh
Posts: 1833
Joined: Sat Mar 10, 2012 12:05 pm
Location: New York, New York

Re: https certificates?

Postby sweh » Sat Apr 08, 2017 12:36 pm

There are no requirements on CAs that issue DV (domain verified) certificates to prevent phishing certs. LetsEncrypt are fully compliant with the CA/B Forum standards. I haven't heard anything about the major browsers planning on untrusting LE.

FWIW, https://www.sweharris.org/post/2017-03- ... nsparency/ explains why I think the CAs _can't_ solve this problem (typosquatting) and the sheer size of the attack surface (PayPal seems an obvious one, but what about the gazillions of banks and shopping sites?).

I'm not the only security person to think this way; e.g. Scott Helme (he's a recognised name in the industry) https://scotthelme.co.uk/lets-encrypt-a ... ey-should/

To solve it at the CA level would mean, effectively, that DV certs would need to go away and every cert become an EV (Extended Validation) cert costing many $$$. Over 50% of all traffic is now encrypted ( https://www.troyhunt.com/https-adoption ... ing-point/ ).

The solution needs to be at the browser level where the UI lives; stop using the word "secure" for SSL sites, because the certificate is NOT a proof of entity of the person/company behind the site.

FWIW, most "LE certs are not trusted" issues are due to misconfiguration on the server (e.g. not including the chaining cert). You can test the server configuration at https://www.ssllabs.com/ssltest/ (I get an A+ for my site; https://www.sweharris.org/post/2016-10-16-ssl-score/ )

LE certs are cross-signed by "DST Root CA X3" which is in most browsers these days. Some older Java systems (Java 6!) don't have the cert. Full details at https://community.letsencrypt.org/t/whi ... crypt/4394
Rgds
Stephen
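The "chaining cert" misconfiguration described in the post above, reproduced offline as an added example (not code from the thread or from any poster). It builds a throw-away root, intermediate and server certificate with the openssl command-line tool (assumed installed; every name is constructed) and shows that the server cert only verifies against the root when the intermediate is supplied, which is exactly what a server that serves only its leaf certificate fails to provide.

```shell
#!/bin/sh
# Added example: demonstrate why a server must send the intermediate
# ("chaining") certificate. Assumes the openssl CLI is available.
set -e
work=$(mktemp -d)
cd "$work"

# 1. Self-signed root: the only certificate a client keeps in its trust store.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Constructed Example Root" -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate signed by the root, marked as a CA so it may sign the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > int.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Constructed Example Intermediate" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 2 -sha256 -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile int.ext -out int.pem 2>/dev/null

# 3. Server (leaf) certificate signed by the intermediate, as a public CA does.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:forum.example\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=forum.example" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -sha256 -in leaf.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# Server that sends only leaf.pem: the client holds the root but cannot
# link the leaf to it, so validation fails (the "cert not trusted" symptom).
leaf_alone_verifies() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Server that also sends int.pem (the content of a fullchain file): the
# client can now walk leaf -> intermediate -> trusted root.
leaf_with_chain_verifies() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

if leaf_alone_verifies; then echo "leaf alone: trusted (unexpected)"
else echo "leaf alone: NOT trusted - intermediate missing"; fi
if leaf_with_chain_verifies; then echo "leaf + intermediate: trusted"; fi
```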

pau1ie
Posts: 272
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Postby pau1ie » Sat Apr 08, 2017 6:20 pm

I use Let's Encrypt for my family's ownCloud installation. We have not noticed any browser that doesn't trust it by default, though I haven't searched extensively. We use it from home and work on several OSes including mobile devices. If you look at the sponsors, they are actually sponsored by at least two browser developers, Chrome and Mozilla, and a number of hosting companies, as well as big names like Facebook and Cisco.

For me the big plus of Let's Encrypt was the automated renewal. Buying a cert is a rather manual process with a hard end date, and Murphy dictates it will occur when you are busy for some reason. With Let's Encrypt I don't have to worry about it: the certificate has been changed about three times since I went to them, and I didn't have to do a thing. I wouldn't have even noticed if I hadn't checked the expiration date periodically. I realise people might assume that since it is free you get what you pay for, but I really think it is superior to other options for this reason.

Like paulv I am grateful to those who donate their time and money to keep these forums running. They bring me a lot of pleasure, and I think the role in preserving the history of British Computing can hardly be understated. Thank you!

paulv
Posts: 3547
Joined: Tue Jan 25, 2011 6:37 pm
Location: Leicestershire

Re: https certificates?

Postby paulv » Sun Apr 09, 2017 8:56 am

I should qualify my statement by saying I've not had contact with Let's Encrypt certs for several months so browser support may well have been improved through addition of the CA to the accepted browser lists.

As a software developer, I encountered even more issues with Let's Encrypt users because of Java JVMs not having the CA certs installed in their keystore on production machines, so when sites switch over to Let's Encrypt, the CA certs need to be loaded into the relevant keystores. On production machines where there are deployment cycles, this can take *weeks* with some organisations to get sorted because of their insistence on deploying any and all changes to a test site before going to a staging site and finally moving everything into production. Whilst I understand this process is necessary for thorough testing, I tend to think that adding a cert to a key store is one of those things that could be done without too much fuss directly in production environments.

Paul

pau1ie
Posts: 272
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Postby pau1ie » Sun Apr 09, 2017 9:04 pm

I had the same problem with the JVM not trusting a certificate issued by QuoVadis. I assume Oracle do a half-hearted job with the JVM, and the administrators have to sort out the rest. This problem isn't limited to Let's Encrypt. My guess is that browsers are targeted at users who require hand-holding, but the JVM is targeted at administrators who know what they are doing.