Make web page access secure, for free!

Adam
Posts: 2240
Joined: Wed Oct 23, 2013 9:50 pm

Make web page access secure, for free!

Post by Adam »

The Internet Security Research Group has started a project called "Let's Encrypt". It is an automated system for issuing Domain Validation (DV) TLS certificates for free. You can then plug that certificate into Apache or whatever your web server is and support access via https. Hooray!

https://letsencrypt.org/

DV certs are the simplest type of TLS certificates which only assert ownership of a server at a domain. When you (the admin) run the tool, it will put up a special page which the Let's Encrypt servers will access via the Internet. If they can do that, you have proven you control the web server at that domain, so they issue you a certificate. The tool can also automatically incorporate it into your web server configuration for you for the right OS/web server combinations, specifically Debian and Apache.

Instructions here: https://letsencrypt.org/howitworks/
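
The validation step described in the post above, as an added example (not part of the original post and not Let's Encrypt's code): both sides of the "special page" check run against a local test server. It goes beyond the post by using the challenge path and key-authorization format from RFC 8555 (ACME HTTP-01); the token, key values and localhost server are constructed for illustration.

```python
import base64, hashlib, http.client, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/.well-known/acme-challenge/"  # challenge path defined in RFC 8555

def key_authorization(token, account_jwk):
    """token + "." + base64url(SHA-256 of the canonical JWK, RFC 7638).
    Assumes account_jwk holds only the required members for its key type."""
    canonical = json.dumps(account_jwk, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return token + "." + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def serve_challenge(token, body):
    """Admin side: publish the 'special page' on the server being validated."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            found = self.path == PREFIX + token
            self.send_response(200 if found else 404)
            self.end_headers()
            if found:
                self.wfile.write(body.encode())
        log_message = lambda self, *args: None  # silence per-request logging
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def ca_validate(host, port, token, account_jwk):
    """CA side: fetch the page over plain HTTP and compare with the expected value."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", PREFIX + token)
        resp = conn.getresponse()
        served = resp.read().decode().strip()
        return resp.status == 200 and served == key_authorization(token, account_jwk)
    except OSError:
        return False
    finally:
        conn.close()

def demo():
    token = "constructed-token-123"  # constructed sample values, not real ACME data
    owner = {"crv": "P-256", "kty": "EC", "x": "constructed-x", "y": "constructed-y"}
    server = serve_challenge(token, key_authorization(token, owner))
    host, port = server.server_address
    try:
        return (ca_validate(host, port, token, owner),                   # admin's account
                ca_validate(host, port, token, dict(owner, x="other")),  # different account
                ca_validate(host, port, "unknown-token", owner))         # nothing published
    finally:
        server.shutdown()
        server.server_close()
```

`demo()` returns `(True, False, False)`: the published value only validates for the account key that requested it, so a page put up for one account cannot be reused by another.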
kevm14
Posts: 15201
Joined: Wed Oct 23, 2013 10:28 pm

Re: Make web page access secure, for free!

Post by kevm14 »

Encrypting internet traffic that contains info which will appear on a public forum seems...silly. Or did I miss the point? Is this just something interesting to try?
Adam
Posts: 2240
Joined: Wed Oct 23, 2013 9:50 pm

Re: Make web page access secure, for free!

Post by Adam »

kevm14 wrote: Encrypting internet traffic that contains info which will appear on a public forum seems...silly. Or did I miss the point? Is this just something interesting to try?
You're silly.

But seriously, it is interesting to try. Also, logging in through a non-https connection means anyone on the network you are on could either see your password or grab your session cookie to be you. Not a huge deal as this isn't a bank, but still.
bill25
Posts: 2583
Joined: Thu Oct 31, 2013 2:20 pm

Re: Make web page access secure, for free!

Post by bill25 »

Right, Login and Register pages should always be HTTPS. HTTPS requires a certificate that you can get from Verisign and other reputable certificate companies. It isn't a lot, something like $100 a year. You can set the certificate for a page, or use the * to allow any page in your site to use it. Your links need to be absolute and be: https://www.blah.com/blah.blah for the data to be encrypted. It isn't automatic, your site has to have https in the link.

But yeah, free is better. In this case, it looks like you hold the certificate instead of another company. When I had a website and had any issues, I had to go through the cert company for modifications/tech support/renewal. Maybe a difference is that people have heard of Verisign and have a level of confidence when they see that whereas they may be more critical of this since it is new. Most people don't even know if their stuff is being encrypted.
Adam
Posts: 2240
Joined: Wed Oct 23, 2013 9:50 pm

Re: Make web page access secure, for free!

Post by Adam »

Verisign doesn't hold your certificate, they generate one and give it to you. It doesn't matter who has heard of the certificate authority, as long as they are in your root store the page encryption just works and the whole process is transparent to the page visitor.

Yes, a DV certificate asserts less verification than a standard cert or an Extended Validation cert, but that doesn't make the https session any less secure. Any certificate signed by any trusted root allows your browser to set up a secure session with the web server using the most secure cipher both endpoints agree on (which is not tied to the cert type or issuer, but the configuration of the client and server).

Let's Encrypt's root certificate is now in all the major root stores including the one in Windows (used by IE and Chrome) and the one in the Netscape Security Suite that Firefox brings along.

The whole point of this system is there is an automated mechanism to get a free DV cert, which makes it very easy to offer secure access to your page.
Adam
Posts: 2240
Joined: Wed Oct 23, 2013 9:50 pm

Re: Make web page access secure, for free!

Post by Adam »

As far as links go, there are ways to configure the web server to return a secure page if a session already exists, even with a non-https link, in addition to forcing all access to any page on the site to be done via https rather than http. That can be done later, the first step is to get a certificate and tell the web server to use it.
bill25
Posts: 2583
Joined: Thu Oct 31, 2013 2:20 pm

Re: Make web page access secure, for free!

Post by bill25 »

Adam wrote: Verisign doesn't hold your certificate, they generate one and give it to you. It doesn't matter who has heard of the certificate authority, as long as they are in your root store the page encryption just works and the whole process is transparent to the page visitor.
You are right. I was going through a Cloud hosting company, and since they owned the hardware, they held and managed the cert. I wasn't working directly with VeriSign. Sorry about the misinformation. The tickets went to the Cloud hosting company and they applied the cert and had different pricing for root and specific pages. I did root, so that I could use encryption on any page I felt necessary. We used GearHost. They were pretty good and had pretty decent tech support.

https://www.gearhost.com/

People can see who issued the certificate if they want though. You just click the lock in the browser address bar and it shows the certificate info. For Outlook/Hotmail, it shows VeriSign Class 3 Public Primary Certification Authority. Granted, most people don't check that.
kevm14
Posts: 15201
Joined: Wed Oct 23, 2013 10:28 pm

Re: Make web page access secure, for free!

Post by kevm14 »

I've been using these guys since late 2006 (wow).

https://www.dreamhost.com/
Adam
Posts: 2240
Joined: Wed Oct 23, 2013 9:50 pm

Re: Make web page access secure, for free!

Post by Adam »

cPanel has added one-click integration for Let's Encrypt!

https://blog.cpanel.com/announcing-cpan ... sl-plugin/

Have you done this yet? Or more specifically, has your hosting provider integrated this yet?