SSL Certificates

Anyone know about SSL certificates for a web site? I'm trying to help a friend who had a web site for his non-profit and I don't quite understand the details. The web hosting provides a certificate which I copied to Cpanel and it says it is installed, but opening the web page still reports a problem with security.

At this point I'm guessing this has to do with the fact that the certificate is not issued by an authority, but rather self signed. I found a site that gives out 90 day free certificates and installed one. Just typing the web site URL doesn't show a safe site, but typing https: manually does, however the web site doesn't work correctly. The initial page has some sort of fancy dancy animated text that doesn't work and you can't get past that.

I've reached the limits of what I can figure out. Any web page gurus out there who can offer some advice?

The web page is coldwatersafety.org

--
Rick C. 

- Get 1,000 miles of free Supercharging 
Reply to
Rick C

OK, you need to create a public and a private key. Then, the keys are placed somewhere where the web server can access it. Then, the web server needs to be given the file paths to these files. Yes, I think most browsers now require an authoritatively signed SSL certificate.

First thing to do is use one of the online SSL checkers. Just Google for "check SSL " and a bunch come up. Click on one and enter the URL and see what it says. Yes, I see it shows as NOT vendor signed. The web page does seem to work on my Firefox system without complaint.

Then, if you want to set up an official signed SSL cert, you will have to choose one of the bigger signing outfits like GoDaddy and pay them an exorbitant fee for a totally automated online service that takes their computer a millisecond to process, every 2 years or so. Yes, it is a scam.

Jon

Reply to
Jon Elson

It works if I force encryption with https://. Your home page (and entire site) should translate http:// -> https://

However, that's not enough because you have parts of the site going out to insecure web sites. When I click on the "lock" icon in Firefox, it proclaims that: Connection Secure Verified by ZeroSSL Firefox has blocked parts of this page that are not secure

So basically, what you need to do is check the box on whatever management interface the web site is using and tell it to translate

*ALL* http:// requests to https:// and I think you'll be ok.

SSL check: (The test takes about 7 minutes. Patience). IPv4 and IPv6 both show that SSL is working "grade A".

Also, check TLS with one of these: such as: which says you're ok. Make sure TLS 1.0 is *NOT* enabled.

Good luck.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Reply to
Jeff Liebermann


Thanks. Yeah, when I do that it shows as all good, three different sites. Is there some delay in spreading the certificates like when you change name servers? Anyway, the other problem remains where entering a simple coldwatersafety.org gives the non-secure access and so browser complaints. Typing the https: at the beginning of the url doesn't give the complaints, but the page doesn't function completely.

--
Rick C. 

+ Get 1,000 miles of free Supercharging 
Reply to
Rick C

You will also need to change all hard coded links, and links to off-site URLs, to https://

Lots of clues on how it's done: This looks tolerable even if it's 5 years old: "How to Migrate from HTTP to HTTPS - Complete Guide"

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Reply to
Jeff Liebermann

I use

formatting link
but I don't use cpanel.

The server should be configured to redirect http to https. Something like return 301 https://$host$request_uri; in the vhost file but don't ask me how to do that on cpanel and LiteSpeed is not a web server I've used before.

You might also want to look into why you get an F here:

formatting link

You will likely achieve success only when someone who understands and has direct access to the web server configuration takes a look. So my advice would be to ask the web host to do it for you. Most web hosts have people who know what they're doing with ssl and web server configuration and if they don't then find another host.

Reply to
Edward Rawde

Thanks, at this time no one qualified is available to help us with those issues. Maybe I can get the friend who originally designed the site to work on it some more.

--
Rick C. 

-- Get 1,000 miles of free Supercharging 
Reply to
Rick C


This is on my hosting account. I don't know how my provider could afford to support customers with things like this for the few bucks a month they are getting. They have some FAQ pages and such, but they all assume a certain level of knowledge. Something way beyond my level is going on with the main page that the source has the text that is displayed on an overlay that is removed, kinda like a popup on the page, but I can't find the text that is displayed behind the popup which you see once it goes away. So there are some links I can't even find.

I wouldn't mind working on this, it could be educational, but I'm slammed with work on the ventilator project... which I become more disenchanted with every day. The guy designing the power supply board is starting work on layout without having a design review and I know there are functions missing. The project leader doesn't even know what a design review is. He thought it was a document that I could prepare for them. The other board designer said that we've been reviewing it as each part is added!!!

Whatever. I need to finish the part of the FPGA I'm working on and then I can retire with dignity.

--
Rick C. 

-+ Get 1,000 miles of free Supercharging 
Reply to
Rick C

In Firefox right click and Inspect Element.

Reply to
Edward Rawde

That could be a fault in the rewrite rules.

Turns out that you can also do it for free. I don't understand the details (or it is possible that someone else pays for it).

These guys will do you a certificate for a not-for-profit organisation. I only found out about it because the autorenewal went haywire and the society I maintain the website for suddenly gave me loads of security warnings. I didn't have to do the renewal myself so I know no more than the URL where the "could not renew free certificate" error message came from:

formatting link

This means that the only thing that https: now guarantees is that no-one (apart from possibly GCHQ) can read your web traffic - but the other end may be any scammer at all that has pretended to be a not for profit group (in addition to whatever criminal enterprise they are up to).

--
Regards, 
Martin Brown
Reply to
Martin Brown

There is no intrinsic cost to making an SSL certificate - it's nothing but a couple of numbers.

There /is/ a cost to checking the identity and details of a person claiming to represent a company. There is a value in putting a cost on certificates - it means people will get them if they really want them, but won't make masses of them.

They do free certificates for anyone - businesses too, because their process is fully automated. They don't do the more advanced and higher level certificates that show a higher level of trust - if you are a bank, or a website selling something expensive, then Let's Encrypt certificates are not really "strong" enough. But they are absolutely fine for most people.

They avoid the time-consuming checking of people's identities by issuing certificates for a domain name only after they have checked that you control that domain name.

Reply to
David Brown


That "level" of effort is to receive an email and paste a confirmation number on a web page. That's what I had to do. The security is about assuring comms with the web site are actually with the legit web site rather than with some third party. It doesn't validate anything about the identity of the person requesting the certificate. There may be more done with some certs than others, but either your cert is "good enough" or it isn't. The sites I checked out charge for and may have more strict verification, but the major difference seems to have to do with size of the blanket the certs provide. I didn't go into much detail once I saw the price tags. It would be cheaper to just become a certifying organization. Do you think Google doesn't self certify?

How do "levels" of certification work? If your url has "bank" in the name it has to have a different level of cert? Where is any of this enforced?

Yes, there is no verification of the person, just the email account. I used snipped-for-privacy@coldwatersafety.org. I'm going to try to get the email address snipped-for-privacy@google.com. ;-)

--
Rick C. 

+- Get 1,000 miles of free Supercharging 
Reply to
Rick C

Short answer is that they don't now. You get the same reassuring green padlock that the great unwashed have been told to look out for either way. It used to require the scammers to at least buy an SSL certificate.

I guess it does no harm to use encryption on the web connection. The site I ran into problems with is essentially all hobby images of plants and has absolutely no e-commerce content whatsoever.

The most they can do is send webmaster an email saying that plant name is wrong or asking for a plant ID. Nothing that requires any security.

--
Regards, 
Martin Brown
Reply to
Martin Brown

Check out letsencrypt.org - they run a high-level certificate authority, provide basic web-site certs for free (with an automated install-and-renew feature) and their CA is accepted by modern browsers. A lot of sites use their certificates.

There is one possible down-side to using their certs. Their CA isn't accepted directly by many older browser versions (it didn't exist when those browser versions were released). To work around this, they arranged to have their root certificate cross-signed by another (long-established) certificate authority. However, that cross-signing agreement is going to lapse within the next year, and after that, SSL certs issued by LetsEncrypt may not be accepted by (e.g.) old versions of Android on old phones that are no longer being updated.

Reply to
Dave Platt

Basically all you need to do is delete all the http: and https: from the page. The browser will use the same scheme that it loaded the page with if the reference does not specify a scheme.

--
  Jasen.
Reply to
Jasen Betts
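The mixed-content problem Jeff describes (Firefox blocking the insecure parts of an https page), his advice to rewrite hard-coded links, and Jasen's scheme-relative alternative can all be checked mechanically. This is an added example, not code from anyone in the thread: it scans a constructed sample page for http:// subresources and rewrites them either way; the host names in the sample are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that load subresources into the page. Browsers block "active" mixed content
# (scripts, stylesheets, frames) outright and only warn on or auto-upgrade "passive"
# content (images, media). Plain <a href> links are navigation, not mixed content,
# but they still send visitors back to the http:// site, so the rewriter fixes them too.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page, not the real site: one stylesheet, one script and one image
# are hard-coded to http://, one script is already https and one frame is scheme-relative.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/anim.js"></script>
<script src="http://cdn.example.net/fancy-text.js"></script>
</head><body>
<img src="http://www.example.org/logo.png">
<a href="http://www.example.org/about.html">About</a>
<iframe src="//maps.example.com/embed"></iframe>
</body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            key = (tag, name)
            if value and (key in ACTIVE or key in PASSIVE):
                if urlsplit(value.strip()).scheme == "http":
                    kind = "active" if key in ACTIVE else "passive"
                    self.findings.append((tag, value.strip(), kind))

def find_mixed_content(html):
    """Return every http:// subresource reference that an https page would complain about."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Matches src="http://, href='http://, data="http:// (the attribute and its quote stay in group 1).
_HTTP_REF = re.compile(r'((?:src|href|data)\s*=\s*["\'])http://', re.IGNORECASE)

def upgrade_references(html, scheme_relative=False):
    """Rewrite hard-coded http:// references: to https:// (Jeff's advice) or, with
    scheme_relative=True, to //host/path so the browser reuses the page's own scheme
    (Jasen's advice). Either way the referenced host must itself serve https, which is
    what the scanner's list tells you to go and verify."""
    replacement = r"\1//" if scheme_relative else r"\1https://"
    return _HTTP_REF.sub(replacement, html)

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE):
        print(f"{kind:7} {tag:6} {url}")
    print(find_mixed_content(upgrade_references(SAMPLE)))   # [] once everything is upgraded
```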

That is almost correct.

Let's encrypt certificates validate that you have control of the domain name. In order to get a certificate, you have to run a small server program on your system and have the domain name resolution, port forwards, etc., point into that server. That means - barring major security c*ck-ups - the person/people running the program to get the certificate also run the real webserver or other server programs. And that's all the certificate and the SSL checking can confirm - it shows that the end user is talking to the site they think they are talking to.

When you get a certificate via a cheap webhosting provider, the level of control is not much different - the owner of the hosted website has an identifying email address, user name and password, and this is used for control of the hosted web page and for issuing the SSL certificate. These providers won't issue a certificate for domain names they do not control, because they can't confirm the identities.

Some certificate authorities also offer "extended validation" certificates. These are "more secure", in that they require a lot more checking and control before they are issued, to make sure that they are only issued to the right people. And they cost much more, making them less attractive to anyone who is not serious about it. These /do/ validate identities, and are appropriate for more demanding use-cases (like banks).

There are different variations of certificates for handling single domains (domain.com), sub-domains

formatting link
multiple sub-domains, wildcards (*.domain.com), etc. Some providers charge different fees for the different variations.

For the solid majority of use-cases, Let's Encrypt is all you need - and it is entirely free. You get the certificate for the domains and sub-domains you pick, assuming you control those domains and can run the Let's Encrypt scripts. You don't get wildcard certificates, but if you want to add a new subdomain to your list, you just add it and re-run the program - it's a few minutes effort.

No, there is no connection to the domain name - nor are there any requirements or enforcements here. Some browsers (unfortunately not all) give an indication in the address bar, or "padlock icon", of different certificate levels. Other than that you have to check the details yourself, which of course loses the point a little. (It's usually very easy to see that a certificate is self-signed, and therefore effectively worthless.)

Good luck with that one!

Reply to
David Brown
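As an added illustration (not part of David's post and not Let's Encrypt's own client code), this Python sketch simulates the domain-control check he describes in the style of ACME's HTTP-01 challenge: the CA hands out a random token and then fetches the expected answer back over plain HTTP from whatever server the name points at. It assumes a localhost port stands in for the address DNS would resolve to and a fixed hash stands in for the account-key thumbprint.

```python
import hashlib
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# --- Site operator's side: the "small server program" that answers challenges. ---
published = {}   # token -> key authorization the operator has agreed to serve

class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        token = self.path[len(CHALLENGE_PATH):] if self.path.startswith(CHALLENGE_PATH) else None
        body = published.get(token)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):   # keep the demo quiet
        pass

def start_site():
    """Bind the challenge server to a free localhost port (stand-in for the host DNS points at)."""
    srv = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

# --- CA's side: issue a random token, then fetch it back from the name's address. ---
def key_authorization(token, account_thumbprint):
    # HTTP-01 expects "<token>.<thumbprint of the account key>", so only the account
    # that requested the challenge can produce the body the CA is looking for.
    return f"{token}.{account_thumbprint}"

def ca_validate(site_base_url, token, account_thumbprint):
    try:
        with urlopen(site_base_url + CHALLENGE_PATH + token, timeout=3) as resp:
            return resp.read().decode().strip() == key_authorization(token, account_thumbprint)
    except OSError:          # connection refused, 404, timeout: control of the name not shown
        return False

def run_challenge(operator_controls_server):
    """Simulate one challenge; True only when the operator published the right answer."""
    srv = start_site()
    base = f"http://127.0.0.1:{srv.server_port}"
    token = secrets.token_urlsafe(32)
    thumbprint = hashlib.sha256(b"constructed account key").hexdigest()  # placeholder, not a real JWK thumbprint
    if operator_controls_server:
        published[token] = key_authorization(token, thumbprint)
    try:
        return ca_validate(base, token, thumbprint)
    finally:
        srv.shutdown()
        srv.server_close()
        published.pop(token, None)
```

The second case models a requester who does not control the server the name resolves to: the CA's fetch gets a 404 and no certificate is issued.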

Let's Encrypt don't know who you are, but they know you have control of the domain name and therefore any services connected to it. Does it matter if you are who you say you are, if you already have control of the domain? (When you buy a domain name, you have to pay for it, and you have to register it - with a contact name, address, telephone number, etc., as well as an email address.)

A normal (i.e., not an extended) SSL certificate only confirms that you are accessing the site you think you are. It confirms that when you point your browser at "

formatting link
", the communication is encrypted and the end point is the address pointed at by the DNS resolution for that address (or something forwarded internally after that). You know it is not someone using a man-in-the-middle attack with a proxy that is hijacking the traffic.

Let's Encrypt does that job fine.

Reply to
David Brown

And the checking on that data by most hosting organisations is precisely nil so long as your dollars are green and in the right quantities.

Some you can even pay anonymously via Paypal or Bitcoin.

Oh yes. But the way the general public have been told is that only legitimate retailers will have the green padlock. This is not true and never has been the case. Legitimate retailers *will* have a secure website but then so will any reasonably sophisticated scammer.

One thing that search engines should be forced to do is where there is a hit in the .gov hierarchy no paid for scam adverts on the same keywords should be allowed to sit above it in the search results.

That would stop the fake HMRC, visa waiver sites etc. in their tracks. Too many people get ripped off by these sites selling access to free government websites (or worse taking the money and doing nothing).

--
Regards, 
Martin Brown
Reply to
Martin Brown

Again - it does not /matter/. If I try to register

formatting link
or perhaps
formatting link
or
formatting link
there is no checking. That is normal for the way the internet and domain names work. If Rick's company is big enough that these things matter to them, then it is up to them to register lots of domain names that people might use to access the site. If it is /really/ big, then it will sue people who have tried to register related names in order to con people or confuse them.

If I have a domain name hosted at a provider, that provider will sell me an SSL certificate for that domain name. The provider will /not/ sell me a certificate for a domain name that they don't know I own.

Any provider that does not do such basic checking - matching the customer name and email addresses they have on register to the domain name they handle, or checking that the domain name is hosted by that provider, will quickly get abused by someone trying to buy an SSL certificate for "

formatting link
". And this will quickly lead to the provider's own certificates being revoked, thus invalidating every certificate they have issued, and putting them out of business. That's how the "chain of trust" works.

So, again - if you own a domain name, you can easily get an SSL certificate for that domain (free from Let's Encrypt and a couple of other sources, paid-for from many places). If you do not own the domain in question, you cannot easily get an SSL certificate for it. (You can make a self-signed one, but anyone who meets the certificate will get big warnings from their browser.) The system is not foolproof, and mistakes happen through incompetence, accident, and hacking. But on the whole it works pretty well.

A sophisticated scammer can easily get a green padlock for a domain name that looks like the one they are scamming - but not for the real name. So users need to check that the address is "

formatting link
" and not "
formatting link
". The point of SSL certificates is not to stop that kind of scamming (since it's basically impossible), but to ensure the scammer can't put their own site intercepting "
formatting link
" without the user noticing the lack of a green padlock. (Browsers complain loudly when the certificate is not valid and signed.)

SSL certificates do not magically make the internet a safe place. But they do solve one part of the problem, reasonably simply and efficiently.

So if there is a government site (whose government, by the way? .gov is primarily used by the US government, not other countries) that deals with cars, that should take precedence over all other websites if you have a search involving the word "car"? There will surely be dozens of such government-related sites that trigger on "car", even if you only count a single country. Yet you want them all to fill the search results page for "where can I buy a new car?" ?

I appreciate what you are trying to suggest here, but I don't think there is a simple or practical solution.

I agree this is a bad thing. I don't think it can be stopped by search engines like this - at least not as a general rule. (Perhaps specific rules could be used for specific cases.)

Reply to
David Brown

They ensure that no-one can interpret the data exchanged between a browser and an encrypted platform (GCHQ/NSA possibly excluded).

They could do a lot more to prevent this sort of thing:

I could do the same sort of search for ETSA Visa Waiver and get the same:

OK it does say "Ad" in small letters but a scammer site is at #1. First that most people know that they have been had is when they are denied boarding on a flight to the USA. I don't know offhand if the current top advert is one that merely overcharges or takes the money and runs. The latter do get taken down *eventually* but it must be profitable or they wouldn't do it.

--
Regards, 
Martin Brown
Reply to
Martin Brown
