https certificates?

[pau1ie]

It worries me a little that this website doesn't have a https certificate. This leaves users at risk of session hijacking and possibly password sniffing when they are on wifi hotspots e.g. at meetups.

Have you considered using Let's Encrypt? I set it up on my own website. It is free. Once you get it working, it requires no intervention. There is a cron job which checks if you need a new certificate periodically and updates it automatically if you do.

I found the install script broke my configuration, but this was many months ago so it might be fixed by now. I think it may have been confused because I had already configured https for a purchased certificate. Anyway, it was quite easy to recover and make the changes manually. The automatic update works fine though.

[danielj]

I'd hope that no one used a password on here that they used on anything important (as it's just a forum). HTTPS did cost money but I'll have a look at what you've suggested there, it looks interesting!

d.

[1024MAK]

World of Spectrum forums changed to https not long ago.
Worth looking into me thinks.

Mark

[Prime]

I'd hope that no one used a password on here that they used on anything important (as it's just a forum). HTTPS did cost money but I'll have a look at what you've suggested there, it looks interesting!

Self signed certificates would work if web browsers didn't try and scare you into thinking that it automatically means the site has been hacked.

Cheers.

Phill.

[roland]

If setting up the Let's Encrypt certificates on this platform is too much work, I'm willing to donate a Comodo PositiveSSL certificate for three years.

[sbadger]

Just pointing out, lets encrypt might not be the best choice right at the moment. There is a fair chance they could face recovation of trusted root CA in some browers/OSs

https://slashdot.org/story/17/03/25/2222246/over-14k-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites

[BigEd]

Sounds faintly likely that that news story is promoted by a business which is threatened by Let's Encrypt. It's not at all obvious that Let's Encrypt did anything wrong: it's their job to issue certs to orgs which own domain names, not their job to control which domain names orgs own. (EV certs are a different case, they demand higher standards, but they are not part of this story.)

[pau1ie]

There is a fair chance they could face recovation of trusted root CA in some browers/OSs

I can't see any suggestion of that in the story linked to from the slashdot article.

[paulv]

I have several clients that have tried the Let's Encrypt route and all but one has gone back to a more traditional certificate because they've found that many browsers simply aren't happy with the Let's Encrypt certs.

I'd be quite happy to chip in to an SSL certificate fund if there was such a thing. These days Comodo certs aren't that expensive for 2 and 3 year time spans.

This brings me onto another related question. Has it ever been considered that a "donate" link is put on the site somewhere in order to allow members to donate funds for the explicit use of hosting and upkeep of the site?

I used to be able to contribute more of my time to the forums and if I could manage it, I still would but these days, contributing to the community in other ways is more practical for me.

Paul

[sweh]

There are no requirements on CAs that issue DV (domain verified) certificates to prevent phishing certs. LetsEncrypt are fully compliant with the CA/B Forum standards. I haven't heard anything about the major browsers planning on untrusting LE.

FWIW, https://www.sweharris.org/post/2017-03- ... nsparency/ explains why I think the CAs _can't_ solve this problem (typosquatting) and sheer size of the attack surface (paypal seems an obvious one, but what about the gazillion of banks and shopping sites?).

I'm not the only security person to think this way; eg Scott Helme (he's a recognised name in the industry) https://scotthelme.co.uk/lets-encrypt-a ... ey-should/

To solve it at the CA level would mean, effectively, that DV certs would need to go away and every cert become an EV (Extended Validation) cert costing many $$$. Over 50% of all traffic is now encrypted ( https://www.troyhunt.com/https-adoption ... ing-point/ ).

The solution needs to be at the browser level where the UI lives; stop using the word "secure" for SSL sites, because the certificate is NOT a proof of entity of the person/company behind the site.

FWIW, most "LE certs are not trusted" issues are due to misconfiguration on the server (eg not including the chaining cert). You can test the server configuration at https://www.ssllabs.com/ssltest/ (I get an A+ for my site; https://www.sweharris.org/post/2016-10-16-ssl-score/ )

LE certs are cross-signed by "DST Root CA X3" which is in most browsers, these days. Some older java systems (java 6!) don't have the cert. Full details at https://community.letsencrypt.org/t/whi ... crypt/4394

[pau1ie]

I use lets encrypt for my family's owncloud installation. We have not noticed any browser that doesn't trust it by default, though I haven't searched extensively. We use it from home and work on several OSes including mobile devices. If you look at the sponsors, they are actually sponsored by at least two browser developers - Chrome and Mozilla, and a number of hosting companies. Also big names like Facebook and Cisco.

For me the big plus of lets encrypt was the automated renewal. Buying a cert is a rather manual process with a hard end date and Murphy dictates it will occur when you are busy for some reason. Lets encrypt I don't have to worry about, the certificate has been changed about three times since I went to them, and I didn't have to do a thing. I wouldn't have even noticed if I hadn't checked the expiration date periodically. I realise people might assume that since it is free you get what you pay for, but I really think it is superior to other options for this reason.

Like paulv I am grateful to those who donate their time and money to keep these forums running. They bring me a lot of pleasure, and I think the role in preserving the history of British Computing can hardly be understated. Thank you!

[paulv]

I should qualify my statement by saying I've not had contact with Let's Encrypt certs for several months so browser support may well have been improved through addition of the CA to the accepted browser lists.

As a software developer, I encountered even more issues with Let's Encrypt users because of Java JVM's not having the CA certs installed in their keystore on production machines so when sites switch over to Let's Encrypt, the CA certs need to be loaded into the relevant keystores. On production machines where there are deployment cycles, this can take *weeks* with some organisations to get sorted because of their insistence on deploying any and all changes to a test site before going to a staging site and finally moving everything into production. Whilst I understand this process is necessary for thorough testing, I tend to think that adding a cert to a key store is one of those things that could be done without too much fuss directly in production environments.

Paul

[pau1ie]

I had the same problem with the JVM not trusting a certificate issued by QuoVadis. I assume Oracle do a half hearted job with the JVM, and the administrators have to sort out the rest. This problem isn't limited to Let's Encrypt. My guess is that browsers are targeted at users who require hand holding, but JVM is targeted at administrators who know what they are doing.