Most people won't give a crap, and that's fine, but Abma expressed some annoyance in the past about it.
My host, inmotionhosting, refuses to support letsencrypt, because they're greedy bastards and don't want to lose SSL business, which is why I'm dropping their sorry asses in December.
I can't afford a proper SSL cert, but I recently set up the site to run through cloudflare, which does actually allow me to use a Cloudflare cert for the site.
The way it works is, my server -> cloudflare's server is not encrypted, but the user is only ever served data from cloudflare and the connection from user -> cloudflare IS encrypted. It's obviously less than ideal, but the site doesn't gather any info other than google analytics anyway, so it doesn't really matter. In this case it is the best I can do until I switch servers.
I would love to switch to digital ocean, but I've never run a webserver on *nix and it sounds like a security hole waiting to happen. I could run it from a windows server wamp stack. I'm very good at security on winbloze server, but the problem is that I don't consider windows server to be very secure in general, so therefore I don't particularly want to run a site from a wamp stack on it.
(If someone wants to volunteer to help me with a DO *nix webserver droplet, I'm all ears )
Anyway, I figured it was big enough news on the security front that it was worth mentioning.
Evolutionrts.info now redirects all requests to https
- Forboding Angel
- Evolution RTS Developer
- Posts: 14673
- Joined: 17 Nov 2005, 02:43
Re: Evolutionrts.info now redirects all requests to https
Forboding Angel wrote:
> Most people won't give a crap, and that's fine, but Abma expressed some annoyance in the past about it.
> My host, inmotionhosting, refuses to support letsencrypt, because they're greedy bastards and don't want to lose SSL business, which is why I'm dropping their sorry asses in December.
I've heard that letsencrypt's renewal tools are a security headache.
Forboding Angel wrote:
> I can't afford a proper SSL cert, but I recently set up the site to run through cloudflare, which does actually allow me to use a Cloudflare cert for the site.
You might find StartCOM's free SSL certs of use.
Forboding Angel wrote:
> The way it works is, my server -> cloudflare's server is not encrypted,
That is not nice
Forboding Angel wrote:
> but the user is only ever served data from cloudflare and the connection from user -> cloudflare IS encrypted. It's obviously less than ideal, but the site doesn't gather any info other than google analytics anyway, so it doesn't really matter.
That's ok, Google is surely not evil.
Forboding Angel wrote:
> In this case it is the best I can do until I switch servers.
I'm actually not sure if what you've done can be considered as an improvement.
Forboding Angel wrote:
> I would love to switch to digital ocean, but I've never run a webserver on *nix and it sounds like a security hole waiting to happen. I could run it from a windows server wamp stack. I'm very good at security on winbloze server, but the problem is that I don't consider windows server to be very secure in general, so therefore I don't particularly want to run a site from a wamp stack on it.
> (If someone wants to volunteer to help me with a DO *nix webserver droplet, I'm all ears )
If you are very good with Windows, then perhaps find a Windows VPS (If such a thing exists)?
Or maybe simple web hosting where someone else takes care of updating and other system-related mess? E.g. https://www.gandi.net/hosting/simple
Forboding Angel wrote:
> Anyway, I figured it was big enough news on the security front that it was worth mentioning.
"Securely insecure"? I guess I could applaud you on effort here, but you seem to be very far from done.
- Forboding Angel
- Evolution RTS Developer
- Posts: 14673
- Joined: 17 Nov 2005, 02:43
Re: Evolutionrts.info now redirects all requests to https
The fact of the matter is that the content is cached on cloudflare's servers, so the connection from the site to the user is 100% secure. However, initially the content is originally pulled from my web host to cloudflare over a non-https connection. That sucks, but it's a fucking informational website, it's not that dire.
> I've heard that letsencrypt's renewal tools are a security headache.
My tooooootally non-anecdotal experience disagrees. <bernie-sideeye>
> You might find StartCOM's free SSL certs of use.
Interesting, but I'm willing to bet that renewal would be a giant headache that I don't want to deal with (yo dawg, I herd u liek anecdotes...).
> That is not nice
As previously explained, there is no confidential information passed, and the user->server connection is never exposed to a non-secure source so, frankly, it's fine (but less than ideal because originally the content is pulled via non-ssl, obviously).
> That's ok, Google is surely not evil.
Oh ffs, gtfo. No one (including google) except you cares about your weaboo pr0ns.
> If you are very good with Windows, then perhaps find a Windows VPS (If such a thing exists)?
> Or maybe simple web hosting where someone else takes care of updating and other system-related mess? E.g. https://www.gandi.net/hosting/simple
It's more the fact that when it comes to windows server, there tend to be a lot of security holes. Granted, with a competent admin and competent firewall setup it can be mostly, if not completely, mitigated. That said, dealing with windows server security is kind of a pita.
> "Securely insecure"? I guess I could applaud you on effort here, but you seem to be very far from done.
<bernie side-eye>
Re: Evolutionrts.info now redirects all requests to https
ThinkSome wrote:
> You might find StartCOM's free SSL certs of use.
bad idea! very likely startcom will lose trust from mozilla, apple, etc.
i.e.
http://arstechnica.com/security/2016/09 ... -security/
http://www.pcworld.com/article/3127627/ ... ority.html
still +1 for the partly encrypted traffic! :)
i missed the link https://evolutionrts.info/ in this thread!
Re: Evolutionrts.info now redirects all requests to https
Setting up Certbot should only need to be done once then fully automated afterwards, I've got it running on a cron job on my own server to auto-renew certificates.
Startcom shouldn't be trusted either, and Cloudflare HTTPS isn't really proper HTTPS, I'd move away from your host now rather than waiting for the hosting to end
For digital ocean you could go for something like Server Pilot to manage that for you, remember to have your package updates run on Cron, and I can send you over Nginx configs for WP and others
- Forboding Angel
- Evolution RTS Developer
- Posts: 14673
- Joined: 17 Nov 2005, 02:43
Re: Evolutionrts.info now redirects all requests to https
TIL money really does grow on trees.
Re: Evolutionrts.info now redirects all requests to https
Hey FA, great to see you are still around!
Firstly, I agree, having SSL is not really required, however you can fix this 'issue' easily - Just stick a self-signed certificate between CloudFlare and your box - that way you get full end-to-end encryption.
Once it is in place, just enable Full SSL (not strict) on CF and you should be fine - you do not need to buy an SSL certificate if you are confident you can manage your self-signed one - you don't need cron jobs and the like, it will only expire once a year - just set a reminder.
To clear up some misunderstandings:
1) It is unfair to say that 'Cloudflare HTTPS isn't really proper HTTPS' - it is fine, the variant you are using (non end-to-end) is frowned upon however and is misleading to the user.
2) It does not matter what SSL certificate you get, you could pay for a 1000 quid per month one if you wanted - it will never be presented to the user if you continue to use CF, and I would recommend using them, so either buy a super cheap (verified) one, or just self-sign - there is no security difference assuming you are able to keep the private key and other associated private signing info unavailable to the public.
3) As far as I can tell for this website, the only reason you would want SSL is to increase your google ranking - so the whole thing is super academic, and if you had not told anyone that this was not end-to-end SSL, no one would know
Much Love
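The self-signed origin certificate and the yearly expiry reminder described in the post above, as an added example that is not part of the original thread. The function names, file names and the hostname origin.example.test are placeholders; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: function names, file names and the hostname are placeholders.

# make_origin_cert DIR HOSTNAME DAYS
# Writes DIR/origin.key and DIR/origin.crt: a self-signed RSA-2048
# certificate for the web server that sits behind the CDN.
make_origin_cert() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the private key is created owner-only (0600).
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -days "$days" -subj "/CN=$host" \
          -keyout "$dir/origin.key" -out "$dir/origin.crt" 2>/dev/null )
}

# cert_status CERT WARN_DAYS
# Prints "expired", "renew-soon" (expires within WARN_DAYS) or "ok".
# Run from cron, this replaces the manual once-a-year reminder.
cert_status() {
    cert=$1; warn_days=$2
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo renew-soon
    else
        echo ok
    fi
}

# Demo on constructed input: a throwaway directory and a one-year certificate.
tmp=$(mktemp -d)
make_origin_cert "$tmp" origin.example.test 365 && cert_status "$tmp/origin.crt" 30
rm -rf "$tmp"
```

Cloudflare's Full mode encrypts the Cloudflare-to-origin hop but does not validate the origin certificate, which is why a self-signed one is accepted; Full (strict) requires a certificate Cloudflare can validate.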
- Forboding Angel
- Evolution RTS Developer
- Posts: 14673
- Joined: 17 Nov 2005, 02:43
Re: Evolutionrts.info now redirects all requests to https
Itept wrote:
> Hey FA, great to see you are still around!
Joined: Tue Nov 01, 2016 5:42 pm
???
Itept wrote:
> Firstly, I agree, having SSL is not really required, however you can fix this 'issue' easily - Just stick a self-signed certificate between CloudFlare and your box - that way you get full end-to-end encryption.
> Once it is in place, just enable Full SSL (not strict) on CF and you should be fine - you do not need to buy an SSL certificate if you are confident you can manage your self-signed one - you don't need cron jobs and the like, it will only expire once a year - just set a reminder.
Not necessary and pointless considering that I'm switching hosts in a little over a month.
Itept wrote:
> To clear up some misunderstandings:
> 1) It is unfair to say that 'Cloudflare HTTPS isn't really proper HTTPS' - it is fine, the variant you are using (non end-to-end) is frowned upon however and is misleading to the user.
For obvious reasons.
Itept wrote:
> 2) It does not matter what SSL certificate you get, you could pay for a 1000 quid per month one if you wanted - it will never be presented to the user if you continue to use CF, and I would recommend using them, so either buy a super cheap (verified) one, or just self-sign - there is no security difference assuming you are able to keep the private key and other associated private signing info unavailable to the public.
The main reason I wanted to try CF was because of the uptime and the fast cdn. This is a good reason as well.
Itept wrote:
> 3) As far as I can tell for this website, the only reason you would want SSL is to increase your google ranking - so the whole thing is super academic, and if you had not told anyone that this was not end-to-end SSL, no one would know
> Much Love
Less worried about the ranking (although, yes it was on my mind), and more having to do with the fact that when linking to resources from ssl enabled sites, it's annoying to have the resources either not show up at all or prompt the user with an insecure content warning.