Evolutionrts.info now redirects all requests to https

Forboding Angel
Evolution RTS Developer
Posts: 14673
Joined: 17 Nov 2005, 02:43

Evolutionrts.info now redirects all requests to https

Post by Forboding Angel »

Most people won't give a crap, and that's fine, but Abma expressed some annoyance in the past about it.

My host, inmotionhosting, refuses to support letsencrypt, because they're greedy bastards and don't want to lose SSL business, which is why I'm dropping their sorry asses in December.

I can't afford a proper SSL cert, but I recently set up the site to run through cloudflare, which does actually allow me to use a Cloudflare cert for the site.

The way it works is, my server -> cloudflare's server is not encrypted, but the user is only ever served data from cloudflare and the connection from user -> cloudflare IS encrypted. It's obviously less than ideal, but the site doesn't gather any info other than google analytics anyway, so it doesn't really matter. In this case it is the best I can do until I switch servers.

I would love to switch to digital ocean, but I've never run a webserver on *nix and it sounds like a security hole waiting to happen. I could run it from a windows server wamp stack. I'm very good at security on winbloze server, but the problem is that I don't consider windows server to be very secure in general, so therefore I don't particularly want to run a site from a wamp stack on it.
(If someone wants to volunteer to help me with a DO *nix webserver droplet, I'm all ears :-))

Anyway, I figured it was big enough news on the security front that it was worth mentioning.
ThinkSome
Posts: 387
Joined: 14 Jun 2015, 13:36

Re: Evolutionrts.info now redirects all requests to https

Post by ThinkSome »

Forboding Angel wrote: Most people won't give a crap, and that's fine, but Abma expressed some annoyance in the past about it.

My host, inmotionhosting, refuses to support letsencrypt, because they're greedy bastards and don't want to lose SSL business, which is why I'm dropping their sorry asses in December.
I've heard that letsencrypt's renewal tools are a security headache.
Forboding Angel wrote: I can't afford a proper SSL cert, but I recently set up the site to run through cloudflare, which does actually allow me to use a Cloudflare cert for the site.
You might find StartCOM's free SSL certs of use.
Forboding Angel wrote: The way it works is, my server -> cloudflare's server is not encrypted,
That is not nice
Forboding Angel wrote: but the user is only ever served data from cloudflare and the connection from user -> cloudflare IS encrypted. It's obviously less than ideal, but the site doesn't gather any info other than google analytics anyway, so it doesn't really matter.
That's ok, Google is surely not evil.
Forboding Angel wrote: In this case it is the best I can do until I switch servers.
I'm actually not sure if what you've done can be considered as an improvement.
Forboding Angel wrote: I would love to switch to digital ocean, but I've never run a webserver on *nix and it sounds like a security hole waiting to happen. I could run it from a windows server wamp stack. I'm very good at security on winbloze server, but the problem is that I don't consider windows server to be very secure in general, so therefore I don't particularly want to run a site from a wamp stack on it.
(If someone wants to volunteer to help me with a DO *nix webserver droplet, I'm all ears :-))

If you are very good with Windows, then perhaps find a Windows VPS (If such a thing exists)?
Or maybe simple web hosting where someone else takes care of updating and other system-related mess? E.g. https://www.gandi.net/hosting/simple
Forboding Angel wrote: Anyway, I figured it was big enough news on the security front that it was worth mentioning.
"Securely insecure"? I guess I could applaud you on effort here, but you seem to be very far from done.
Forboding Angel
Evolution RTS Developer
Posts: 14673
Joined: 17 Nov 2005, 02:43

Re: Evolutionrts.info now redirects all requests to https

Post by Forboding Angel »

The fact of the matter is that the content is cached on cloudflare's servers, so the connection from the site to the user is 100% secure. However, initially the content is originally pulled from my web host to cloudflare over a non-https connection. That sucks, but it's a fucking informational website, it's not that dire.
I've heard that letsencrypt's renewal tools are a security headache.
My tooooootally non-anecdotal experience disagrees. <bernie-sideeye>
You might find StartCOM's free SSL certs of use.
Interesting, but I'm willing to bet that renewal would be a giant headache that I don't want to deal with (yo dawg, I herd u liek anecdotes...).
That is not nice
As previously explained, there is no confidential information passed, and the user->server connection is never exposed to a non-secure source so, frankly, it's fine (but less than ideal because originally the content is pulled via non-ssl, obviously).
Thats ok, Google is surely not evil.
Oh ffs, gtfo. No one (including google) except you cares about your weaboo pr0ns.
If you are very good with Windows, then perhaps find a Windows VPS (If such a thing exists)?
Or maybe simple web hosting where someone else takes care of updating and other system-related mess? E.g. https://www.gandi.net/hosting/simple
It's more the fact that when it comes to windows server, there tend to be a lot of security holes. Granted, with a competent admin and competent firewall setup it can be mostly, if not completely, mitigated. That said, dealing with windows server security is kind of a pita.
"Securely insecure"? I guess I could applaud you on effort here, but you seem to be very far from done.
<bernie side-eye>
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

Re: Evolutionrts.info now redirects all requests to https

Post by abma »

ThinkSome wrote: You might find StartCOM's free SSL certs of use.
bad idea! very likely startcom will lose trust from mozilla, apple, etc.

i.e.
http://arstechnica.com/security/2016/09 ... -security/
http://www.pcworld.com/article/3127627/ ... ority.html

:-)

still +1 for the partly encrypted traffic! :)

i missed the link https://evolutionrts.info/ in this thread!
AF
AI Developer
Posts: 20687
Joined: 14 Sep 2004, 11:32

Re: Evolutionrts.info now redirects all requests to https

Post by AF »

Setting up Certbot should only need to be done once then fully automated afterwards, I've got it running on a cron job on my own server to auto-renew certificates.

Startcom shouldn't be trusted either, and Cloudflare HTTPS isn't really proper HTTPS. I'd move away from your host now rather than waiting for the hosting to end.

For digital ocean you could go for something like Server Pilot to manage that for you; remember to have your package updates run on cron, and I can send you over Nginx configs for WP and others.
Forboding Angel
Evolution RTS Developer
Posts: 14673
Joined: 17 Nov 2005, 02:43

Re: Evolutionrts.info now redirects all requests to https

Post by Forboding Angel »

TIL money really does grow on trees.
Itept
Posts: 1
Joined: 02 Nov 2016, 02:42

Re: Evolutionrts.info now redirects all requests to https

Post by Itept »

Hey FA, great to see you are still around!

Firstly, I agree, having SSL is not really required, however you can fix this 'issue' easily - Just stick a self-signed certificate between CloudFlare and your box - that way you get full end-to-end encryption.

Once it is in place, just enable Full SSL (not strict) on CF and you should be fine - you do not need to buy an SSL certificate if you are confident you can manage your self-signed one - you don't need cron jobs and the like, it will only expire once a year - just set a reminder.

To clear up some misunderstandings:

1) It is unfair to say that 'Cloudflare HTTPS isn't really proper HTTPS' - it is fine, the variant you are using (non end-to-end) is frowned upon however and is misleading to the user.

2) it does not matter what SSL certificate you get, you could pay for a 1000 quid per month one if you wanted - it will never be presented to the user if you continue to use CF, and I would recommend using them, so either buy a super cheap (verified) one, or just self-sign - there is no security difference assuming you are able to keep the private key and other associated private signing info unavailable to the public.

3) As far as I can tell for this website, the only reason you would want SSL is to increase your google ranking - so the whole thing is super academic, and if you had not told anyone that this was not end-to-end SSL, no one would know ;-)

Much Love
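The setup Itept describes, as an added example that is not part of the thread or of the Evolution RTS project: a self-signed certificate on the origin so that Cloudflare's "Full (not strict)" mode encrypts the Cloudflare -> origin hop, plus an nginx server block that redirects every plain-http request to https. The hostname evolutionrts.info, the ./origin-tls output directory, the 365-day validity, nginx as the origin web server and the file paths are all assumptions; the script also checks the two caveats raised in the post: that the cert would still be rejected by "Full (strict)" (no trusted CA signed it) and when the yearly renewal comes due.

```shell
#!/bin/sh
# Added example, not from the thread or the Evolution RTS project.
# Assumptions (hypothetical): hostname evolutionrts.info, output dir ./origin-tls,
# 365-day validity, nginx on the origin. Requires the openssl CLI.
set -eu

HOST="${HOST:-evolutionrts.info}"
OUT="${OUT:-./origin-tls}"
DAYS="${DAYS:-365}"

# Generate a private key and a self-signed cert with a SAN. A config file is
# used instead of "-addext" so it also works on older OpenSSL releases.
make_origin_cert() {
  mkdir -p "$OUT"
  cat > "$OUT/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $HOST
[ext]
subjectAltName   = DNS:$HOST, DNS:www.$HOST
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$OUT/origin.key" -out "$OUT/origin.crt" \
    -days "$DAYS" -config "$OUT/openssl.cnf" 2>/dev/null
  chmod 600 "$OUT/origin.key"   # the private key is the only secret here; keep it so
}

# True if the cert is still valid $1 days from now (the "set a reminder" check).
cert_valid_beyond_days() {
  openssl x509 -noout -checkend "$(( $1 * 86400 ))" -in "$OUT/origin.crt" >/dev/null
}

# True if the cert's SAN/CN covers the name Cloudflare will connect to.
cert_matches_host() {
  openssl x509 -noout -checkhost "$HOST" -in "$OUT/origin.crt" | grep -q "does match"
}

# True only if the system CA store trusts the cert, i.e. what "Full (strict)"
# needs; a self-signed cert fails this, which is why "Full (not strict)" is used.
strict_mode_would_accept() {
  openssl verify "$OUT/origin.crt" >/dev/null 2>&1
}

# nginx server blocks: redirect all http to https, serve https with the cert.
# Paths are hypothetical; move them into your nginx layout.
write_nginx_conf() {
  cat > "$OUT/nginx-origin.conf" <<EOF
server {
    listen 80;
    server_name $HOST www.$HOST;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $HOST www.$HOST;
    ssl_certificate     $OUT/origin.crt;
    ssl_certificate_key $OUT/origin.key;
    ssl_protocols       TLSv1.2;
}
EOF
}

main() {
  make_origin_cert
  write_nginx_conf
  openssl x509 -noout -subject -enddate -in "$OUT/origin.crt"
  if strict_mode_would_accept; then
    echo "publicly trusted: Cloudflare Full (strict) is fine"
  else
    echo "self-signed: set Cloudflare SSL mode to Full, not Full (strict)"
  fi
  cert_valid_beyond_days 30 || echo "WARNING: cert expires within 30 days, renew it"
}

# Usage: sh origin-tls.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once with `sh origin-tls.sh run`, point Cloudflare's SSL mode at "Full" (not strict), and re-run `cert_valid_beyond_days 30` from a reminder or cron entry to catch the yearly expiry; the 301 redirect is what makes the origin behave like the thread title says, instead of leaving port 80 serving content.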
Forboding Angel
Evolution RTS Developer
Posts: 14673
Joined: 17 Nov 2005, 02:43

Re: Evolutionrts.info now redirects all requests to https

Post by Forboding Angel »

Itept wrote: Hey FA, great to see you are still around!
Joined: Tue Nov 01, 2016 5:42 pm
???
Itept wrote: Firstly, I agree, having SSL is not really required, however you can fix this 'issue' easily - Just stick a self-signed certificate between CloudFlare and your box - that way you get full end-to-end encryption.

Once it is in place, just enable Full SSL (not strict) on CF and you should be fine - you do not need to buy an SSL certificate if you are confident you can manage your self-signed one - you don't need cron jobs and the like, it will only expire once a year - just set a reminder.
Not necessary and pointless considering that I'm switching hosts in a little over a month.

Itept wrote: To clear up some misunderstandings:

1) It is unfair to say that 'Cloudflare HTTPS isn't really proper HTTPS' - it is fine, the variant you are using (non end-to-end) is frowned upon however and is misleading to the user.
For obvious reasons.

Itept wrote: 2) it does not matter what SSL certificate you get, you could pay for a 1000 quid per month one if you wanted - it will never be presented to the user if you continue to use CF, and I would recommend using them, so either buy a super cheap (verified) one, or just self-sign - there is no security difference assuming you are able to keep the private key and other associated private signing info unavailable to the public.
The main reason I wanted to try CF was because of the uptime and the fast cdn. This is a good reason as well.

Itept wrote: 3) As far as I can tell for this website, the only reason you would want SSL is to increase your google ranking - so the whole thing is super academic, and if you had not told anyone that this was not end-to-end SSL, no one would know ;-)

Much Love
Less worried about the ranking (although, yes it was on my mind), and more having to do with the fact that when linking to resources from ssl enabled sites, it's annoying to have the resources either not show up at all or prompt the user with an insecure content warning.