SSL Certificates...

Rick C

Anyone know about SSL certificates for a web site? I'm trying to help a friend who had a web site for his non-profit and I don't quite understand the details. The web hosting provides a certificate which I copied to Cpanel and it says it is installed, but opening the web page still reports a problem with security.

At this point I'm guessing this has to do with the fact that the certificate is not issued by an authority, but rather self signed. I found a site that gives out 90 day free certificates and installed one. Just typing the web site URL doesn't show a safe site, but typing https: manually does, however the web site doesn't work correctly. The initial page has some sort of fancy dancy animated text that doesn't work and you can't get past that.

I've reached the limits of what I can figure out. Any web page gurus out there who can offer some advice?

The web page is coldwatersafety.org

--

Rick C.

- Get 1,000 miles of free Supercharging
- Tesla referral code - https://ts.la/richard11209
 
"Rick C" <gnuarm.deletethisbit@gmail.com> wrote in message
news:14baaee9-f773-4412-af6c-3ba6fdca97e3n@googlegroups.com...
> Anyone know about SSL certificates for a web site? I'm trying to help a
> friend who had a web site for his non-profit and I don't quite understand
> the details. The web hosting provides a certificate which I copied to
> Cpanel and it says it is installed, but opening the web page still reports
> a problem with security.

I use https://letsencrypt.org/ but I don't use cpanel.

> At this point I'm guessing this has to do with the fact that the
> certificate is not issued by an authority, but rather self signed. I found
> a site that gives out 90 day free certificates and installed one. Just
> typing the web site URL doesn't show a safe site, but typing https:
> manually does, however the web site doesn't work correctly. The initial
> page has some sort of fancy dancy animated text that doesn't work and you
> can't get past that.

The server should be configured to redirect http to https. Something like
return 301 https://$host$request_uri; in the vhost file but don't ask me
how to do that on cpanel and LiteSpeed is not a web server I've used before.

You might also want to look into why you get an F here:
https://securityheaders.com/?q=https%3A%2F%2Fwww.coldwatersafety.org

> I've reached the limits of what I can figure out. Any web page gurus out
> there who can offer some advice?

You will likely achieve success only when someone who understands and has
direct access to the web server configuration takes a look. So my advice
would be to ask the web host to do it for you. Most web hosts have people
who know what they're doing with ssl and web server configuration and if
they don't then find another host.

> The web page is
> --
>
> Rick C.
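
The two checks suggested in the reply above (is plain http redirected to https, and which response headers are missing), as an added example that is not part of the thread: a Python audit that works on (status, headers) pairs. The host example.org, the sample responses and the 180-day HSTS threshold are constructed assumptions.

```python
"""Audit an HTTP->HTTPS redirect and the security headers on the HTTPS reply."""
import http.client
from urllib.parse import urlsplit

# Response headers that header scanners such as securityheaders.com report on.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
MIN_HSTS_MAX_AGE = 15552000  # 180 days; a threshold assumed for this example


def fetch(host, tls):
    """Return (status, headers) for GET / without following redirects (uses the network)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def bare(hostname):
    """Treat example.org and www.example.org as the same site."""
    hostname = (hostname or "").lower()
    return hostname[4:] if hostname.startswith("www.") else hostname


def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None


def audit(host, http_resp, https_resp):
    """Return findings for the port-80 and port-443 (status, headers) pairs."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 303, 307, 308):
        findings.append(f"http://{host}/ answers {status} instead of redirecting")
    elif target.scheme != "https":
        findings.append(f"redirect target is not https: {headers.get('location')!r}")
    else:
        if bare(target.hostname) != bare(host):
            findings.append(f"redirect leaves the site: {target.hostname}")
        if status not in (301, 308):
            findings.append(f"redirect is temporary ({status}); use 301 or 308")

    _, secure = https_resp
    for name in EXPECTED_HEADERS:
        if name not in secure:
            findings.append(f"missing header: {name}")
    if "strict-transport-security" in secure:
        age = hsts_max_age(secure["strict-transport-security"])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short or unparsable: {age}")
    return findings


# Constructed responses (not captured from any real site).
NO_REDIRECT = (200, {"content-type": "text/html"})
TEMP_REDIRECT = (302, {"location": "https://www.example.org/"})
GOOD_REDIRECT = (301, {"location": "https://www.example.org/"})
BARE_HTTPS = (200, {"content-type": "text/html"})
HARDENED_HTTPS = (200, {
    "content-type": "text/html",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=()",
})

if __name__ == "__main__":
    for label, pair in (("before", (NO_REDIRECT, BARE_HTTPS)),
                        ("after", (GOOD_REDIRECT, HARDENED_HTTPS))):
        print(label, audit("example.org", *pair) or "no findings")
```

Against a live site, pass `fetch(host, tls=False)` and `fetch(host, tls=True)` to `audit` in place of the constructed pairs.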
 
On Monday, November 30, 2020 at 10:42:13 PM UTC-5, jeff.li...@gmail.com wrote:
> On Mon, 30 Nov 2020 18:15:47 -0800 (PST), Rick C
> <gnuarm.del...@gmail.com> wrote:
>
>> The web page is coldwatersafety.org
>
> https://www.coldwatersafety.org/nccwsRules3.html
> It works if I force encryption with https://
> Your home page (and entire site) should translate http:// -> https://
>
> However, that's not enough because you have parts of the site going
> out to insecure web sites. When I click on the "lock" icon in
> Firefox, it proclaims that:
> Connection Secure
> Verified by ZeroSSL
> Firefox has blocked parts of this page that are not secure
>
> So basically, what you need to do is check the box on whatever
> management interface the web site is using and tell it to translate
> *ALL* http:// requests to https:// and I think you'll be ok.
>
> SSL check:
> https://www.ssllabs.com/ssltest/analyze.html?d=coldwatersafety.org
> (The test takes about 7 minutes. Patience).
> IPv4 and IPv6 both show that SSL is working "grade A".
>
> Also, check TLS with one of these:
> https://geekflare.com/ssl-test-certificate/
> such as:
> https://www.digicert.com/help/
> which says you're ok. Make sure TLS 1.0 is *NOT* enabled.

Thanks, at this time no one qualified is available to help us with those issues. Maybe I can get the friend who originally designed the site to work on it some more.

--

Rick C.

 
On Monday, November 30, 2020 at 11:05:19 PM UTC-5, Edward Rawde wrote:
> You will likely achieve success only when someone who understands and has
> direct access to the web server configuration takes a look. So my advice
> would be to ask the web host to do it for you. Most web hosts have people
> who know what they're doing with ssl and web server configuration and if
> they don't then find another host.

This is on my hosting account. I don't know how my provider could afford to support customers with things like this for the few bucks a month they are getting. They have some FAQ pages and such, but they all assume a certain level of knowledge. Something way beyond my level is going on with the main page that the source has the text that is displayed on an overlay that is removed, kinda like a popup on the page, but I can't find the text that is displayed behind the popup which you see once it goes away. So there are some links I can't even find.

I wouldn't mind working on this, it could be educational, but I'm slammed with work on the ventilator project... which I become more disenchanted with every day. The guy designing the power supply board is starting work on layout without having a design review and I know there are functions missing. The project leader doesn't even know what a design review is. He thought it was a document that I could prepare for them. The other board designer said that we've been reviewing it as each part is added!!!

Whatever. I need to finish the part of the FPGA I'm working on and then I can retire with dignity.

--

Rick C.
 
"Rick C" <gnuarm.deletethisbit@gmail.com> wrote in message
news:8ea51ba4-742a-47f6-bd19-34d89de6278cn@googlegroups.com...

> This is on my hosting account. I don't know how my provider could afford
> to support customers with things like this for the few bucks a month they
> are getting. They have some FAQ pages and such, but they all assume a
> certain level of knowledge. Something way beyond my level is going on with
> the main page that the source has the text that is displayed on an overlay
> that is removed, kinda like a popup on the page, but I can't find the text
> that is displayed behind the popup which you see once it goes away. So
> there are some links I can't even find.

In Firefox right click and Inspect Element.

> I wouldn't mind working on this, it could be educational, but I'm slammed
> with work on the ventilator project... which I become more disenchanted
> with every day. The guy designing the power supply board is starting work
> on layout without having a design review and I know there are functions
> missing. The project leader doesn't even know what a design review is. He
> thought it was a document that I could prepare for them. The other board
> designer said that we've been reviewing it as each part is added!!!
>
> Whatever. I need to finish the part of the FPGA I'm working on and then I
> can retire with dignity.
>
> --
>
> Rick C.
 
On 01/12/2020 02:49, Jon Elson wrote:
Rick C wrote:

Anyone know about SSL certificates for a web site? I'm trying to help a
friend who had a web site for his non-profit and I don't quite understand
the details. The web hosting provides a certificate which I copied to
Cpanel and it says it is installed, but opening the web page still reports
a problem with security.

At this point I'm guessing this has to do with the fact that the
certificate is not issued by an authority, but rather self signed. I
found a site that gives out 90 day free certificates and installed one.
Just typing the web site URL doesn't show a safe site, but typing https:
manually does, however the web site doesn't work correctly. The initial
page has some sort of fancy dancy animated text that doesn't work and you
can't get past that.

That could be a fault in the rewrite rules.

I've reached the limits of what I can figure out. Any web page gurus out
there who can offer some advice?

The web page is coldwatersafety.org

OK, you need to create a public and a private key. Then, the keys are
placed somewhere where the web server can access it. Then, the web server
needs to be given the file paths to these files. Yes, I think most browsers
now require an authoritatively signed SSL certificate.

First thing to do is use one of the online SSL checkers. Just Google for
"check SSL " and a bunch come up. Click on one and enter the URL and see
what it says. Yes, I see it shows as NOT vendor signed. The web page does
seem to work on my Firefox system without complaint.

Then, if you want to set up an official signed SSL cert, you will have to
choose one of the bigger signing outfits like GoDaddy and pay them an
exorbitant fee for a totally automated online service that takes their
computer a millisecond to process, every 2 years or so. Yes, it is a scam.

Turns out that you can also do it for free. I don't understand the
details (or it is possible that someone else pays for it).

These guys will do you a certificate for a not-for-profit organisation.
I only found out about it because the autorenewal went haywire and the
society I maintain the website for suddenly gave me loads of security
warnings. I didn't have to do the renewal myself so I know no more than
the URL where the "could not renew free certificate error message came
from":

https://letsencrypt.org

This means that the only thing that https: now guarantees is that no-one
(apart from possibly GCHQ) can read your web traffic - but the other end
may be any scammer at all that has pretended to be a not for profit
group (in addition to whatever criminal enterprise they are up to).

--
Regards,
Martin Brown
 
On 01/12/2020 10:49, Martin Brown wrote:
> Turns out that you can also do it for free. I don't understand the
> details (or it is possible that someone else pays for it).

There is no intrinsic cost to making an SSL certificate - it's nothing
but a couple of numbers.

There /is/ a cost to checking the identity and details of a person
claiming to represent a company. There is a value in putting a cost on
certificates - it means people will get them if they really want them,
but won't make masses of them.

> These guys will do you a certificate for a not-for-profit organisation.

They do free certificates for anyone - businesses too, because their
process is fully automated. They don't do the more advanced and higher
level certificates that show a higher level of trust - if you are a
bank, or a website selling something expensive, then Let's Encrypt
certificates are not really "strong" enough. But they are absolutely
fine for most people.

They avoid the time-consuming checking of people's identities by issuing
certificates for a domain name only after they have checked that you
control that domain name.

> I only found out about it because the autorenewal went haywire and the
> society I maintain the website for suddenly gave me loads of security
> warnings. I didn't have to do the renewal myself so I know no more than
> the URL where the "could not renew free certificate error message came
> from":
>
> https://letsencrypt.org
 
On Tuesday, December 1, 2020 at 10:07:34 AM UTC-5, David Brown wrote:
> There is no intrinsic cost to making an SSL certificate - it's nothing
> but a couple of numbers.
>
> There /is/ a cost to checking the identity and details of a person
> claiming to represent a company. There is a value in putting a cost on
> certificates - it means people will get them if they really want them,
> but won't make masses of them.

That "level" of effort is to receive an email and paste a confirmation number on a web page. That's what I had to do. The security is about assuring comms with the web site are actually with the legit web site rather than with some third party. It doesn't validate anything about the identity of the person requesting the certificate. There may be more done with some certs than others, but either your cert is "good enough" or it isn't. The sites I checked out charge for and may have more strict verification, but the major difference seems to have to do with size of the blanket the certs provide. I didn't go into much detail once I saw the price tags. It would be cheaper to just become a certifying organization. Do you think Google doesn't self certify?

>> These guys will do you a certificate for a not-for-profit organisation.
> They do free certificates for anyone - businesses too, because their
> process is fully automated. They don't do the more advanced and higher
> level certificates that show a higher level of trust - if you are a
> bank, or a website selling something expensive, then Let's Encrypt
> certificates are not really "strong" enough. But they are absolutely
> fine for most people.

How do "levels" of certification work? If your url has "bank" in the name it has to have a different level of cert? Where is any of this enforced?

> They avoid the time-consuming checking of people's identities by issuing
> certificates for a domain name only after they have checked that you
> control that domain name.

Yes, there is no verification of the person, just the email account. I used hostmaster@coldwatersafety.org. I'm going to try to get the email address hostmaster@google.com. ;-)

--

Rick C.

 
On 01/12/2020 16:25, Rick C wrote:
> On Tuesday, December 1, 2020 at 10:07:34 AM UTC-5, David Brown wrote:
>> On 01/12/2020 10:49, Martin Brown wrote:
>>> These guys will do you a certificate for a not-for-profit
>>> organisation.
>> They do free certificates for anyone - businesses too, because
>> their process is fully automated. They don't do the more advanced
>> and higher level certificates that show a higher level of trust -
>> if you are a bank, or a website selling something expensive, then
>> Let's Encrypt certificates are not really "strong" enough. But they
>> are absolutely fine for most people.
>
> How do "levels" of certification work? If your url has "bank" in the
> name it has to have a different level of cert? Where is any of this
> enforced?

Short answer is that they don't now. You get the same reassuring green
padlock that the great unwashed have been told to look out for either
way. It used to require the scammers to at least buy an SSL certificate.

>> They avoid the time-consuming checking of people's identities by
>> issuing certificates for a domain name only after they have checked
>> that you control that domain name.
>
> Yes, there is no verification of the person, just the email account.
> I used hostmaster@coldwatersafety.org. I'm going to try to get the
> email address hostmaster@google.com. ;-)

I guess it does no harm to use encryption on the web connection. The
site I ran into problems with is essentially all hobby images of plants
and has absolutely no e-commerce content whatsoever.

The most they can do is send webmaster an email saying that plant name
is wrong or asking for a plant ID. Nothing that requires any security.

--
Regards,
Martin Brown
 
In article <TJmdncRgPvSoMljCnZ2dnUU7-TXNnZ2d@giganews.com>,
Jon Elson <elson@pico-systems.com> wrote:

> First thing to do is use one of the online SSL checkers. Just Google for
> "check SSL " and a bunch come up. Click on one and enter the URL and see
> what it says. Yes, I see it shows as NOT vendor signed. The web page does
> seem to work on my Firefox system without complaint.
>
> Then, if you want to set up an official signed SSL cert, you will have to
> choose one of the bigger signing outfits like GoDaddy and pay them an
> exorbitant fee for a totally automated online service that takes their
> computer a millisecond to process, every 2 years or so. Yes, it is a scam.

Check out letsencrypt.org - they run a high-level certificate
authority, provide basic web-site certs for free (with an automated
install-and-renew feature) and their CA is accepted by modern
browsers. A lot of sites use their certificates.

There is one possible down-side to using their certs. Their CA isn't
accepted directly by many older browser versions (it didn't exist when
those browser versions were released). To work around this, they
arranged to have their root certificate cross-signed by another
(long-established) certificate authority. However, that cross-signing
agreement is going to lapse within the next year, and after that, SSL
certs issued by LetsEncrypt may not be accepted by (e.g.) old versions
of Android on old phones that are no longer being updated.
 
On 2020-12-01, Jeff Liebermann <jeffl@cruzio.com> wrote:
> On Mon, 30 Nov 2020 19:42:00 -0800, Jeff Liebermann <jeffl@cruzio.com>
> wrote:
>
>> So basically, what you need to do is check the box on whatever
>> management interface the web site is using and tell it to translate
>> *ALL* http:// requests to https:// and I think you'll be ok.
>
> You will also need to change all hard coded links, and links to
> off-site URL's, to https://
>
> Lots of clues on how it's done:
> https://www.google.com/search?q=convert+http+to+https+on+server
> This looks tolerable even if it's 5 years old:
> "How to Migrate from HTTP to HTTPS - Complete Guide"
> https://www.keycdn.com/blog/http-to-https

Basically all you need to do is delete all the http: and https: from
the page. The browser will use the same scheme that it loaded the page
with if the reference does not specify a scheme.

--
Jasen.
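
The mixed-content problem raised in the posts above (Firefox blocking parts of an https:// page that are still fetched over http://, and the advice to change or drop the hard-coded schemes), as an added example that is not part of the thread: a Python scanner that lists explicit http:// references in a page and separates blocked "active" subresources from passive ones, form targets and plain links. The sample page and its host names are constructed.

```python
"""List hard-coded http:// references in a page that will be served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a browser fetches while rendering the page.
# Active content can rewrite the page, so browsers block it when it is mixed;
# passive content is upgraded or flagged, depending on the browser.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


def classify(tag, attr, attrs):
    """Return 'active', 'passive', 'form', 'link' or None for one attribute."""
    if (tag, attr) in ACTIVE:
        return "active"
    if (tag, attr) in PASSIVE:
        return "passive"
    if (tag, attr) == ("link", "href"):
        rels = (attrs.get("rel") or "").lower().split()
        return "active" if "stylesheet" in rels else None
    if (tag, attr) == ("form", "action"):
        return "form"   # the submitted data would travel in clear text
    if (tag, attr) == ("a", "href"):
        return "link"   # navigation only: not mixed content, but worth updating
    return None


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (kind, tag, attribute, url, line number)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            kind = classify(tag, attr, attrs)
            if kind is None or not value:
                continue
            url = value.strip()
            try:
                scheme = urlsplit(url).scheme.lower()
            except ValueError:  # malformed URL: nothing to classify
                continue
            # Relative and scheme-relative ("//host/x.js") URLs inherit the
            # page's scheme, so only an explicit http:// is reported.
            if scheme == "http":
                self.findings.append((kind, tag, attr, url, self.getpos()[0]))


def scan(html):
    """Return every explicit http:// reference found in the HTML text."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample page (host names are placeholders).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="http://cdn.example/animate.js"></script>
<script src="//cdn.example/menu.js"></script>
</head><body>
<img src="http://images.example/banner.png" alt="banner">
<img src="img/logo.png" alt="logo">
<a href="http://www.example.org/rules.html">Rules</a>
<form action="http://www.example.org/contact" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, attr, url, line in scan(SAMPLE_PAGE):
        print(f"line {line}: {kind:7} <{tag} {attr}> {url}")
    print(summarize(scan(SAMPLE_PAGE)))
```

The "active" findings are the ones to fix first: a blocked script or stylesheet is the kind of failure that leaves a scripted page element not working once the site is loaded over https.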
 
On 01/12/2020 17:25, Rick C wrote:
> On Tuesday, December 1, 2020 at 10:07:34 AM UTC-5, David Brown wrote:
>> There is no intrinsic cost to making an SSL certificate - it's
>> nothing but a couple of numbers.
>>
>> There /is/ a cost to checking the identity and details of a person
>> claiming to represent a company. There is a value in putting a
>> cost on certificates - it means people will get them if they really
>> want them, but won't make masses of them.
>
> That "level" of effort is to receive an email and paste a confirmation
> number on a web page. That's what I had to do. The security is
> about assuring comms with the web site are actually with the legit
> web site rather than with some third party. It doesn't validate
> anything about the identity of the person requesting the certificate.

That is almost correct.

Let's Encrypt certificates validate that you have control of the domain
name. In order to get a certificate, you have to run a small server
program on your system and have the domain name resolution, port
forwards, etc., point into that server. That means - barring major
security cock-ups - the person/people running the program to get the
certificate also run the real webserver or other server programs. And
that's all the certificate and the SSL checking can confirm - it shows
that the end user is talking to the site they think they are talking to.

When you get a certificate via a cheap webhosting provider, the level of
control is not much different - the owner of the hosted website has an
identifying email address, user name and password, and this is used for
control of the hosted web page and for issuing the SSL certificate.
These providers won't issue a certificate for domain names they do not
control, because they can't confirm the identities.

Some certificate authorities also offer "extended validation"
certificates. These are "more secure", in that they require a lot more
checking and control before they are issued, to make sure that they are
only issued to the right people. And they cost much more, making them
less attractive to anyone who is not serious about it. These /do/
validate identities, and are appropriate for more demanding use-cases
(like banks).

> There may be more done with some certs than others, but either your
> cert is "good enough" or it isn't. The sites I checked out charge
> for and may have more strict verification, but the major difference
> seems to have to do with size of the blanket the certs provide. I
> didn't go into much detail once I saw the price tags. It would be
> cheaper to just become a certifying organization. Do you think
> Google doesn't self certify?

There are different variations of certificates for handling single
domains (domain.com), sub-domains (www.domain.com), multiple
sub-domains, wildcards (*.domain.com), etc. Some providers charge
different fees for the different variations.

For the solid majority of use-cases, Let's Encrypt is all you need - and
it is entirely free. You get the certificate for the domains and
sub-domains you pick, assuming you control those domains and can run the
Let's Encrypt scripts. You don't get wildcard certificates, but if you
want to add a new subdomain to your list, you just add it and re-run the
program - it's a few minutes effort.

>>> These guys will do you a certificate for a not-for-profit
>>> organisation.
>> They do free certificates for anyone - businesses too, because
>> their process is fully automated. They don't do the more advanced
>> and higher level certificates that show a higher level of trust -
>> if you are a bank, or a website selling something expensive, then
>> Let's Encrypt certificates are not really "strong" enough. But they
>> are absolutely fine for most people.
>
> How do "levels" of certification work? If your url has "bank" in the
> name it has to have a different level of cert? Where is any of this
> enforced?

No, there is no connection to the domain name - nor are there any
requirements or enforcements here. Some browsers (unfortunately not
all) give an indication in the address bar, or "padlock icon", of
different certificate levels. Other than that you have to check the
details yourself, which of course loses the point a little. (It's
usually very easy to see that a certificate is self-signed, and
therefore effectively worthless.)

>> They avoid the time-consuming checking of people's identities by
>> issuing certificates for a domain name only after they have checked
>> that you control that domain name.
>
> Yes, there is no verification of the person, just the email account.
> I used hostmaster@coldwatersafety.org. I'm going to try to get the
> email address hostmaster@google.com. ;-)

Good luck with that one!
 
On 01/12/2020 17:38, Martin Brown wrote:
> On 01/12/2020 16:25, Rick C wrote:
>> On Tuesday, December 1, 2020 at 10:07:34 AM UTC-5, David Brown wrote:
>>> On 01/12/2020 10:49, Martin Brown wrote:
>>>> These guys will do you a certificate for a not-for-profit
>>>> organisation.
>>> They do free certificates for anyone - businesses too, because
>>> their process is fully automated. They don't do the more advanced
>>> and higher level certificates that show a higher level of trust -
>>> if you are a bank, or a website selling something expensive, then
>>> Let's Encrypt certificates are not really "strong" enough. But they
>>> are absolutely fine for most people.
>>
>> How do "levels" of certification work? If your url has "bank" in the
>> name it has to have a different level of cert? Where is any of this
>> enforced?
>
> Short answer is that they don't now. You get the same reassuring green
> padlock that the great unwashed have been told to look out for either
> way. It used to require the scammers to at least buy an SSL certificate.

Let's Encrypt don't know who you are, but they know you have control of
the domain name and therefore any services connected to it. Does it
matter if you are who you say you are, if you already have control of
the domain? (When you buy a domain name, you have to pay for it, and
you have to register it - with a contact name, address, telephone
number, etc., as well as an email address.)

A normal (i.e., not an extended) SSL certificate only confirms that you
are accessing the site you think you are. It confirms that when you
point your browser at "www.coldwatersafety.org", the communication is
encrypted and the end point is the address pointed at by the DNS
resolution for that address (or something forwarded internally after
that). You know it is not someone using a man-in-the-middle attack with
a proxy that is hijacking the traffic.

Let's Encrypt does that job fine.
 
On 02/12/2020 09:45, David Brown wrote:
On 01/12/2020 17:38, Martin Brown wrote:
On 01/12/2020 16:25, Rick C wrote:
On Tuesday, December 1, 2020 at 10:07:34 AM UTC-5, David Brown
wrote:
On 01/12/2020 10:49, Martin Brown wrote:

These guys will do you a certificate for a not-for-profit
organisation.
They do free certificates for anyone - businesses too, because
their process is fully automated. They don't do the more advanced
and higher level certificates that show a higher level of trust -
if you are a bank, or a website selling something expensive, then
Let's Encrypt certificates are not really "strong" enough. But they
are absolutely fine for most people.

How do "levels" of certification work?  If your url has "bank" in the
name it has to have a different level of cert?   Where is any of this
enforced?

Short answer is that they don't now. You get the same reassuring green
padlock that the great unwashed have been told to look out for either
way. It used to require the scammers to at least buy an SSL certificate.

Let's Encrypt don't know who you are, but they know you have control of
the domain name and therefore any services connected to it. Does it
matter if you are who you say you are, if you already have control of
the domain? (When you buy a domain name, you have to pay for it, and
you have to register it - with a contact name, address, telephone
number, etc., as well as an email address.)

And the checking on that data by most hosting organisations is precisely
nil so long as your dollars are green and in the right quantities.
Typically under £100 for starter hosting with enough capabilities.

Some you can even pay anonymously via Paypal or Bitcoin.

A normal (i.e., not an extended) SSL certificate only confirms that you
are accessing the site you think you are. It confirms that when you
point your browser at "www.coldwatersafety.org", the communication is
encrypted and the end point is the address pointed at by the DNS
resolution for that address (or something forwarded internally after
that). You know it is not someone using a man-in-the-middle attack with
a proxy that is hijacking the traffic.

Let's Encrypt does that job fine.

Oh yes. But the way the general public have been told is that only
legitimate retailers will have the green padlock. This is not true and
never has been the case. Legitimate retailers *will* have a secure
website but then so will any reasonably sophisticated scammer.

One thing that search engines should be forced to do is where there is a
hit in the .gov hierarchy no paid for scam adverts on the same keywords
should be allowed to sit above it in the search results.

That would stop the fake HMRC, visa waiver sites etc. in their tracks.
Too many people get ripped off by these sites selling access to free
government websites (or worse taking the money and doing nothing).

--
Regards,
Martin Brown
 
On 02/12/2020 15:12, Martin Brown wrote:
On 02/12/2020 09:45, David Brown wrote:
On 01/12/2020 17:38, Martin Brown wrote:
On 01/12/2020 16:25, Rick C wrote:
On Tuesday, December 1, 2020 at 10:07:34 AM UTC-5, David Brown
wrote:
On 01/12/2020 10:49, Martin Brown wrote:

These guys will do you a certificate for a not-for-profit
organisation.
They do free certificates for anyone - businesses too, because
their process is fully automated. They don't do the more advanced
and higher level certificates that show a higher level of trust -
if you are a bank, or a website selling something expensive, then
Let's Encrypt certificates are not really "strong" enough. But they
are absolutely fine for most people.

How do "levels" of certification work?  If your url has "bank" in the
name it has to have a different level of cert?   Where is any of this
enforced?

Short answer is that they don't now. You get the same reassuring green
padlock that the great unwashed have been told to look out for either
way. It used to require the scammers to at least buy an SSL certificate.

Let's Encrypt don't know who you are, but they know you have control of
the domain name and therefore any services connected to it.  Does it
matter if you are who you say you are, if you already have control of
the domain?  (When you buy a domain name, you have to pay for it, and
you have to register it - with a contact name, address, telephone
number, etc., as well as an email address.)

And the checking on that data by most hosting organisations is precisely
nil so long as your dollars are green and in the right quantities.
Typically under £100 for starter hosting with enough capabilities.

Again - it does not /matter/. If I try to register
www.coldwatersecurity.org, or perhaps www.coldwatersecurity.com, or
www.coldwatersecurty.org, there is no checking. That is normal for the
way the internet and domain names work. If Rick's company is big enough
that these things matter to them, then it is up to them to register lots
of domain names that people might use to access the site. If it is
/really/ big, then it will sue people who have tried to register related
names in order to con people or confuse them.

If I have a domain name hosted at a provider, that provider will sell me
an SSL certificate for that domain name. The provider will /not/ sell
me a certificate for a domain name that they don't know I own.

Any provider that does not do such basic checking - matching the
customer name and email addresses they have on register to the domain
name they handle, or checking that the domain name is hosted by that
provider, will quickly get abused by someone trying to buy an SSL
certificate for "www.bigbank.com". And this will quickly lead to the
provider's own certificates being revoked, thus invalidating every
certificate they have issued, and putting them out of business. That's
how the "chain of trust" works.

So, again - if you own a domain name, you can easily get an SSL
certificate for that domain (free from Let's Encrypt and a couple of
other sources, paid-for from many places). If you do not own the domain
in question, you cannot easily get an SSL certificate for it. (You can
make a self-signed one, but anyone who meets the certificate will get
big warnings from their browser.) The system is not foolproof, and
mistakes happen through incompetence, accident, and hacking. But on the
whole it works pretty well.


Some you can even pay anonymously via Paypal or Bitcoin.

A normal (i.e., not an extended) SSL certificate only confirms that you
are accessing the site you think you are.  It confirms that when you
point your browser at "www.coldwatersafety.org", the communication is
encrypted and the end point is the address pointed at by the DNS
resolution for that address (or something forwarded internally after
that).  You know it is not someone using a man-in-the-middle attack with
a proxy that is hijacking the traffic.

Let's Encrypt does that job fine.

Oh yes. But the way the general public have been told is that only
legitimate retailers will have the green padlock. This is not true and
never has been the case. Legitimate retailers *will* have a secure
website but then so will any reasonably sophisticated scammer.

A sophisticated scammer can easily get a green padlock for a domain name
that looks like the one they are scamming - but not for the real name.
So users need to check that the address is "www.bigbank.com" and not
"www.biggbank.com". The point of SSL certificates is not to stop that
kind of scamming (since it's basically impossible), but to ensure the
scammer can't put their own site intercepting "www.bigbank.com" without
the user noticing the lack of a green padlock. (Browsers complain
loudly when the certificate is not valid and signed.)

SSL certificates do not magically make the internet a safe place. But
they do solve one part of the problem, reasonably simply and efficiently.

One thing that search engines should be forced to do is where there is a
hit in the .gov hierarchy no paid for scam adverts on the same keywords
should be allowed to sit above it in the search results.

So if there is a government site (whose government, by the way? .gov is
primarily used by the US government, not other countries) that deals
with cars, that should take precedence over all other websites if you
have a search involving the word "car"? There will surely be dozens of
such government-related sites that trigger on "car", even if you only
count a single country. Yet you want them all to fill the search
results page for "where can I buy a new car?" ?

I appreciate what you are trying to suggest here, but I don't think
there is a simple or practical solution.

That would stop the fake HMRC, visa waiver sites etc. in their tracks.
Too many people get ripped off by these sites selling access to free
government websites (or worse taking the money and doing nothing).

I agree this is a bad thing. I don't think it can be stopped by search
engines like this - at least not as a general rule. (Perhaps specific
rules could be used for specific cases.)
 
On 02/12/2020 15:00, David Brown wrote:
On 02/12/2020 15:12, Martin Brown wrote:

SSL certificates do not magically make the internet a safe place. But
they do solve one part of the problem, reasonably simply and efficiently.

They ensure that no-one can interpret the data exchanged between a
browser and an encrypted platform (GCHQ/NSA possibly excluded).

One thing that search engines should be forced to do is where there is a
hit in the .gov hierarchy no paid for scam adverts on the same keywords
should be allowed to sit above it in the search results.


So if there is a government site (whose government, by the way? .gov is
primarily used by the US government, not other countries) that deals
with cars, that should take precedence over all other websites if you
have a search involving the word "car"? There will surely be dozens of
such government-related sites that trigger on "car", even if you only
count a single country. Yet you want them all to fill the search
results page for "where can I buy a new car?" ?

I appreciate what you are trying to suggest here, but I don't think
there is a simple or practical solution.

That would stop the fake HMRC, visa waiver sites etc. in their tracks.
Too many people get ripped off by these sites selling access to free
government websites (or worse taking the money and doing nothing).

I agree this is a bad thing. I don't think it can be stopped by search
engines like this - at least not as a general rule. (Perhaps specific
rules could be used for specific cases.)

They could do a lot more to prevent this sort of thing:

<https://www.bing.com/search?q=companies+house+filing+accounts&src=IE-TopResult&FORM=IETR02&conversationid=&pc=EUPP_>

I could do the same sort of search for ESTA Visa Waiver and get the same:

<https://www.google.com/search?client=opera&q=US+visa+waiver&sourceid=opera&ie=UTF-8&oe=UTF-8>

OK it does say "Ad" in small letters but a scammer site is at #1.
First that most people know that they have been had is when they are
denied boarding on a flight to the USA. I don't know offhand if the
current top advert is one that merely overcharges or takes the money and
runs. The latter do get taken down *eventually* but it must be
profitable or they wouldn't do it.

--
Regards,
Martin Brown
 
On 02/12/2020 20:22, Martin Brown wrote:
On 02/12/2020 15:00, David Brown wrote:
On 02/12/2020 15:12, Martin Brown wrote:

SSL certificates do not magically make the internet a safe place.  But
they do solve one part of the problem, reasonably simply and efficiently.

They ensure that no-one can interpret the data exchanged between a
browser and an encrypted platform (GCHQ/NSA possibly excluded).

They tell you that the end-point of the encrypted transfer is controlled
by the same computer or people that control the domain name. Assuming
that neither your computer nor the server has been compromised in some
other way, the data exchanged cannot be read, changed or replaced, and
it is going to the right place. (That's stronger than merely saying
it can't be viewed.)

But of course it doesn't tell you that the address you think you are
using is the correct one, or that the target server hasn't been taken
over by hackers, or that there is no security bug in your browser, or
that the certificate signing keys have not been stolen. As an internet
user, you need to apply the level of paranoia you think appropriate.

One thing that search engines should be forced to do is where there is a
hit in the .gov hierarchy no paid for scam adverts on the same keywords
should be allowed to sit above it in the search results.

I agree this is a bad thing.  I don't think it can be stopped by search
engines like this - at least not as a general rule.  (Perhaps specific
rules could be used for specific cases.)

They could do a lot more to prevent this sort of thing:

I fully agree that search engines could be better in all sorts of ways.
And I agree that it should be practical to do better in some ways at
least, though I don't think there is any simple and general solution.
And I don't agree that this has anything to do with SSL or certificates.
(Topic drift is, as we know, the norm for this group. But you might
want to separate it a little and give this a new subject line.)
 
Rick C wrote:

Anyone know about SSL certificates for a web site? I'm trying to help a
friend who had a web site for his non-profit and I don't quite understand
the details. The web hosting provides a certificate which I copied to
Cpanel and it says it is installed, but opening the web page still reports
a problem with security.

At this point I'm guessing this has to do with the fact that the
certificate is not issued by an authority, but rather self signed. I
found a site that gives out 90 day free certificates and installed one.
Just typing the web site URL doesn't show a safe site, but typing https:
manually does, however the web site doesn't work correctly. The initial
page has some sort of fancy dancy animated text that doesn't work and you
can't get past that.

I've reached the limits of what I can figure out. Any web page gurus out
there who can offer some advice?

The web page is coldwatersafety.org

OK, you need to create a public and a private key. Then, the keys are
placed somewhere where the web server can access it. Then, the web server
needs to be given the file paths to these files. Yes, I think most browsers
now require an authoritatively signed SSL certificate.

First thing to do is use one of the online SSL checkers. Just Google for
"check SSL " and a bunch come up. Click on one and enter the URL and see
what it says. Yes, I see it shows as NOT vendor signed. The web page does
seem to work on my Firefox system without complaint.

Then, if you want to set up an official signed SSL cert, you will have to
choose one of the bigger signing outfits like GoDaddy and pay them an
exorbitant fee for a totally automated online service that takes their
computer a millisecond to process, every 2 years or so. Yes, it is a scam.

Jon
 
On Mon, 30 Nov 2020 18:15:47 -0800 (PST), Rick C
<gnuarm.deletethisbit@gmail.com> wrote:

>The web page is coldwatersafety.org

<https://www.coldwatersafety.org/nccwsRules3.html>
It works if I force encryption with https://
Your home page (and entire site) should translate http:// -> https://

However, that's not enough because you have parts of the site going
out to insecure web sites. When I click on the "lock" icon in
Firefox, it proclaims that:
Connection Secure
Verified by ZeroSSL
Firefox has blocked parts of this page that are not secure

So basically, what you need to do is check the box on whatever
management interface the web site is using and tell it to translate
*ALL* http:// requests to https:// and I think you'll be ok.

SSL check:
<https://www.ssllabs.com/ssltest/analyze.html?d=coldwatersafety.org>
(The test takes about 7 minutes. Patience).
IPv4 and IPv6 both show that SSL is working "grade A".

Also, check TLS with one of these:
<https://geekflare.com/ssl-test-certificate/>
such as:
<https://www.digicert.com/help/>
which says you're ok. Make sure TLS 1.0 is *NOT* enabled.

Good luck.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
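
The post above reports that Firefox blocked parts of the page that are not secure, meaning an https:// page that pulls in resources over http://. As an added example (not part of any post in this thread), the Python sketch below lists such references in a page's HTML so they can be changed to https://; the sample markup and the example.org / example.net names are constructed, not taken from the real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "Active" content can change the whole page, so browsers refuse to load it
# over http:// from an https:// page. "Passive" content (images, media) has
# historically been loaded anyway, with a degraded padlock.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}

# Constructed sample markup for the demonstration.
SAMPLE_HTML = """<!-- constructed sample, not the real site's markup -->
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.org/">
<script src="http://cdn.example.net/animate.js"></script>
<script src="//cdn.example.net/ok.js"></script>
</head><body>
<img src="http://www.example.org/images/logo.png">
<img src="images/photo.jpg">
<a href="http://www.example.org/old.html">old page</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL), in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Only stylesheet links are fetched and applied; rel=canonical and
        # similar are metadata, and <a href> is navigation, not a subresource.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t == tag and a.get(attr):
                    # Resolve relative and scheme-relative (//host/...) URLs
                    # against the page, as the browser would.
                    url = urljoin(self.page_url, a[attr])
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return the http:// subresources referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url in scan("https://www.example.org/", SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and scheme-relative references inherit https:// from the page and are not reported; only absolute http:// URLs need editing.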
 
On Monday, November 30, 2020 at 9:49:38 PM UTC-5, Jon Elson wrote:
Rick C wrote:

Anyone know about SSL certificates for a web site? I'm trying to help a
friend who had a web site for his non-profit and I don't quite understand
the details. The web hosting provides a certificate which I copied to
Cpanel and it says it is installed, but opening the web page still reports
a problem with security.

At this point I'm guessing this has to do with the fact that the
certificate is not issued by an authority, but rather self signed. I
found a site that gives out 90 day free certificates and installed one.
Just typing the web site URL doesn't show a safe site, but typing https:
manually does, however the web site doesn't work correctly. The initial
page has some sort of fancy dancy animated text that doesn't work and you
can't get past that.

I've reached the limits of what I can figure out. Any web page gurus out
there who can offer some advice?

The web page is coldwatersafety.org

OK, you need to create a public and a private key. Then, the keys are
placed somewhere where the web server can access it. Then, the web server
needs to be given the file paths to these files. Yes, I think most browsers
now require an authoritatively signed SSL certificate.

First thing to do is use one of the online SSL checkers. Just Google for
"check SSL " and a bunch come up. Click on one and enter the URL and see
what it says. Yes, I see it shows as NOT vendor signed. The web page does
seem to work on my Firefox system without complaint.

Then, if you want to set up an official signed SSL cert, you will have to
choose one of the bigger signing outfits like GoDaddy and pay them an
exorbitant fee for a totally automated online service that takes their
computer a millisecond to process, every 2 years or so. Yes, it is a scam.

Thanks. Yeah, when I do that it shows as all good, three different sites. Is there some delay in spreading the certificates like when you change name servers? Anyway, the other problem remains where entering a simple coldwatersafety.org gives the non-secure access and so browser complaints. Typing the https: at the beginning of the url doesn't give the complaints, but the page doesn't function completely.

--

Rick C.

+ Get 1,000 miles of free Supercharging
+ Tesla referral code - https://ts.la/richard11209
 
