Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3
Webhead
2252 posts

Uber Geek
+1 received by user: 777

Moderator
Trusted
Lifetime subscriber

  # 1663277 3-Nov-2016 12:30
2 people support this post
Send private message

Letsencrypt is brilliant. Its free, and its available with auto renew on all the hosting platforms I use for my customers and its being used to secure admin logins and more and more to have the sites be full SSL.

 

A lot of sites will be moving to SSL when Google Chrome make their warning of non-encrypted websites more visible. (Chrome already shows a ! on sites without SSL, and will begin to show a notice after the ! in not too long).

 

Besides, SSL actually gives a little SEO boost already on Google, and allows for using HTTP/2 which really can speed up a website.





Mr Snotty
8732 posts

Uber Geek
+1 received by user: 4642

Moderator
Trusted
Lifetime subscriber

  # 1663306 3-Nov-2016 13:22
Send private message

I don't have anything running over HTTP - it is HTTPS with either Letsencrypt or Cloudflare SSL. I just have a cron job to run the renewal scripts.





 
 
 
 


14967 posts

Uber Geek
+1 received by user: 2046


  # 1663322 3-Nov-2016 13:52
Send private message

jarledb:

 

Letsencrypt is brilliant. Its free, and its available with auto renew on all the hosting platforms I use for my customers and its being used to secure admin logins and more and more to have the sites be full SSL.

 

A lot of sites will be moving to SSL when Google Chrome make their warning of non-encrypted websites more visible. (Chrome already shows a ! on sites without SSL, and will begin to show a notice after the ! in not too long).

 

Besides, SSL actually gives a little SEO boost already on Google, and allows for using HTTP/2 which really can speed up a website.

 

 

 

 

I can't see it making any difference, and potentially such a warning is misleading, as it gives the impression that simply visiting the site could be a risk to the visitor. Most sites however don't need an SSL certificate, and sitewide HTTPS isn't used much, even big retailers like the warehouse don't use it. It can also give the false imporession a website secure, whe it isn't, for eaxmple an old wordpress website with security holes is still going to be a security risk, with or without HTTPS. So it could give people false information regarding the sites security. You really only need it for things such as shopping carts when someone is logging in. Although I know quite a few shopping carts that don't even have it for that which isn't good.

 

 

 

I don't believe there is any proof that there is any SEO benefit with having a SSL. I recall reading something recently where they tested it, and found there was no proof of any SEO benefit.

 

http://www.seoblog.com/2014/10/website-owners-overestimating-https-seo-benefits/ 


'That VDSL Cat'
10507 posts

Uber Geek
+1 received by user: 2527

Trusted
Spark
Subscriber

  # 1663324 3-Nov-2016 13:56
Send private message

Personally i go for PositiveSSL certs for anything that is not absolutely crucial but requires SSL.

 

even go as far as to having one for the router.. Probably a little excessive but least its not self-signed! 

 

 

 

Lets encrypt is a cool system, but can be a fair bit of work in some cases unfortunately.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


Webhead
2252 posts

Uber Geek
+1 received by user: 777

Moderator
Trusted
Lifetime subscriber

  # 1663336 3-Nov-2016 14:38
2 people support this post
Send private message

mattwnz:

 

I can't see it making any difference, and potentially such a warning is misleading, as i gives the impression that simply visiting the site could be a risk to the visitor.

 

Most sites however don't need an SSL certificate, and sitewide HTTPS isn't used much

 

 

Using SSL when the web is moving that way is going to become quite necessary. If nothing else, to be able to get referer information from https sites linking to yours.

 

Browsers will not send a referrer when linking from HTTPS to HTTP

 

 

even big retailers like the warehouse don't use it.

 

 

Don't make the mistake of looking at how people do something wrong to justify not doing it. Any ecommerce site should be using SSL for their full site, both for security but also as a part of the signal to the customer to trust the site.

 

 

It can also give the false imporession a website secure, whe it isn't, for eaxmple an old wordpress website with security holes is still going to be a security risk, with or without HTTPS.

 

 

That is true, but Google and others are actually dealing with malware infested sites by warning the users before they hit infested pages. That will not stop working with a site using SSL.

 

 

So it could give people false information regarding the sites security.

 

 

Also true, but that should be handled by other mechanisms in any case.

 

 

You really only need it for things such as shopping carts when someone is logging in. Although I know quite a few shopping carts that don't even have it for that which isn't good.

 

 

Thats not true. Using SSL actually secures a site from man in the middle attacks. So all sites should be using it. If I wanted to infect business people at large scale, I could easily set up fake Wi-fi hotspots at airports and insert zero day exploits on pages such as Stuff, NZherald etc. 

 

I could also do the same with Trademe, and make sure that people paid me instead of Trademe when "winning a bid", that I also could manipulate quite easily.

 

If those sites were running SSL that would be impossible.

 

 

I don't believe there is any proof that there is any SEO benefit with having a SSL. I recall reading something recently where they tested it, and found there was no proof of any SEO benefit.

 

http://www.seoblog.com/2014/10/website-owners-overestimating-https-seo-benefits/ 

 

 

Thats funny. The article you link to raises a few problems which are implementation problems when going from HTTP to HTTPS, but it also has these portions:

 

  • Google took a stance.  A secure site is better than an equivalent site without security.  A site using HTTPS would gain a small benefit to their search ranking.  In other words, site security was officially a search ranking factor.
  • Google telling webmasters that SSL is a valid ranking factor is a drive to push webmasters into implementing site-wide HTTPS connections, even if the benefit they would receive is nearly negligible.

BTW: Google has removed the SEO-penalty for 301 redirects. Probably because of their push to get the web over to SSL. So as long as your change from HTTP to HTTPS is implemented correctly, you won't get any SEO penalties for redirecting (with a 301) from the HTTP to the HTTPS version.





643 posts

Ultimate Geek
+1 received by user: 227


  # 1663388 3-Nov-2016 16:59
One person supports this post
Send private message

I use https://www.ssls.com - reasonable price and no issues.





Amanon

2948 posts

Uber Geek
+1 received by user: 407


  # 1663491 3-Nov-2016 21:42
Send private message

I use LetsEncrypt as well. The setup is painless and it auto renews so no big deal. Does the job and a fine one at that.

 
 
 
 


Amanzi
922 posts

Ultimate Geek
+1 received by user: 110

Trusted
Subscriber

  # 1663583 4-Nov-2016 10:00
Send private message

Two free options you for you to consider for securing websites:

 

1 - as others have mentioned, Let's Encrypt is a great solution if you have full control over your web server. The short lifetime of the certs isn't an issue because part of the setup procedure is creating a cron job that renews the certs for you in the background. This works really well and is free.

 

2 - you can also use CloudFlare to secure your site without even touching the configuration on the website, and this is available on the free plan. CloudFlare presents a SSL cert so that traffic is secured between visitors and the CloudFlare servers. Then you have two options for the traffic between CloudFlare and your webserver: you can leave the traffic unencrypted, or, you can install a self-signed cert and configure your website to use HTTPS so the full traffic flow is encrypted. (visitors won't see any cert warnings, even if using a self-signed cert)

 

 


14895 posts

Uber Geek
+1 received by user: 2795

Trusted
Subscriber

  # 1663641 4-Nov-2016 11:40
Send private message

I actually use both Let's Encrypt and CloudFlare. Having Let's Encrypt means CloudFlare can connect to my web server over https, so it has end to end security.

 

If you use CloudFlare you should set up your firewall to prevent direct connections, other than say your own PC so you can SSH in. That's really easy to do on AWS, security group = firewall.


Webhead
2252 posts

Uber Geek
+1 received by user: 777

Moderator
Trusted
Lifetime subscriber

  # 1663690 4-Nov-2016 12:00
Send private message

timmmay:

 

I actually use both Let's Encrypt and CloudFlare. Having Let's Encrypt means CloudFlare can connect to my web server over https, so it has end to end security.

 

If you use CloudFlare you should set up your firewall to prevent direct connections, other than say your own PC so you can SSH in. That's really easy to do on AWS, security group = firewall.

 

 

For regular webhosting you can use a .htaccess rule and deny all ip-addresses except for CloudFlares to make sure its not possible to access the site by going directly to your ip-address.





1276 posts

Uber Geek
+1 received by user: 171


  # 1664195 5-Nov-2016 13:01
One person supports this post
Send private message

FWIW, my wildcard is a Comodo cert, purchased through namecheap.com

 

I have a couple of letsencrypt certs on some sites but most of my things I can push through the wildcard.

 

I fully expect to see that SSL becomes the norm rather than the exception in the reasonably near future, now that SNI is well supported.





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


Mr Snotty
8732 posts

Uber Geek
+1 received by user: 4642

Moderator
Trusted
Lifetime subscriber

  # 1664222 5-Nov-2016 13:29
Send private message

jarledb:

 

timmmay:

 

I actually use both Let's Encrypt and CloudFlare. Having Let's Encrypt means CloudFlare can connect to my web server over https, so it has end to end security.

 

If you use CloudFlare you should set up your firewall to prevent direct connections, other than say your own PC so you can SSH in. That's really easy to do on AWS, security group = firewall.

 

 

For regular webhosting you can use a .htaccess rule and deny all ip-addresses except for CloudFlares to make sure its not possible to access the site by going directly to your ip-address.

 

 

I've written a blog article on doing this via firewall rules Here (a little better than doing it via .htaccess since your server is literally invisible to the internet). Furthermore with Cloudflare there is an option to generate an Origin Certificate which you can use on your Web Server for strict SSL communication to Cloudflare. That is what I personally use anyway.





436 posts

Ultimate Geek
+1 received by user: 145
Inactive user


  # 1665060 7-Nov-2016 14:53
Send private message

jarledb:

 

Thats not true. Using SSL actually secures a site from man in the middle attacks. So all sites should be using it. If I wanted to infect business people at large scale, I could easily set up fake Wi-fi hotspots at airports and insert zero day exploits on pages such as Stuff, NZherald etc. 

 

I could also do the same with Trademe, and make sure that people paid me instead of Trademe when "winning a bid", that I also could manipulate quite easily.

 

If those sites were running SSL that would be impossible.

 

 

 

 

That is not true. MITM will either throw a warning (and given how users blindly click on stuff like spam getting them to go past an SSL warning is not that hard), or if you install a resigning cert on the end client it will do nothing at all. I run SSL inspection on plenty of boxes, and even on my guest Wifi network at home (it has a link to install the cert, which people do without question).

 

I don't disagree with the need for SSL. But if you think it stops MITM you've got a nasty surprise coming ;)


Webhead
2252 posts

Uber Geek
+1 received by user: 777

Moderator
Trusted
Lifetime subscriber

  # 1665068 7-Nov-2016 15:04
Send private message

vulcannz:

 

 

 

That is not true. MITM will either throw a warning (and given how users blindly click on stuff like spam getting them to go past an SSL warning is not that hard), or if you install a resigning cert on the end client it will do nothing at all.

 

 

There's no cure for people being stupid. Google have however worked on making the security notice more effective.

 

As to getting a cert onto the end client. If a hacker has access to the end point, then SSL warnings is the least of your problems.

 

 







298 posts

Ultimate Geek
+1 received by user: 44

Lifetime subscriber

  # 1721006 16-Feb-2017 08:45
Send private message

Thank you to everyone who contributed. I have been running on Letsencrypt for a last few months, and it's been a joy.

 

Very nice and polished solution, and also free. I hope it will stick around.


1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Huawei's scholarship programme showcases international business to Kiwi undergrads
Posted 22-Jul-2019 17:53


Spark Sport launches across a range of new devices
Posted 22-Jul-2019 13:19


Dunedin selects Telensa to deliver smart street lighting for 15,000 LEDs
Posted 18-Jul-2019 10:21


Sprint announces a connected wallet card with built-in IoT support
Posted 18-Jul-2019 08:36


Educational tool developed at Otago makes international launch
Posted 17-Jul-2019 21:57


Symantec introduces cloud access security solution
Posted 17-Jul-2019 21:48


New Zealand government unveils new digital service to make business easier
Posted 16-Jul-2019 17:35


Scientists unveil image of quantum entanglement
Posted 13-Jul-2019 06:00


Hackers to be challenged at University of Waikato
Posted 12-Jul-2019 21:34


OPPO Reno Z now available in New Zealand
Posted 12-Jul-2019 21:28


Sony introduces WF-1000XM3 wireless headphones with noise cancellation
Posted 8-Jul-2019 16:56


Xero announces new smarter tools, push into the North American market
Posted 19-Jun-2019 17:20


New report by Unisys shows New Zealanders want action by social platform companies and police to monitor social media sites
Posted 19-Jun-2019 17:09


ASB adds Google Pay option to contactless payments
Posted 19-Jun-2019 17:05


New Zealand PC Market declines on the back of high channel inventory, IDC reports
Posted 18-Jun-2019 17:35



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.