Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 

gzt

9259 posts

Uber Geek
+1 received by user: 1318


  Reply # 1393802 24-Sep-2015 19:43
Send private message

nzerin: ok thanks guys, I will look into all these options. cry

If you want to post some specific information about your hosting/platform/software/version/configuration - you may get some very good advice here related to those components.

13448 posts

Uber Geek
+1 received by user: 2274

Trusted
Subscriber

  Reply # 1393840 24-Sep-2015 20:30
Send private message

MadEngineer: https://www.startssl.com

Any good?


SSL certificates are all roughly the same when it comes to encryption. The higher level ones validate that you are who you say you are, the cheaper ones give no such assurances.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


 
 
 
 


8020 posts

Uber Geek
+1 received by user: 386

Trusted
Subscriber

  Reply # 1394903 26-Sep-2015 16:15
Send private message

MadEngineer: https://www.startssl.com

Any good?


Pros: Free class 1 ssl certificates, you pay to verify your identity for higher class certs instead of paying per cert like other providers.

Cons: Horribly designed annoying website, based in Israel so things that require manual approval/verification at their end can take a day or more due to time difference.

BDFL - Memuneh
59392 posts

Uber Geek
+1 received by user: 10605

Administrator
Trusted
Geekzone
Lifetime subscriber

885 posts

Ultimate Geek
+1 received by user: 265

Trusted

  Reply # 1394989 26-Sep-2015 18:30
Send private message

If you are using cloudflare as your CDN you can use the cloudflare account. They have a product called Universal SSL.  





BDFL - Memuneh
59392 posts

Uber Geek
+1 received by user: 10605

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1394990 26-Sep-2015 18:31
Send private message

But still good to have your own in case you need to disable Cloudflare or as a fallback.




13448 posts

Uber Geek
+1 received by user: 2274

Trusted
Subscriber

  Reply # 1394991 26-Sep-2015 18:31
Send private message

darylblake: If you are using cloudflare as your CDN you can use the cloudflare account. They have a product called Universal SSL.  


That typically only encrypts from browser to CloudFlare, not to the server. It can be configured to connect to the server using an encrypted connection, but that is less common and more hassle. It's not secure end to end.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


mme

144 posts

Master Geek
+1 received by user: 1


  Reply # 1395044 26-Sep-2015 20:35
Send private message

Just use a self signed CERT and use Cloudflare to serve the front end. Especially if PayPal handles the payment stuff

6924 posts

Uber Geek
+1 received by user: 3210

Moderator
Trusted
Lifetime subscriber

  Reply # 1395075 26-Sep-2015 22:34
Send private message

I just self-sign my certificates, enable SPDY support then use Cloudflare to serve up an actual certificate on my sites (see https://management.interwebz.co.nz as an example). For my own hosted stuff not behind Cloudflare I use StartSSL's free certificate which works really well however don't lose the private key for your certificate else you'll find you're forking out some coin for a certificate reset.




Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router GuideCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial




17 posts

Geek
+1 received by user: 7


  Reply # 1395301 27-Sep-2015 19:08
Send private message

Wow thanks everyone, I will get onto the SSL cert and look into the Cloudflare service. cheers

13448 posts

Uber Geek
+1 received by user: 2274

Trusted
Subscriber

  Reply # 1395316 27-Sep-2015 19:46
One person supports this post
Send private message

Don't get an SSL cert before you work out your whole game plan. Self signing is possible, if you do CloudFlare, but not with shared hosting, yes if you use a VPS.

Encryption in transit is still an illusion of security. Intercepting and decrypting traffic is pretty rarely a way to compromise a website. Breaking in via known vulnerabilities is far more likely, and easier.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


178 posts

Master Geek
+1 received by user: 63


  Reply # 1399925 5-Oct-2015 01:33
Send private message

Just to throw another angle:
At work we have a checkpoint firewall.

The other day I was doing some internet banking at work (yes it happens)... I took a look at the cert, and to my surprise the cert was not issued by my bank, but rather from our internal PKI.... Not cool.
So, it seems the checkpoint is doing the encryption between itself and the bank, then decrypting, inspecting the traffic, then re-encrypting between itself and my PC.
Wasn't getting a cert error or any indication this was happening because the PC I was using trusts our internal PKI.

Needless to say, not banking at work anymore...... So, the point is just because you see the padlock looking all happy.... If it's not your network you are on, still check the cert.

2316 posts

Uber Geek
+1 received by user: 665

Trusted
Subscriber

  Reply # 1400322 5-Oct-2015 14:39
Send private message

UncleArthur: Just to throw another angle:
At work we have a checkpoint firewall.

The other day I was doing some internet banking at work (yes it happens)... I took a look at the cert, and to my surprise the cert was not issued by my bank, but rather from our internal PKI.... Not cool.
So, it seems the checkpoint is doing the encryption between itself and the bank, then decrypting, inspecting the traffic, then re-encrypting between itself and my PC.
Wasn't getting a cert error or any indication this was happening because the PC I was using trusts our internal PKI.

Needless to say, not banking at work anymore...... So, the point is just because you see the padlock looking all happy.... If it's not your network you are on, still check the cert.

Well spotted.

Unfortunately this is going to get more and more common and trickle down to SMBs.  Google pushing for SSL on all web traffic means more web traffic is encrypted, and this will include web-borne malware.  To provide comprehensive protection, firewall vendors are having to inject themselves into the path of SSL connections to protect against this.  That was just the 'big guys', but I am seeing more SMB firewalls doing this.




"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

1480 posts

Uber Geek
+1 received by user: 360


  Reply # 1400571 5-Oct-2015 21:06
Send private message

Indeed - and how to employ a transparent proxy without doing the above.

206 posts

Master Geek
+1 received by user: 35


  Reply # 1402897 9-Oct-2015 10:20
Send private message

UncleArthur: The other day I was doing some internet banking at work (yes it happens)... I took a look at the cert, and to my surprise the cert was not issued by my bank, but rather from our internal PKI.... Not cool.
So, it seems the checkpoint is doing the encryption between itself and the bank, then decrypting, inspecting the traffic, then re-encrypting between itself and my PC.


That is quite bad form by your work. CheckPoint themselves go to great lengths to say that when you are doing HTTPS inspection on your firewalls that you NEED to set exceptions for certain traffic - i.e. financial and health. Your work is opening themselves up to issues if they don't follow these guidelines, as they, in theory, are privvy to personal details if they don't do this. And yes, in hacking terms this is referred to as a man in the middle.

I believe that HTTPS interception is currently the only way to be able to look inside encrypted traffic. And with an average of around 40% (rough memory recall) and growing of traffic in organistions being encrypted there is a real requirement to do this. But with the above caveats.

EDIT: words

1 | 2 
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

$3.74 million for new electric vehicles in New Zealand
Posted 17-Jan-2018 11:27


Nova 2i: Value, not excitement from Huawei
Posted 17-Jan-2018 09:02


Less news in Facebook News Feed revamp
Posted 15-Jan-2018 13:15


Australian Government contract awarded to Datacom Connect
Posted 11-Jan-2018 08:37


Why New Zealand needs a chief technology officer
Posted 6-Jan-2018 13:59


Amazon release Silk Browser and Firefox for Fire TV
Posted 21-Dec-2017 13:42


New Chief Technology Officer role created
Posted 19-Dec-2017 22:18


All I want for Christmas is a new EV
Posted 19-Dec-2017 19:54


How clever is this: AI will create 2.3 million jobs by 2020
Posted 19-Dec-2017 19:52


NOW to deploy SD-WAN to regional councils
Posted 19-Dec-2017 19:46


Mobile market competition issues ComCom should watch
Posted 18-Dec-2017 10:52


New Zealand government to create digital advisory group
Posted 16-Dec-2017 08:47


Australia datum changes means whole country moving 1.8 metres north-east
Posted 16-Dec-2017 08:39


UAV Traffic Management Trial launching today in New Zealand
Posted 12-Dec-2017 16:06


UFB connections pass 460,000
Posted 11-Dec-2017 11:26



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.