SSL Certificate Error

Discussion in 'NEW SERVER BUGS' started by UNDADC, Feb 23, 2022.

  1. UNDADC

    UNDADC New Member

    Dec 21, 2021
    Lighthouse Point, FL
    2019 Sea Ray Sundancer 350 Coupe
    Twin MerCruiser® 6.2L MPI ECT* Bravo® III w/DTS Sterndrives
    The site requires an SSL certificate. This will result in most browsers reporting that this forum is not secure. This is a very easy thing to set up. It is also free to get a website certificate. This not-for-profit will provide an https certificate for free. This is a trusted organization. If you need assistance I will gladly help. My company does this routinely.

    Let's Encrypt (letsencrypt.org)

    Motor on!
     
  2. Phil S

    Phil S Well-Known Member

    Oct 16, 2020
    Taxachusetts
    2004 300DA
    5.0 Merc MPI
    Bravo III

    2022 KL Tender
    6hp Mercury OB
    The site requires an ssl certificate.

    You lost me there. Sure it would be nice if there was, but it's certainly not required. If anything, I would put a lot of the site content behind the login. People post a ton of personal info on here that could be data mined by someone who doesn't even have an account.

    If you're posting something on a public forum, do you really need it transmitted securely? It would likely be only your credentials passed insecurely. I leave the site up in a window so I haven't entered that info for a while :D
     
    Last edited: Feb 23, 2022
  3. KevinC

    KevinC Well-Known Member

    Feb 25, 2011
    Long Island, NY
    2004 340 Sundancer
    Twin 8.1 V-drives
    What he is saying is that many times browsers are nagging you about going to "non secure" sites or downloading "non secure" data. Most of which is a joke because, as he mentioned, I can add a free LetsEncrypt certificate to a website with one click and be done in under 10 seconds. It does encrypt the communication between server and the browser but provides no identity info or assurance that you are dealing with the correct party.

    Also Google likes to see the SSL for some reason now too. So all the client sites we host on my company's hosting platform will have this provisioned by default and auto-renew. It's not a bad thing, just a little more security in the data transmission.

    I should also note on the opposite side that https (SSL) also creates a false security for some end users - just because communications are encrypted does not mean it is safe - same goes for some public VPN services.

    -Kevin
     
    UNDADC, Nater Potater and Strecker25 like this.
  4. mrsrobinson

    mrsrobinson Well-Known Member SILVER Sponsor

    Mar 9, 2006
    Virginia, USA
    2001 Sea Ray 380DA
    3126 purring CATs
    Agreed, encryption only encrypts data in flight/transport.
     
  5. unsalted

    unsalted Active Member

    Jan 21, 2022
    Grand Haven, MI
    2001 Sundancer 310
    Twin MX 6.2L MPI w/Bravo III Drives
    The use of "http" instead of "https" is deprecated and will increasingly be rejected by browsers. The letsencrypt certificate validates that the person creating the certificate has control over the DNS namespace. The DNS namespace is managed by the Internet registrar and you are required to have valid contact info (although you can use an intermediary to keep yourself anonymous). You cannot just feed letsencrypt info and have it generate a cert.
     
    UNDADC likes this.
  6. KevinC

    KevinC Well-Known Member

    Feb 25, 2011
    Long Island, NY
    2004 340 Sundancer
    Twin 8.1 V-drives
    It only checks against DNS and it does not validate any other identity - hence the "green-bar-certs". As long as I can control the DNS for a domain I registered I can get a letsencrypt cert in seconds. I can then publish anything that I want to the website and purport to be someone that I am not.

    Case in point: I could register a domain for a fake site like "amazon-new-deals.com" (this is not a legit site as I write this!!!) - then get an SSL and publish a site that looks like "Amazon". This can be used deceptively and disappear before anyone can do anything about it. I am not saying this is legal or moral - however people have been "programmed" to trust an https site, giving them a false sense of security.

    -Kevin
     
    Nater Potater likes this.
  7. unsalted

    unsalted Active Member

    Jan 21, 2022
    Grand Haven, MI
    2001 Sundancer 310
    Twin MX 6.2L MPI w/Bravo III Drives
    Well, you could use openssl to generate your own self-signed cert for any value you wish. The browser will reject this because it doesn't trust you as a certificate authority. You are arguing about the level of validation performed. A letsencrypt cert comes from a certificate authority that is trusted by most/all browser creators. They have undergone scrutiny that ensures that certificates they generate can be trusted. A self-signed cert can be created for amazon.com, but would be untrusted. You can't do this with let's encrypt. The higher validation certs mean that the certificate authority is providing a level of rigor beyond what the base trusted certs are. I'm not aware of anything that "requires" a high validation; it's something you can do to further assure your consumers. If I wanted to pay the money I could get a so-called green bar cert for the name "amazon-new-deals.com" assuming I can show I'm a legitimate business and amazon doesn't sue me.
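An added example (not from the thread) of the point unsalted makes above: openssl will mint a self-signed certificate for any name, but a verifier only accepts it when the issuer is in its trust store. It assumes the openssl CLI is installed; the names used are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a self-signed certificate can claim any
# name, but verification only succeeds when the issuer is in the trust store.
# Requires the openssl CLI; all names below are constructed for the demo.
set -e
WORK=$(mktemp -d)

# Mint a self-signed certificate for $1 (anyone can do this for any name).
# Prints the path of the certificate file.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
  echo "$WORK/$1.crt"
}

# Check certificate $1 against the trust store in $2, as a browser would.
# Prints "trusted" or "untrusted" rather than exiting, so set -e is not tripped.
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

FAKE=$(make_self_signed amazon.com)          # claims amazon.com, vouched for by nobody
ROOT=$(make_self_signed demo-root-ca.test)   # stands in for a CA the browser trusts
echo "fake cert vs browser trust store: $(verify_against "$FAKE" "$ROOT")"  # untrusted
echo "fake cert vs its own key:         $(verify_against "$FAKE" "$FAKE")"  # trusted
```

The second line passes only because the fake cert was added to the store by hand, which is exactly what a browser will never do for a certificate Let's Encrypt or another trusted CA did not sign.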
     
  8. KevinC

    KevinC Well-Known Member

    Feb 25, 2011
    Long Island, NY
    2004 340 Sundancer
    Twin 8.1 V-drives
    All I have been trying to say is just having an https page does not assure anyone of who they are dealing with (unless EV) and to use common sense.

    -Kevin
     
    Nater Potater likes this.
  9. UNDADC

    UNDADC New Member

    Dec 21, 2021
    Lighthouse Point, FL
    2019 Sea Ray Sundancer 350 Coupe
    Twin MerCruiser® 6.2L MPI ECT* Bravo® III w/DTS Sterndrives
    Lots of good points. The most basic driver of https vs. http is that browsers like Chrome are moving to only https and, to get everyone to hurry up and update, they are making it more of a hassle for the people that want to see a website that is only http. They do this by trying to scare those visitors away with scary messages about the trustworthiness of the website. This generally puts enough pressure on the site owner to make this simple change.

    Another good reason to change is that everything passed between the visitor (the client) and the website (the server) is unencrypted when using http. That means your password is in readable form when sent for your login. All data back and forth is clearly readable by anyone with access between your browser and the server. You might think, "Who the hell is reading that?!?" The answer, my friend, is bots. Those bots are very effective at reading and rooting out passwords and other private information. Furthermore, similar bots can get in between you and the website and pull information right from your browser. Got anything important stored in your browser, like passwords?

    Essentially, this is not something anyone in technology is arguing about. The only reason everything is not yet https is just because people are slow to update. Most don't even know this is a requirement. It really just comes down to keeping you safer and your information secure and private.

    Again, I am more than happy to provide my time at no cost to help out in this endeavor for the good of the community.

    Cheers!
     
  10. unsalted

    unsalted Active Member

    Jan 21, 2022
    Grand Haven, MI
    2001 Sundancer 310
    Twin MX 6.2L MPI w/Bravo III Drives
    That said, as long as you are using the http connection make sure your Club Sea Ray password isn't the same as your banking password. It is one thing to have your reputation damaged by someone spamming Club Sea Ray using your name, and quite a different thing to have your bank account drained.
     
  11. UNDADC

    UNDADC New Member

    Dec 21, 2021
    Lighthouse Point, FL
    2019 Sea Ray Sundancer 350 Coupe
    Twin MerCruiser® 6.2L MPI ECT* Bravo® III w/DTS Sterndrives
    Very true. The most common successful exploits are typically a case where a username and password from one site is the same as many of the others for an individual. A site's identity database, on a site nowhere near as secure as your bank, is breached and then the attacker tests the username and password combination using bots at hundreds of other sites.

    Don't use the same password for any two sites, ever. Set up two-factor authentication where available. Make yourself a hard target.
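An added example (not from the thread) of how a site operator can spot the bot behaviour described above in its own login logs: a credential-stuffing bot replays leaked pairs, so one source address tries many different usernames with mostly failures, unlike a person who fumbles their own password a few times. The log format and addresses are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp ip username result".
# 203.0.113.7 walks through many accounts (stuffing bot); 198.51.100.9 is one
# person mistyping their own password.
SAMPLE_LOG = """\
2022-02-23T10:00:01 203.0.113.7 alice FAIL
2022-02-23T10:00:02 203.0.113.7 bob FAIL
2022-02-23T10:00:03 203.0.113.7 carol FAIL
2022-02-23T10:00:04 203.0.113.7 dave FAIL
2022-02-23T10:00:05 203.0.113.7 erin OK
2022-02-23T10:00:06 203.0.113.7 frank FAIL
2022-02-23T10:05:00 198.51.100.9 alice FAIL
2022-02-23T10:05:10 198.51.100.9 alice FAIL
2022-02-23T10:05:20 198.51.100.9 alice OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) from the constructed log format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def find_stuffing(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted usernames} for source IPs that tried at least
    min_users distinct usernames inside `window` with mostly failed logins."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(r == "FAIL" for _, _, r in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = sorted(users)  # later windows widen the set
    return flagged

if __name__ == "__main__":
    for ip, users in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried -> {users}")
```

Thresholds are deliberately simple; a real deployment would tune the window and ratio to the site's normal traffic and feed flagged addresses to rate limiting rather than blocking outright.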
     
