Fix in progress https - We are waiting on "let's encrypt" to mature a bit more

Discussion in 'Bug Report Forum' started by rso, Nov 28, 2015.

  1. rso

    rso Contains Quiltineum

    Joined:
    Mar 26, 2010
    Messages:
    1,737
    Likes Received:
    255
    The SSL certificate the server uses for https looks... weird. Don't think it was meant for anything other than the Plesk panel. Not only is it not issued for this domain, it doesn't have any at all. Would it be possible to replace it with a proper one?

    Now, I know that most "serious" ones cost serious money. If that's an issue - how about a free one from cacert.org instead? Sure, it's not perfect - their CA cert only comes bundled with some browsers/OSs so far - but one can easily install that if required and imho it's still worlds better than that Parallels one.

    (Unlikely to be relevant, but for completeness' sake: I'm using Chromium 46.0.2490.86 on Linux 4.3.0, built for x86_64, w/ the Debian Project's ca-certificates-20140927.3.17.2.)
     
  2. Turranius

    Turranius Site Supporter 2015

    Joined:
    Apr 18, 2015
    Messages:
    105
    Likes Received:
    31
    Startcom is nice for a free cert as well. I've used it for years. Only downside is that they only last a year.

    https://www.startcom.org/
     
  3. ASSEMbler

    ASSEMbler Administrator

    Joined:
    Mar 13, 2004
    Messages:
    19,492
    Likes Received:
    789
    Correct, we have no https cert aside from the self generated one.
    It's on the to-do list.
     
  4. modrobert

    modrobert Rising Member

    Joined:
    Jul 23, 2005
    Messages:
    50
    Likes Received:
    3
    I trust a self generated cert created by ASSEMbler a lot more than any "cert authority" just to please the browser racket regarding https (SSL/TLS). IMHO, the browser warnings are of no concern unless you are dealing with a bank or similar.
     
    Last edited: Nov 28, 2015
  5. ASSEMbler

    ASSEMbler Administrator

    Joined:
    Mar 13, 2004
    Messages:
    19,492
    Likes Received:
    789
    Well most people don't know that. Our problem is google deprecates non https pages now.
     
  6. mairsil

    mairsil Officer at Arms

    Joined:
    Apr 20, 2005
    Messages:
    3,432
    Likes Received:
    99
    Agreed on the "browser racket" comment regarding certs, but your "bank" comment is just wrong. There are plenty of reasons that you want working certs outside of banking.
     
  7. rso

    rso Contains Quiltineum

    Joined:
    Mar 26, 2010
    Messages:
    1,737
    Likes Received:
    255
    The current one looks like it's been generated by Parallels, not you. I have no reason to trust them. No idea where else that cert might turn up and what sites might be deemed "secure" if one manually greenlights it... (It might have been generated locally during installation, but I have no way to check that. A cert doesn't contain a domain, I ain't touching it.)

    That's all I wanted to hear, thank you.

    What did they smoke, and where can I get some? Best of luck with that, but I don't see it happening any time soon. Web pages are pretty much the definition of legacy tech.
    (I couldn't find anything about Google intending to do this, but Mozilla's blog has a post about something similar. They intend to enable some new features only for properly encrypted sites. At least they won't throw a tantrum when encountering plaintext ones...)
     
  8. modrobert

    modrobert Rising Member

    Joined:
    Jul 23, 2005
    Messages:
    50
    Likes Received:
    3
    My SHA-256 fingerprint for the current Parallels' certificate at https://assemblergames.com is:

    43:2B:24:1B:E7:F6:93:1D:3E:21:60:A2:C9:37:1E:03:86:3E:0B:73:F8:0B:87:7B:79:55:B6:F8:9B:EF:B7:C6

    ASSEMbler,

    All you need to do is to confirm if this indeed is the correct SHA-256 fingerprint for your site, just post a reply in this forum thread. A forum post with this simple "yes or no" confirmation will mean a lot more to me than having Symantec or Verisign telling me that this really is the assemblergames.com website.

    I understand the problems about having the most common browsers complaining with warnings and your users needing to add "Untrusted" exceptions (which is a browser flaw by design IMO), so this will not fix that, but when it comes to trust about whether this certificate really belongs to assemblergames.com, then I trust you more than any third party.
     
    Last edited: Dec 17, 2015
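The out-of-band check modrobert proposes above is essentially certificate pinning by hand: hash the DER-encoded leaf certificate with SHA-256 and compare it to a fingerprint obtained through a channel you already trust (here, a forum post by the site owner). The script below is an added example, not code from the thread; it pins the fingerprint quoted in the post, and the only assumption beyond the post is that the site is reached on port 443 (the network fetch is skipped when the functions are exercised offline).

```python
import hashlib
import hmac
import ssl

# Fingerprint quoted in the forum post above for assemblergames.com (Dec 2015).
PINNED_FINGERPRINT = ("43:2B:24:1B:E7:F6:93:1D:3E:21:60:A2:C9:37:1E:03:"
                      "86:3E:0B:73:F8:0B:87:7B:79:55:B6:F8:9B:EF:B7:C6")


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or bare hex; return lowercase hex without separators."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return cleaned


def sha256_fingerprint(der_cert: bytes) -> str:
    """The SHA-256 fingerprint a browser shows is just SHA-256 over the DER certificate bytes."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pinned fingerprint."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(pinned))


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Retrieve the server's leaf certificate as DER.

    ssl.get_server_certificate() does not validate the chain when no CA bundle is
    given, which is what we need for a self-signed cert: the pin check above, not
    the CA system, is the trust decision here.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Hostname taken from the post; this performs a live TLS handshake.
    der = fetch_leaf_der("assemblergames.com")
    print("presented:", sha256_fingerprint(der))
    print("pin matches" if matches_pin(der, PINNED_FINGERPRINT) else "PIN MISMATCH")
```

A mismatch means either the site rotated its certificate or something between you and the server is presenting a different one; either way the pinned value needs to be re-confirmed out of band before trusting the connection.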
  9. retro

    retro Administrator Staff Member

    Joined:
    Mar 13, 2004
    Messages:
    10,776
    Likes Received:
    535
    As stated above, there is no HTTPS certificate. Don't use HTTPS.
     
  10. ASSEMbler

    ASSEMbler Administrator

    Joined:
    Mar 13, 2004
    Messages:
    19,492
    Likes Received:
    789
  11. ASSEMbler

    ASSEMbler Administrator

    Joined:
    Mar 13, 2004
    Messages:
    19,492
    Likes Received:
    789
    As predicted the first version of openssh has painful bugs. I will continue to wait for a bit longer before deploying.
     
  12. Bad_Ad84

    Bad_Ad84 Keyboard Error: Press F1 to Continue

    Joined:
    May 26, 2011
    Messages:
    7,508
    Likes Received:
    545
    First version? Openssh has been around since like 1999. Not sure how long you are going to wait.
     
  13. ASSEMbler

    ASSEMbler Administrator

    Joined:
    Mar 13, 2004
    Messages:
    19,492
    Likes Received:
    789
    -=FamilyGuy=- likes this.
  14. Denryu

    Denryu マスコット

    Joined:
    Feb 17, 2007
    Messages:
    381
    Likes Received:
    10
    Painful bugs? Hmm, could you elaborate? I'm using it for a couple websites myself and didn't notice anything bad with it, but I'm a bit concerned now.
     
  15. rso

    rso Contains Quiltineum

    Joined:
    Mar 26, 2010
    Messages:
    1,737
    Likes Received:
    255
    +1 interest. I already knew they chose a rather shitty concept for a client implementation (which one can work around, e.g. by using this site to get the cert instead), but this is the first I hear about bugs.
     
  16. rso

    rso Contains Quiltineum

    Joined:
    Mar 26, 2010
    Messages:
    1,737
    Likes Received:
    255
    One-year (well, almost) bump. How mature does Let's Encrypt have to get?

    What are the still-open issues holding this back? Anything non-staff members can do (like nag the LE guys about something)?
    This site is the last one amongst those that I visit (with a login) on a regular basis that's still stuck with an insecure protocol. Would be nice to remedy that.
     
  17. derekb

    derekb Well Known Member

    Joined:
    Jan 7, 2009
    Messages:
    1,899
    Likes Received:
    14
    yeah at this point I'd be happy if someone just bought a cert
     
  18. FlamingSpaz

    FlamingSpaz Active Member

    Joined:
    Jul 26, 2016
    Messages:
    35
    Likes Received:
    8
    Let's Encrypt is pretty mature now and used in production in a load of places (I think newer versions of plesk even automate issuing/applying the cert?).

    It's a little different to set up but after that you don't have to worry about it.
     
  19. rso

    rso Contains Quiltineum

    Joined:
    Mar 26, 2010
    Messages:
    1,737
    Likes Received:
    255
    So, anything at all going on behind the scenes? To us "outsiders", the "fix in progress" label just looks like a bad joke right now tbh.

    In other news, I retract my recommendation for cacert.org. The install base for their root cert seems to actually be shrinking lately (e.g. you can still get it in Gentoo but it's not being provided by default any longer).
     
  20. Demon

    Demon Robust Member

    Joined:
    Aug 11, 2008
    Messages:
    260
    Likes Received:
    287
    HTTPS is a good idea. Google punishes sites using plain old HTTP these days. I finally moved my site to HTTPS on the 28th last month and to my amazement my traffic's gone up 15% compared with the past 6 months' stats. It's continuing to rise daily.

    Something else I spotted unrelated to this: Google only allows a site description to have 160 characters max and Assembler's is currently 996. This can also cause Google to penalize sites. The description isn't like keywords and Google doesn't really count keywords towards SEO these days. May want to fix this at some stage Assembler :)

    I know I've mentioned this before (back on topic) to retro but Cloudflare offers free SSL and these are installed at their end instead of on your servers. Only tricky thing is it opens more risks to Assembler as a site, seeing as a 3rd party can now control if the site's up or down.
     