SSL Certificate Error

UNDADC

The site requires an SSL certificate. This will result in most browsers reporting that this forum is not secure. This is a very easy thing to set up. It is also free to get a website certificate. This not-for-profit will provide an https certificate for free. This is a trusted organization. If you need assistance I will gladly help. My company does this routinely.

Let's Encrypt (letsencrypt.org)

Motor on!
 
The site requires an ssl certificate.

You lost me there. Sure it would be nice if there was, but it's certainly not required. If anything, I would put a lot of the site content behind the login. People post a ton of personal info on here that could be data mined by someone who doesn't even have an account.

If you're posting something on a public forum, do you really need it transmitted securely? It would likely be only your credentials passed insecurely. I leave the site up in a window so I haven't entered that info for a while :D
 
What he is saying is that many times browsers are nagging you about going to "non secure" sites or downloading "non secure" data. Most of which is a joke because as he mentioned I can add a free LetsEncrypt certificate to a website with one click and be done in under 10 seconds. It does encrypt the communication between server and the browser but provides no identity info or assurance that you are dealing with the correct party.

Also Google likes to see the SSL for some reason now too. So all the client sites we host on my company's hosting platform will have this provisioned by default and the auto renew. It's not a bad thing, just a little more security in the data transmission.

I should also note on the opposite side that https (SSL) also creates a false security for some end users - just because communications are encrypted does not mean it is safe - same goes for some public VPN services.

-Kevin
 
The use of "http" instead of "https" is deprecated and will increasingly be rejected by browsers. The letsencrypt certificate validates that the person creating the certificate has control over the DNS namespace. The DNS namespace is managed by the Internet registrar and you are required to have valid contact info (although you can use an intermediary to keep yourself anonymous). You cannot just feed letsencrypt info and have it generate a cert.
 
It only checks against DNS and it does not validate any other identity - hence the "green-bar-certs". As long as I can control the DNS for a domain I registered I can get a letsencrypt cert in seconds. I can then publish anything that I want to the website and purport to be someone that I am not.

Case in point I could register a domain for a fake site like "amazon-new-deals.com" (this is not a legit site as I write this!!!) - then get an SSL and publish a site that looks like "Amazon". This can be used deceptively and disappear before anyone can do anything about it. I am not saying this is legal or moral - however people have been "programmed" to trust an https site giving them the false sense of security.

-Kevin
 
Well, you could use openssl to generate your own self-signed cert for any value you wish. The browser will reject this because it doesn't trust you as a certificate authority. You are arguing about the level of validation performed. A letsencrypt cert is a trusted certificate authority by most/all browser creators. They have undergone scrutiny that ensures that certificates they generate can be trusted. A self-signed cert can be created for amazon.com, but would be untrusted. You can't do this with let's encrypt. The higher validation certs means that the certificate authority is providing a level of vigor beyond what the base trusted certs are. I'm not aware of anything that "requires" a high validation; it's something you can do to further assure your consumers. If I wanted to pay the money I could get a so-called green bar cert for the name "amazon-new-deals.com" assuming I can show I'm a legitimate business and amazon doesn't sue me.
 
All I have been trying to say is just having an https page does not assure anyone of who they are dealing with (unless EV) and to use common sense.

-Kevin
 
Lots of good points. The most basic driver of https vs. http is that browsers like Chrome are moving to only https and to get everyone to hurry up and update they are making it more of a hassle for the people that want to see a website that is only http. They do this by trying to scare those visitors away with scary messages about the trustworthiness of the website. This generally puts enough pressure on the site owner to make this simple change.

Another good reason to change is that everything passed between the visitor (the client) and the website (the server) is unencrypted when using http. That means your password is in readable form when sent for your login. All data back and forth is clearly readable by anyone with access between your browser and the server. You might think, "Who the hell is reading that?!?" The answer, my friend, is bots. Those bots are very effective at reading and rooting out passwords and other private information. Furthermore, similar bots can get in between you and the website and pull information right from your browser. Got anything important stored in your browser, like passwords?

Essentially, this is not something anyone in technology is arguing about. The only reason everything is not yet http is just because people are slow to update. Most don't even know this is a requirement. It really just comes down to keeping you more safe and your information secure and private.

Again, I am more than happy to provide my time at no cost to help out in this endeavor for the good of the community.

Cheers!
 
That said, as long as you are using the http connection make sure your club sea ray password isn't the same as your banking password. It is one thing to have your reputation damaged by someone spamming club sea ray using your name, and quite a different thing to have your bank account drained.
 
Very true. The most common successful exploits are typically a case where a username and password from one site is the same as many of the others for an individual. A site's identity database, on a site nowhere near as secure as your bank, is breached and then the attacker tests the username and password combination using bots at hundreds of other sites.

Don't use the same password for any two sites, ever. Set up two-factor authentication where available. Make yourself a hard target.
 
