Site is not safe?

Antechinus · March 10, 2017, 08:14:09 PM

Quote from: CoreISP on March 10, 2017, 06:05:46 PM
Quote from: Arantor on March 09, 2017, 09:12:20 AM
Courtesy of Let's Encrypt

COMODO, actually. They do the Cpanel Inc. certs.
LetsEncrypt can be enabled as alternative, but is not the default.

$49 per year is an outrageous fee.
Can you add your own SSL certificate? If so, its fairly easy to get one for aroubd 10 bucks a year hassle free, or for free through a service like LetsEncrypt.

Yebbut teh ranty one says:

Quote from: Arantor on March 09, 2017, 04:36:02 PM
The fact it has a password is why it is being 'targeted'. To be some kind of fair to Google/Firefox, they didn't roll this out until free certificates were made available, but it's a headache to roll out free certificates unless you're pretty technical.

To put it into context, I work for a firm that has 6 developers/server administrators on staff. Only two of us actually know how to get a Let's Encrypt certificate onto the servers without breaking anything and have it work again afterwards.

And MaryLouW is not of the highly technical persuasion.

LiroyvH · March 10, 2017, 11:21:47 PM

Indeed, LetsEncrypt is not exactly easy to use at all... The options is available though.
All the same, $49 is insane. If you're not technical enough to use a service like Let's Encrypt: you can grab an SSL cert for $9 at NameCheap. (Perhaps even cheaper elsewhere.)
So should the hosting provider offer the SSL functions (signing request + install certificate), then $9 and a few minutes of work is all it takes.

MaryLouW · March 10, 2017, 11:44:24 PM

If I had one of those bills, I'd sure send it to you!!! THANK YOU for the coding!! That is something I can manage to do. I appreciate your efforts here and it will definitely make my life easier as well as that of a friend of mine who also runs an SMF forum. We have both been upset over how to handle it.

I am a happy camper now!

Kindred · March 11, 2017, 01:17:41 AM

Marylou... adding that text is ***NOT*** the "way to handle it"

If anything, you are actually making things WORSE by adding text like that.

My host gave me carts for free with a single click... and for the one site that I wanted a more official cert for, they helped me set it up, costing me a total of $20 for the year for the cert and zero for the service.

If your host can't do that, then why the heck are you paying them?

MaryLouW · March 11, 2017, 04:55:51 PM

Okay, based on what you just said, I went back to the control panel and to my surprise, I found an advanced area where they do offer a free SSL. I clicked on it and it created several files in my root directory , secure, and secure-cgi-bin . Then it gave me a url https://secure40.securewebsession.com/pirc-forum.com/ and said to make sure I moved my files.

I don't understand what all that means. What files do I need to put in these folders and does that mean, the above will be the link to my site?

I was very much misled by one of their lower level tech who said all I needed to do was change my password every three months when I asked about adding an SSL and explained about the message that the browsers were displaying. Apparently, he wasn't aware of that happening.

When I checked out their services again, they do charge $49 for an SSL but apparently, it also comes free if you are hosted with them.

Can anyone tell me what should be in those folders and what url I would use?

MaryLouW · March 13, 2017, 01:52:32 AM

Going to ask again just in case you guys missed it. What goes into those folders that were created when I activated the SSL?

Illori · March 13, 2017, 05:07:02 AM

ideally the ssl should cover your existing domain as you want to use it, you should ask your host about that. you should not need to move things anywhere else to take advantage of the SSL.

br360 · March 13, 2017, 12:31:31 PM

When you do talk to your host, you should ask them to upload the SSL certificate to your server for you and then add the appropriate code to force https in your .htacces file.

Most hosts will do both for you and probably at no cost to you.

After that is done, the only thing you should have to do is run repair.settings.pgp to make sure all http paths are changed to https

Ben_S · March 13, 2017, 12:53:52 PM

Except you will have issue with all the hotlinked content so there is no point doing anything until 2.0.14 is released!

Kindred · March 13, 2017, 01:18:28 PM

well, I wouldn't say that there is "no point" - since the change will address the main index and the login page (which are the two spots that most people will notice it)

MaryLouW · March 13, 2017, 02:28:07 PM

Why would I have a problem with 2.0.14? I don't understand all of this stuff but I will contact my host and see if they can help. In the meantime, Thanks to all who tried.

Arantor · March 13, 2017, 02:54:02 PM

No-one is saying that. What people are saying is that right now if someone puts a picture on your forum without using an attachment, and the link to it is http:// it won't work on a secure site.

2.0.14 will, when released, solve this problem.

MaryLouW · March 13, 2017, 02:59:53 PM

OH! Thanks for explaining that! Maybe I will wait until the next upgrade then because we have many linked images. Thanks for clearing that up.

Steve · March 13, 2017, 08:41:20 PM

If your questions have been answered for now would you mark this solved?

News:

Site is not safe?