free SSL?

does anyone here know of a way to activate / associate a website (elgg) with a free (no cost) SSL certificate?

i have explored various options and still have not found a way to do it.

presently i have created a personal certificate on my server and this allows me to activate SSL on login in elgg. however, the browsers throw 'unsafe' warning pages when the site is accessed in that way. as far as i know, that 'unsafe' message is more accurately translated as 'has not paid a corporation to be labelled as safe'.

i've seen a couple of organisations advertising free SSL certificates where the group manages the 'trust level' of the sites involved .. yet so far have not had a response from them. at least one of them is usa based and relies on 'real world' 3d interactions to verify people are as they say they are.. and i am not usa based.

any ideas welcome.

thanks
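
What the browser warning described in the question is checking, as an added example that is not part of the original post: the client accepts a certificate only if it chains to a root already in its own trust store. The host name, CA name and file names are placeholders, the certificates are generated on the spot, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaways; elgg.example and
# "Example Private CA" are placeholder names. Assumes the openssl CLI is installed.

# make_certs DIR: write a self-signed cert, a private CA, and a CA-signed leaf.
make_certs() {
    out=$1
    # Self-signed certificate, like the "personal certificate" in the question.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=elgg.example" \
        -keyout "$out/self.key" -out "$out/self.crt" 2>/dev/null || return 1
    # A private root CA standing in for an authority the client already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null || return 1
    # A certificate for the same host name, issued by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=elgg.example" \
        -keyout "$out/leaf.key" -out "$out/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$out/leaf.csr" -days 1 \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -out "$out/leaf.crt" 2>/dev/null || return 1
}

# chain_ok TRUSTFILE CERT: succeeds only if CERT chains to a root in TRUSTFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
    if chain_ok "$1" "$2"; then echo "$3: accepted"; else echo "$3: rejected"; fi
}

demo=$(mktemp -d)
make_certs "$demo"
report "$demo/ca.crt"   "$demo/self.crt" "self-signed cert, client trusts only the CA"
report "$demo/ca.crt"   "$demo/leaf.crt" "CA-issued cert,   client trusts the CA"
report "$demo/self.crt" "$demo/self.crt" "self-signed cert, client imported it as trusted"
rm -rf "$demo"
```

Only the first case is rejected: the encryption is the same in all three, and what differs is whether the client already holds the issuing root.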

  • In case you are still looking... 

    As far as I can tell CloudFlare SSL works like a charm and it's very easy to set up. OpenSSL is probably recommended, but you don't even need to install a certificate...

    01. Go to https://www.cloudflare.com/ + sign up / login
    02. Fill in domain & click 'add website' button

    CloudFlare gathers DNS settings.
    Meanwhile open your site's DNS settings.

    04. Click "continue"
    05. Verify DNS settings and add what's missing.
        - You can leave TTL on automatic, it's quick.
        - IPs and subdomains (except ftp, mail) will activate automatically, else click the grey cloud to activate.
    06. Click "continue"
    07. Change some settings if you wish. I choose the following:
        - plan: free
        - performance: CDN + full optimizations
        - security: high
        - Automatic IPv6: on - test it | spread the word
        - Smarterrors: on (partial) - I prefer redirects 1 level up
    08. Click "continue"
    09. Replace your domain's nameservers with CloudFlare's.
    10. Click "continue"

    I would recommend adding SSL to your entire site.
        - for speed: CloudFlare enables SPDY by default, which makes SSL faster than regular connections.
        - for SEO
        - for privacy

    11. In Elgg admin > advanced settings > site URL, change http:// to https://

    For SEO reasons it's best to force SSL, else it may be considered double content.
    At CloudFlare, once the nameservers have changed, you can find "Page rules" in the gear wheel menu to the right of your domain.

    12. In the page rules screen add pattern: *yourdomain.ext/*
    13. Activate "Always use https"
    14. Click "add rule"

    There are some more apps to explore. I'm very happy to have found Dome9 there, which is a free lock for servers.

    I hope it helps!

  • cloudflare do offer free ssl now, yes. however, they also require that your traffic is routed through their server, which is a privacy and potentially a security issue.

    however.. i just found this... LET'S ENCRYPPPPTTT - http://www.wordfence.com/blog/2014/11/free-ssl-certificates-lets-encrypt-ssl-eff/?utm_source=list&utm_medium=email&utm_campaign=effssl

    a step forward for free ssl.

  • There is already https://www.startssl.com/ offering free SSL certificates. For a Class 1 certificate (without wildcard) they only charge for processing revocation (40$ IIRC). I'd really like to see any other company do better than that.

  • the electronic frontiers link i just posted does do better than startssl. the revocation fee actually breaks the specification of ssl since it is imperative that certificates can be revoked quickly and charging for them causes problems. there was a discussion of removing startssl from the major CA lists in browsers.
    this new service is totally free all the way through.

  • I have more confidence in CloudFlare securing their entire network, than in me securing my Elgg site... and that doesn't say anything about CloudFlare.

    I'm not convinced about StartSSL. I read some reviews, which were better than I expected when seeing their site, but not good enough to proceed... The way I understood: too risky to get paper work with it + forbidden to request a certificate for others.

    But either way, Let's Encrypt sounds promising idd! )

  • Funnily enough startssl is probably the only website I know that uses PKI authorization, so that makes a much better impression on me than the bad impression of a previous-century website layout. To be honest our main page isn't very good either. I certainly can sympathize with people that spend more time on offering a good, free SSL service than on their website. Honestly, why bother when you don't really need to advertise.

  • Yups, you are correct. That's why the reviews were better than expected. I looked for reviews upon seeing their website, then I bought one to be sure not to waste time on it.

    And Ura is correct also. With CloudFlare it's still necessary/recommended to add a certificate to encrypt the connection between CF and the server. You basically get half secure for free, but it's apparently less secure than I expected. I found a good read about it here. For non-commercial sites, I think it's better than nothing (even though the author there disagrees).