i have read some of the threads here where questions have been raised about the wisest approach for using encryption and certificates with elgg. the conclusion is that encryption is necessary for logins as a minimum.
since, like domain names, the 'trust' industry has already been hijacked by ones i don't trust, who offer to sell certificates of trust, and the browsers offer alerts that your site is not 'trusted' if you use a 'self-generated' certificate.. does anyone here have any ideas i may not be aware of, of how to run a free certificate without triggering the browser 'UNSAFE SITE' warnings?
i know there are one or two groups that claim to offer free certificates.. without naming names, i attempted to begin setting up a certificate with them and one group only offered the service if you are within the usa border and the other (who i spoke to by phone) seemed highly untrustworthy themselves!
i really don't see how paying a group that you have never met to issue you with their brand of certificate is any type of guarantee of security at all. with this system in place, sites that attempt to activate encryption for free, even with encryption certificates that are of greater ability than the 'paid for' ones, will be identified as being 'threats'.. when in reality they are safer.. i am wondering if this is actually part of the plot to derail encryption algorithms and thus to prevent real encryption being used, while earning large amounts of cash.
well i tried lol ^_^
;)
"trying is so trying" - hehe.
after speaking with some others i have seen that possibly the best approach for a free certificate, for now, that can easily be implemented on a site and present no problem to any website user is to use the free service CAcert.
https://www.cacert.org
this way there is no need for site visitors to download a certificate manually and the tree structure of certificates is not challenged by a 'new kid on the block' offering a root certificate without anyone else having any 'trusted data'. (my approach is ultimately that the content of my site speaks for itself and that trust can and should be based on that).. for now i will explore cacert
right ok.. i have read through the docs at cacert.org and am now using their community services for a free ssl certificate.. with no need for anyone to download any files...
at least with the chromium browser i am using, since it includes the cacert root certificate by default.
site is now fully https for free without messing about with downloading certificates ;)
https://www.infiniteeureka.com/
edit: no it's not now.. lol
oh.. :(
so CAcert is not supported by default by firefox presently.. so firefox throws the untrusted sign..
so i'll need to run http and https side by side for now..
i am unsure whether the https login option in elgg should be enabled in that situation
here are some more useful pages about ssl certificates, encryption methods and free certs:
http://arstechnica.com/information-technology/2012/11/securing-your-web-server-with-ssltls/
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
and a tool to analyse your site:
https://www.ssllabs.com/ssltest/index.html
currently my site is at the top end of the scale for actual encryption technology and gets a zero for trust since i am using cacert.org and they remain untrusted by mozilla (the ssllabs system uses mozilla's root certificate library).
maybe i will look at startssl at some point.
oh, one other point is that to activate TLS v1.2, which is the recommended protocol presently, you need to install a new version of the openssl package (newer than the present centos 6.4 package, for example, if you are using openssl).
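The "zero for trust" above and the firefox warning earlier come from one mechanism: a certificate is only trusted if its issuing root sits in the verifier's root store. This added example (not from the thread, nor from Elgg or CAcert) reproduces that with a private root and the openssl CLI, which it assumes is installed; the names and the 30-day lifetimes are made up for the demo.

```sh
#!/bin/sh
# Added example: show how a trust store decides "trusted" vs "untrusted".
# Assumes the openssl command-line tool; all key material is throwaway.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. A private root CA, standing in for any root a browser has never heard of
#    (CAcert for firefox in the thread, or a self-generated root).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Private Root" \
    -keyout root.key -out root.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1

# 2. A site certificate signed by that root (hostname is a constructed example).
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout site.key -out site.csr >/dev/null 2>&1
openssl x509 -req -in site.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -out site.pem >/dev/null 2>&1

# Check against the system's default root store: the private root is not in
# it, so this is the "untrusted" result a browser without the root reports.
check_default_store() {
    if openssl verify site.pem >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Check against a store that contains the root: the same certificate now
# validates, which is what "download the root certificate manually" achieves.
check_with_root() {
    if openssl verify -CAfile root.pem site.pem >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

echo "default store: $(check_default_store)"   # untrusted
echo "with root:     $(check_with_root)"       # trusted
```

The certificate itself is identical in both checks; only the root store differs, which is why the encryption grade and the trust grade on ssllabs are reported separately.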
thanks for the info : ) 25 dollars a year is the minimum cost, as we need a dedicated ip address. a little expensive having ssl, but well, i will grab it one day soon!