 sj |
||
|
||
Tech: HTTPS::// - needed?
|
|
|
|||||||
|
Tech: HTTPS::// - needed? |
Share Thread
|
||||||
|
Subject: Tech: HTTPS::// - needed? From: Joe Offer Date: 17 Jun 22 - 08:40 PM Quite some time ago, I got a Network Solutions Web hosting package to use as a supplement to Mudcat to display photos and sound files and other things that can't be posted at Mudcat. And then folkinfo.org shut down and I offered to host that wonderful resource on my Website. And then the local community center needed a Website, so I'm hosting that with a different domain name, and now I find I'm the Webmaster for my cohousing group http://auburncohousing.com/. MaJoC the Filk and Google Chrome and Firefox remind me that my Websites do not have an https: certificate. My Website hosting company, Network Solutions, tells me that indeed my Websites are secure, but I need to pay then "only" $9.99 a month for the certificate that proves that. I paid ten years in advance for Web Hosting and I thought I was all set, and now I'm told I need I need these security certificates even though my Websites work just fine. I am assessing whether I need the certificate for the three low-traffic Websites that I manage. In the meantime, you can listen to the MP3 and MIDIs if you're willing to click past the Google Chrome and Firefox warnings. -Joe- |
|
Subject: RE: Tech: HTTPS::// - needed? From: Reinhard Date: 18 Jun 22 - 12:29 AM It's good and fine that Network Solutions guarantee that your website is secure, whatever they mean by that, but that doesn't mean that e.g. man-in-the-middle attacks can't insert themselves between a customer and you site and intercept or change all network traffic. https is an excellent way to prevent that. But you don't have to pay through the nose for that, $9.99 a month is a rip-off. Use Let's Encrypt which is free and (according to Wikipedia) is used for certificates on 265 million websites, including mine. To set this up, I had to run just two commands on my Linux web server, and the certificates are renewed in the background automagically. |
|
Subject: RE: Tech: HTTPS::// - needed? From: DaveRo Date: 18 Jun 22 - 03:42 AM Addressing the thread title - is https needed? - the technical answer is 'not necessarily'. But the technical answer is rather irrelevant: if you want it to look professional and for people to trust it, and be happy to enter their details and subscribe to the mailing list, you really ought to use https and lose any 'insecure' warnings. (I know that the newsletter link itself is https, but you can't expect Joe Public to understand that.) Accessing that auburn site here on Firefox mobile I get no security warnings, apart from an open padlock, but maybe I would if I delved deeper. Firefox will generate 'mixed content' warnings under some circumstances as described here. That link helps answer the headline - the difference between active and passive content. But - bottom line - you ought to use https on that site. That doesn't mean every site needs to use https. It depends not only on the content but on the userbase. |
|
Subject: RE: Tech: HTTPS::// - needed? From: Jon Freeman Date: 18 Jun 22 - 03:46 AM Even if not now, I suspect the time will come when you really need https, Joe. It might be worth shopping around. My 10Gb shared hosting plan with php, mysql, etc. costs £4.99 a month and does https at no extra cost. But I don’t know how much you have invested in what you have now. Let’s Encrypt might be an option although it’s not clear to me how I’d set it up on my shared hosting. I’ve got it working with certbot on a Raspberry PI (even though I never got round to the IP camera project it was intended for) btw. My set up was a bit more involved as I wanted wildcard DNS and to use ACME-DNS but, once set up, it does its job in the background. |
|
Subject: RE: Tech: HTTPS::// - needed? From: Stilly River Sage Date: 18 Jun 22 - 09:13 AM Let's Encrypt sounds like an excellent answer to this problem. |
|
Subject: RE: Tech: HTTPS::// - needed? From: Joe Offer Date: 18 Jun 22 - 06:04 PM Apparently, Network Solutions has certificates for $50 per year per Website, which isn't a horrible price. They call these UCC certificates. What's that mean? Network Solutions apparently doesn't work with Let's Encrypt. And I hate the thought of moving three Websites to yet another provider. I moved two of the three from GoDaddy not long ago. All of my MIDI links go to http://joe-offer.com - will all those links die if I go to https?? https://www.networksolutions.com/security/ssl-certificates |
|
Subject: RE: Tech: HTTPS::// - needed? From: Jon Freeman Date: 19 Jun 22 - 03:08 PM Joe, I think you links will depend on how the server is set up when you move to https. It may continue to serve http. Either way, I think you will want to update your links but if the server still supports http, you'd have some time to do this in. |
|
Subject: RE: Tech: HTTPS::// - needed? From: DaveRo Date: 19 Jun 22 - 04:13 PM UCC certificates cover several domains. I suppose there are advantages - cheaper than per-domain certificates? - but also disdvantages - more difficult to move a domain to a new host. But you may have no choice - other than move hosting company. Does Network Solutions allow Let’s Encrypt SSL for free? Normally the server is configured to redirect http to https, so you don't have to change the links. It happens with mudcat: HTTP://mudcat.org It's better to omit the http(s) bit from the visable text of a link. |
|
Subject: RE: Tech: HTTPS::// - needed? From: Jon Freeman Date: 19 Jun 22 - 04:22 PM I had forgot about a redirect possibility and hadn't realised there was a usual way. My hosts just give what is requested, eg: http://www.jonbanjo.com/temp/btita.jpg https://www.jonbanjo.com/temp/btita.jpg |
|
Subject: RE: Tech: HTTPS::// - needed? From: DaveRo Date: 19 Jun 22 - 05:21 PM There's an example on the auburn cohousing site; a link to N Street Cohousing, Davis http://nstreetcohousing.org/ which is redirected to https. It presumably got a certificate after the link was made. That's a Wordpress site, with a Lets Encrypt certificate. A good example of a DIY site built using Wordpress and hosted by wordpress.com. (I have one too.) |
| Share Thread: |
