TLS/SSL


3 replies to this topic

#1 ScathEnfys

ScathEnfys

    Bleeping Butterfly


  • Members
  • 1,375 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Deep in the Surface Web
  • Local time:04:44 PM

Posted 10 July 2016 - 11:42 AM

Hello, I am slightly surprised that we still don't have TLS/SSL (https) enabled yet. There are even legit (if somewhat obscure) CAs that will issue free DV certificates. If the issue is with installation of the cert, I would be willing to share a sanitized version of my NGINX configuration for my site using a WoSign cert.

Further info:
https://buy.wosign.com/free/ - the site of the CA I got my DV from.
https://freevps.us/thread-16900.html - a (slightly outdated) tutorial on how to configure the cert on NGINX, including instructions on how to use OCSP Stapling, HSTS, and HPKP to minimize the amount of information sent to the CA.
https://blog.duskguild.net/ https://forum.duskguild.net/ - my sites that are using WoSign certificates (verifiable by inspecting the certificate in-browser). As you can see, they do not trigger browser warning pages due to having a certificate signed by a trusted CA.
Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase



#2 Guest_GNULINUX_*

Guest_GNULINUX_*

  • Guests
  • OFFLINE
  •  

Posted 10 July 2016 - 02:37 PM

This website does not use SSL?

Secured Connection?

 

Greets!  :wink:



#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA

Posted 10 July 2016 - 04:49 PM

I have a cert, just have to figure out the best way to implement it in the forums. The problem with SSL is that every image, JavaScript, CSS, etc. must be loaded from https:// as well or you will get mixed content errors in browsers.

As people can show pictures in posts that may be from http:// pages, this will cause all sorts of issues.

Some things I have been toying with would be to use SSL for only the forum logins, the rest of the site where I know the content is only hosted by servers I control, and possibly the pages where you actually post data to the forums (posting a new topic/reply/pm).

#4 ScathEnfys

ScathEnfys

    Bleeping Butterfly

  • Topic Starter

  • Members
  • 1,375 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Deep in the Surface Web
  • Local time:04:44 PM

Posted 10 July 2016 - 09:51 PM

The "mixed content" warning, at least in Firefox, only appears as a little note on the TLS "padlock" icon. I am pretty sure Chrome handles things this way too. I wouldn't worry about it. (EDIT: That is to say, the mixed media warning is not a full-page warning the way a self-signed certificate is.)

Login pages are a good start, but there are other pages whose content should not be visible to a MITM. For example, administrative pages and/or the Malware Response Forums.

Edited by ScathEnfys, 10 July 2016 - 09:53 PM.

Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase
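
An added example, not part of any post above and not BleepingComputer's code: a small scanner that lists the http:// subresources in rendered post HTML and separates passive mixed content (images, audio, video, which browsers loaded with a downgraded padlock) from active mixed content (scripts, stylesheets, iframes, which browsers block). The sample HTML, hostnames and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of rendered forum-post HTML; all hostnames are placeholders.
SAMPLE_POST = """
<img src="http://images.example.org/screenshot.png">
<img src="//cdn.example.org/smiley.gif">
<a href="http://example.org/thread">plain link</a>
<script src="http://static.example.org/forum.js"></script>
<link rel="stylesheet" href="http://static.example.org/forum.css">
"""

# tag -> attribute that triggers a subresource load
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for subresources that would load over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            if tag not in table:
                continue
            # Only stylesheet <link>s are classified in this example.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            url = (attrs.get(table[tag]) or "").strip()
            # https:// and protocol-relative (//host/...) URLs are not mixed content;
            # <a href> is a navigation, not a subresource, so it is never listed.
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def summarize(findings):
    counts = {"active": 0, "passive": 0}
    for kind, _tag, _url in findings:
        counts[kind] += 1
    return counts

if __name__ == "__main__":
    print(scan(SAMPLE_POST))
    print(summarize(scan(SAMPLE_POST)))
```

Run over stored posts and site templates, the passive findings show which user-embedded images would degrade the padlock, while any active finding is something that has to be moved to https:// before a page is served over TLS.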



