Tech What are you gonna do with your HTTP sites?

[sirkonstantine]

RE: Google Will Soon Shame All Websites That Are Unencrypted | Motherboard

Google is gonna display unsecure notices for HTTP sites soon. Are you gonna encrypt them all? If so, check out https://letsencrypt.org/ as it gives you SSL certs for free (here is the cPanel script https://github.com/Prajithp/letsencrypt-cpanel). 301-ing HTTP to HTTPS does not lose PageRank by the way (see No PageRank Loss When 301 or 302 Redirect to HTTPS).

If not, what are you gonna do?

For me, I'm gonna sit down and update my sites to HTTPS this quarter. I might also cough up some cash to buy SSL certs on web hosts that can't run Lets Encrypt. For PBNs, I'll let them stay with HTTP since they're not meant to get human visitors anyways.

[rowan]

Been thinking about this myself. Google absolutely loves one of my sites (#1 out of 1m+ results) so this could be a killer.

This blog post makes me think that Let's Encrypt is maybe not quite ready for widespread deployment yet? I would imagine a browser generated security warning would probably be even more of a roadblcok, when compared to a Google warning...

https://letsencrypt.org/2016/08/05/l...y-mozilla.html

What company do people recommend for buying a certificate from, in the meantime?

[rowan]

https://letsencrypt.org/docs/certificate-compatibility/

Looks like it's more widely supported than I thought. I see the occasional Blackberry and Nintendo 3DS user-agent in my logs, nothing much I can do there...

[Serge Litehead]

each SSL cert must be on their own dedicated IP

usually IPv4 costs monthly $3-5 per IP
IPv6 supposedly should be cheaper. Does anyone know any hosts letting have bunch of IPv6 for cheap and configurable for SSL/HTTPS?

[rowan]

Quote:

Originally Posted by holograph

each SSL cert must be on their own dedicated IP

I'd forgotten about that.

Looks like there is a solution, but it's not universally supported:

https://en.wikipedia.org/wiki/HTTPS#Limitations

"Because TLS operates below HTTP and has no knowledge of higher-level protocols, TLS servers can only strictly present one certificate for a particular IP/port combination. This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many older browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista."

Does this mean that Google strongarming webmasters into using HTTPS is going to further accelerate the exhaustion of IPv4 space?

[freecartoonporn]

use cloudflare get free https ...

[Barry-xlovecam]

SNI works except on out dated browsers. People with out dated browsers are not buyers ...

I don't think that is an issue. Google is making more work for a busy world -- that is a problem -- then beating on site owners because of packet sniffing (mostly by world governments).

So, this is really Google's way of making packet sniffing as difficult an possible (Google's real motivation). Google's second motivation is in reducing the number of websites that they will index -- most of the spammy or legacy domains will not adapt and die

[trevesty]

Any site I've cared about has been HTTPS for a year or so.

I'm glad the rest of the industry is extremely slow to adapt, though. Makes competition pretty easy.

[rowan]

Quote:

Originally Posted by freecartoonporn

use cloudflare get free https ...

Wouldn't be surprised if in 5 or 10 years time Google starts "warning" people about cloudflare hosted sites, too. They don't exactly keep their noses clean. Also, their faux HTTPS product defeats the purpose of using certificates and encryption - surfers think the connection is fully encrypted, with a nice padlock showing in their browser, when it's actually all clear text between cloudflare and the web server, and can be sniffed or MITM'd just like any other HTTP connection...

[The Porn Nerd]

Fuck Google in the ass.

[ErectMedia]

Quote:

Originally Posted by rowan

What company do people recommend for buying a certificate from, in the meantime?

https://www.NameCheap.com

[rowan]

Quote:

Originally Posted by ErectMedia

https://www.NameCheap.com

Sneaky using your affiliate URL. Have you actually used them for certificates?

[Major (Tom)]

We did this and our sales litterally shut off. We reverted

[rowan]

Quote:

Originally Posted by DukeSkywalker

We did this and our sales litterally shut off. We reverted

I guess this is going to sound like a stupid question, but did you double check that everything was working - certificates valid, no weird errors in logs etc - so you could conclusively say it was the switch to HTTPS that killed the sales? If it wasn't a technical issue, why do you think the switch caused that effect?

[directfiesta]

Quote:

Originally Posted by holograph

each SSL cert must be on their own dedicated IP

usually IPv4 costs monthly $3-5 per IP
IPv6 supposedly should be cheaper. Does anyone know any hosts letting have bunch of IPv6 for cheap and configurable for SSL/HTTPS?

I have an HTTPS site for a client, no dedicated IP .
Godaddy host , Godaddy SSL

[Kafka]

HTTPS is very useful for adult

[Serge Litehead]

Quote:

Originally Posted by directfiesta

I have an HTTPS site for a client, no dedicated IP .
Godaddy host , Godaddy SSL

are you sure it's not a dedicated IP? I mean, does client have other domains under same ip all working fine?
I don't see how it is possible, having multiple domains and a single or multiple SSLs on one IP.

If that is true, then it is super cool and means anyone could have all their sites HTTPSed affordably, virtually hosted on only one IP. - but that's not how it works, as far as I know
Also, godday is in the business of leasing extra ipv4 IPs at $6 a pop, monthly I think

[ErectMedia]

Quote:

Originally Posted by rowan

Have you actually used them for certificates?

Use a good handful of the RapidSSL ones at $10.95. They have a $9 Comodo one as well but haven't tried that one.

[ironwebmaster]

Quote:

Originally Posted by rowan

Wouldn't be surprised if in 5 or 10 years time Google starts "warning" people about cloudflare hosted sites, too. They don't exactly keep their noses clean. Also, their faux HTTPS product defeats the purpose of using certificates and encryption - surfers think the connection is fully encrypted, with a nice padlock showing in their browser, when it's actually all clear text between cloudflare and the web server, and can be sniffed or MITM'd just like any other HTTP connection...

I'm a little intrigued by your answers, would you add me on skype pls? I'd like to talk

[directfiesta]

Quote:

Originally Posted by holograph

are you sure it's not a dedicated IP? I mean, does client have other domains under same ip all working fine?
I don't see how it is possible, having multiple domains and a single or multiple SSLs on one IP.

If that is true, then it is super cool and means anyone could have all their sites HTTPSed affordably, virtually hosted on only one IP. - but that's not how it works, as far as I know
Also, godday is in the business of leasing extra ipv4 IPs at $6 a pop, monthly I think

Here are the screen capos ... I was surprised too . As you can see, it is an https site :







and it is cleary not the only site on that IP :




cost the SSL , first year cheap, about 14.00


Site is actually done , but hidden to public and not live as client has not yet given the OK .

[rowan]

Quote:

Originally Posted by holograph

are you sure it's not a dedicated IP? I mean, does client have other domains under same ip all working fine?
I don't see how it is possible, having multiple domains and a single or multiple SSLs on one IP.

If that is true, then it is super cool and means anyone could have all their sites HTTPSed affordably, virtually hosted on only one IP. - but that's not how it works, as far as I know
Also, godday is in the business of leasing extra ipv4 IPs at $6 a pop, monthly I think

See the above reference to Server Name Indication (SNI) which lets you use more than one hostname per SSL IP.

It is apparently widely supported, but not quite 100% (eg not supported by XP+IE)

Hmm, come to think of it, I used XP SP3 until about 2 years ago.

[rowan]

Was checking out Comodo, went to bed, got up to find this.

That's like one popup attempt every 30-40 seconds. They really want to get my attention. There's also a window floating around that asks me to explain why I don't want to buy.

[NemesisEnforcer]

Good conversation

[Jigster715]

Quote:

Originally Posted by rowan

Was checking out Comodo, went to bed, got up to find this.

That's like one popup attempt every 30-40 seconds. They really want to get my attention. There's also a window floating around that asks me to explain why I don't want to buy.

We tried Comodo one year. Never again. Hard sell then support falls off the planet. They got upset when I posted a support request in their forum which they use as a sales tool. "ALL Hail, the Great Comodo" kind of bullshit.

[Serge Litehead]

Quote:

Originally Posted by directfiesta

Here are the screen capos ... I was surprised too . As you can see, it is an https site :
...
and it is cleary not the only site on that IP :
...
cost the SSL , first year cheap, about 14.00


Site is actually done , but hidden to public and not live as client has not yet given the OK .

Quote:

Originally Posted by rowan

See the above reference to Server Name Indication (SNI) which lets you use more than one hostname per SSL IP.

It is apparently widely supported, but not quite 100% (eg not supported by XP+IE)

Hmm, come to think of it, I used XP SP3 until about 2 years ago.

That's pretty neat. I've got a VPS at godaddy I manage, will be toying around with setting up SSL there in some time. Will be seeing if I could get ipv6 and config it that way or get the SNI work. So far I remember checking out SSL config through WHM/Cpanel is that they make a point that the dedicated IP is required.

[rowan]

Quote:

Originally Posted by Jigster715

We tried Comodo one year. Never again. Hard sell then support falls off the planet. They got upset when I posted a support request in their forum which they use as a sales tool. "ALL Hail, the Great Comodo" kind of bullshit.

Interesting.

I did notice that the testimonials shown their product page seem to be excessively positive, like they're manipulated (delete anything negative), or totally fake.

For the moment I'll continue playing around with https://letsencrypt.org/ , as my site doesn't need strong verification/trust from its users, just HTTPS to keep the big G happy.

[sandman!]

SNI works on almost al browsers the only traffic you will loose is from people on windows xp running IE and some very old cell phones which is not all that much if the website is important get a dedicated ip if its not use SNI.

Quote:

Originally Posted by rowan

I'd forgotten about that.

Looks like there is a solution, but it's not universally supported:

https://en.wikipedia.org/wiki/HTTPS#Limitations

"Because TLS operates below HTTP and has no knowledge of higher-level protocols, TLS servers can only strictly present one certificate for a particular IP/port combination. This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many older browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista."

Does this mean that Google strongarming webmasters into using HTTPS is going to further accelerate the exhaustion of IPv4 space?

[Markul]

Quote:

Originally Posted by rowan

Been thinking about this myself. Google absolutely loves one of my sites (#1 out of 1m+ results) so this could be a killer.

This blog post makes me think that Let's Encrypt is maybe not quite ready for widespread deployment yet? I would imagine a browser generated security warning would probably be even more of a roadblcok, when compared to a Google warning...

https://letsencrypt.org/2016/08/05/l...y-mozilla.html

What company do people recommend for buying a certificate from, in the meantime?

I hate to say it.. But go with Godaddy for SSL certs.

[Jigster715]

Quote:

Originally Posted by rowan

Interesting.

I did notice that the testimonials shown their product page seem to be excessively positive, like they're manipulated (delete anything negative), or totally fake.

For the moment I'll continue playing around with https://letsencrypt.org/ , as my site doesn't need strong verification/trust from its users, just HTTPS to keep the big G happy.

They leave posts up but they will complain to you privately.