Babylonic SSL (https)
That is how Babylon works: it plays on an emotion about safety and security. Let me re-phrase that: it touches or feeds one’s fear using our lack of knowledge, often adding fake information on top. Let’s find out the rights and wrongs about “https”, more properly called SSL (Secure Sockets Layer), which translates into the security certificate that is highly recommended for a professional website. SSL gives security, as was the original idea, that’s right; but where is the “wrong” about it, and why?
This article intends to spread an opinion and knowledge, blaming no one, but resisting the unreasonable blame placed upon our brothers over the internet. As users we want to know, and we want to share. This article uses religious terminology to demonstrate the basic idea of that one religion. True and false are used in the sense of classic computer science. This article targets cannabis market professionals.
What is true about the security
Yes, you need the certificate. It’s called SSL (Secure Sockets Layer) and it shows up as “https://” at the beginning of the website’s URL instead of the more regular “http://”.
This thingy, the “https”, protects the tunnel between the user and the website. No one can take control over the information passed between you and the website if the website has a security certificate installed and running well. Once you enter a password on a page, or input and send any other sensitive data, e.g. via a contact form or a payment form, or your system shares a geolocation automatically, all that data goes through this securely encrypted tunnel to the server where the website lives.
For example, on an unknown network, such as WiFi in a hotel room or any other “untrusted” connection, the provider can technically see the passwords that you send, or any other data pulled from your phone or computer to the website. With a “trusted” company (like a home provider or a cellular company) we keep in mind that a technician or a government agent can still access sensitive personal data, because the world is not perfect yet. SSL, in its turn, helps to prevent such a leak.
Apparently, if you send NOTHING, there is NOTHING that can be obtained by malicious guys, logically. So do not freak out over the security warning if you are merely checking a lasagna recipe: there is nothing to steal except your sacred wish to know the lasagna recipe (assuming the website honestly does not perform other activities).
What is untrue about the security
The babylonic sources blame self-signed certificates as being insecure. This is not the actual truth. We temporarily put a self-signed certificate on a website to demonstrate the issue; see the screenshots below.
The next two screenshots demonstrate the following:
— When we open a website with a SELF-SIGNED SSL certificate, the browser suggests the connection is not secure. Then we click “more details” and suddenly discover how the browser holds two contrary opinions about the security at the same exact time:
Then we check the more detailed information shown on the screenshot: the block marked in red contains the security details, the encryption methods, the key size and other stuff.
SUDDENLY the browser changes its “opinion” about the security, saying that the connection is Encrypted, and that encryption makes it difficult for unauthorized people to view the information travelling between computers.
Where one side is YOU, or your computer, and the other side is the WEBSITE, since its server is a computer too. So they call you and the website collectively “computers”; technically all is correct.
Babylonic enough. Let’s call these attempts to hide information behind the complexity of speech “sophistication”. This method of rhetoric (the art of speech) originates from the Greek philosophical movement, where “sophia” is “wisdom” and has nothing to do with trickery, but that is another story.
— Now, for the sake of a proper comparison, we check the “paid” SSL certificate.
— IN REALITY we use the free certificate (as in “freedom”) for this website, and for the previous website too; they are all securely protected and also well treated by browsers (see below on this page how to apply to the ‘Let’s Encrypt’ foundation to overcome the babylonic obstacles effectively).
— HOWEVER, for the experiment we played this game, temporarily installed a paid one, made screenshots, and got back on the path of freedom, which in this case is a Free Certificate.
Have a look:
Then we double-check the details: we click on the “lock” image in the address bar and discover exactly the same details as for the self-signed SSL about the security methods and the encryption details, all the same.
The lock in the address bar looks better, along with the message saying the same words: that the connection is encrypted, and no bad guy can sneak between the computers, where one computer is your workstation and the other is the website; simply, BETWEEN YOU AND THE WEBSITE.
The only practical difference between the self-signed SSL and an SSL obtained from an organization is the payment, which we all know can be quasi-anonymous. Payment is not exactly security; the colour of the lock in the address bar is on the shelf for sale, enforced with the subscription model, which certainly adds a smell to the whole idea.
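As an added example (not part of the original article), here is what those two browser messages are actually answering, reproduced with the openssl command-line tool: the detail pane reports the key and the cipher, which read the same for a self-signed and a CA-signed certificate, while the warning page reports whether the certificate chains to an issuer already in the trust store. The host names, the home-made “Demo Root CA” and the file names are all made up for the demo, and it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce with the openssl tool
# the two different questions behind the two browser messages. "Encrypted" is
# about the key the certificate carries; "not secure" is about whether the
# certificate chains to an issuer the client already trusts.
# Assumes the openssl command is installed; all host names and file names below
# are made up for the demo.
set -u

# A private key and a certificate signing request for a host name.
# $1 = directory, $2 = base name for the files, $3 = host name (CN)
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# A SELF-SIGNED certificate: the request is signed with its own key.
make_self_signed() {
  make_key_and_csr "$1" "$2" "$3" &&
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 30 -sha256 \
    -out "$1/$2.crt" >/dev/null 2>&1
}

# A home-made root CA: self-signed too, but marked as allowed to sign others.
make_root_ca() {
  make_key_and_csr "$1" "$2" "$3" &&
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/$2.ext" &&
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 30 -sha256 \
    -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# A certificate SIGNED BY THAT CA (a paid CA and Let's Encrypt do the same):
# the site's key is the same kind of key; only the signature comes from elsewhere.
# $4 = base name of the CA's files
make_ca_signed() {
  make_key_and_csr "$1" "$2" "$3" &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -days 30 -sha256 -out "$1/$2.crt" >/dev/null 2>&1
}

# The "encryption" question: what key does the certificate carry? This is what
# the lock's detail pane shows, and it reads the same whoever signed the cert.
# Prints the public key size in bits.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Self-signed means issuer and subject are the same name.
cert_is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')" ]
}

# The "trust" question: does the certificate chain to an issuer in the trust
# store? This is the check behind the warning page. A browser's store holds the
# public CAs, so a self-signed certificate fails it however strong its key is,
# and passes only when that very certificate is put into the store.
# $1 = certificate to check, $2 = PEM file with the trusted issuer certificate(s)
cert_is_trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: one self-signed site, one home-made CA, one site signed by it.
main() {
  dir=$(mktemp -d)
  make_self_signed "$dir" site self-signed.example || return 1
  make_root_ca     "$dir" ca   "Demo Root CA"      || return 1
  make_ca_signed   "$dir" shop shop.example ca     || return 1
  for name in site shop; do
    crt="$dir/$name.crt"
    printf '%s: key %s bits, self-signed: %s, chains to the CA store: %s\n' \
      "$name" "$(cert_key_bits "$crt")" \
      "$(cert_is_self_signed "$crt" && echo yes || echo no)" \
      "$(cert_is_trusted_by "$crt" "$dir/ca.crt" && echo yes || echo no)"
  done
  # what accepting the warning amounts to: trusting exactly this one certificate
  printf 'site, with its own certificate pinned as trusted: %s\n' \
    "$(cert_is_trusted_by "$dir/site.crt" "$dir/site.crt" && echo yes || echo no)"
  rm -rf "$dir"
}

case "${1:-}" in --run) main ;; esac
```

Run it with sh demo.sh --run. Both sites report a 2048-bit key, which is the “encrypted” detail pane. The self-signed site passes the trust check only when that exact certificate is placed in the store, which is what accepting the warning for a site you know does; the site signed by the home-made CA passes as soon as that CA is in the store, exactly as a Let’s Encrypt or paid certificate does with the public CAs browsers ship. The lock’s colour follows that second decision, not the key size.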
When the free SSL is really free
Here is the “life hack” for taking this security headache away.
There is a foundation which provides an SSL security certificate for free, and they promise a forever term. It is called Let’s Encrypt, but you’ll need minor technical skills to use the beautiful offer.
Once it’s done it may save another C-note off the annual expense, which equals the whole price of good hosting for a year. And more importantly, you will NOT PAY FOR WHAT IS FREE. The internet was once created for freedom, not for babylon affairs, after all.
You want to use certbot, and there is no other way. Certbot is intended to be run on the server, and it can even renew your certificate automatically if nicely tuned. However, there is an easier, beautiful option: run certbot on your local machine or any other machine, especially important for over-paranoid site owners, and I am definitely in this cohort. You will need an internet connection and regular FTP access to your website, nothing else.
This is the minimal line you need for the SSL miracle, and you need to run it with administrator permissions. No extras; it will only ask you to enter an email for registration with Let’s Encrypt.
— the certonly key stands for skipping the automatic installation of the SSL certificate, since we run it on the local machine where there is no website; certbot will output all required records into local files.
— the --manual key will pause to grant you time to upload verification files into the .well-known directory in the document root where the website is; it should be accessible as example.com/.well-known/acme-challenge/ followed by the verification file name.
Read the on-screen instructions carefully in the terminal window when running certbot; a filename and the contents of the file are shown there. You create this file manually, in plain text format. Contact us for help when needed, don’t be shy.
— the -d key declares the domain, or domains, including subdomains, whatever you really need.
NB! It is important that sometimes (and more often than not) we need to include several domains, since www.angrybud.com and angrybud.com are two different names. For this purpose you put them comma-separated into the -d option, like this (the created cert.pem and privkey.pem files will be one set for both domains):
It’s a totally manual action (the --manual key is used) that you will need to repeat every few months, once the certificate expires. You create the files and put them on your website through FTP:
1) The on-screen instruction will ask you to create a file with a name looking like njANbnkWNa3xkHE.SFsiUCQtBzbWnr9a (it is really longer, 80+ chars; it is cut for this example).
2) There is a dot in the name above! BEFORE the DOT is the filename; in our case it is njANbnkWNa3xkHE. The WHOLE string will be the contents of that file.
3) In the FTP client, create the .well-known folder. It starts with a dot “.” and that means the directory is not visible by usual means from the outside. In that directory create another sub-directory, “acme-challenge”; the full path will be:
4) In that folder (or directory) create the file named njANbnkWNa3xkHE (longer in reality, as this one is cut for the example); pay attention that it does not contain the trailing dot. The contents of this file will be njANbnkWNa3xkHE.SFsiUCQtBzbWnr9a (our full line, which is a little longer in reality, as I cut it for this example).
5) Then the program automatically checks the URL just created, as soon as you release it from the pause, and the URL checked will be:
6) For several domains you will need to make this file every time (the program stops and you have time to upload). If you use example.com and www.example.com, you do it twice. Adding another subdomain, you need to make one extra file and have the working directories ready and accessible by URL. For the www and non-www case it is usually the same physical directory. It will be the same certificate for all domains that you include.
7) In the folder (or directory) at something like /etc/letsencrypt/live/example.com/ there are files with the keys, where privkey.pem is the private key. You really do not need the bundle for Let’s Encrypt, as it is well known and should appear automatically.
8) Add this certificate through the hosting control panel (e.g. cPanel). Go to the SSL section and manage the certificates, where you refresh or add the one just created. Certificates are added PER domain.
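The steps above, put into a small POSIX shell script as an added example (this is neither certbot’s own code nor the article’s): it builds the -d list for several domains, splits the string certbot prints into the file name and the file body, creates .well-known/acme-challenge/ with the file in a local copy of the document root, and checks the result before you upload it over FTP. The token string njANbnkWNa3xkHE.SFsiUCQtBzbWnr9a is the shortened made-up one from the text, example.com is a placeholder, and --preferred-challenges http is certbot’s real option for asking for this kind of check.

```shell
#!/bin/sh
# Added example, not from the original article: the file layout that the manual
# certbot run (steps 1 to 6 above) asks you to create, built locally so it can
# be checked before uploading it over FTP. The token string used in main() is
# made up and shortened as in the article, example.com is a placeholder domain,
# and a temporary local directory stands in for the website's document root.
set -u

# Build the certbot command for one or more domains, comma-separated in one -d.
# $@ = domains, e.g. example.com www.example.com
certbot_manual_command() {
  domains=$(printf '%s,' "$@")
  domains=${domains%,}
  printf 'certbot certonly --manual --preferred-challenges http -d %s\n' "$domains"
}

# Split the "TOKEN.THUMBPRINT" string as certbot prints it.
# Prints the part before the first dot: that is the FILE NAME (no trailing dot).
challenge_filename() {
  printf '%s\n' "${1%%.*}"
}

# Create the file certbot expects: DOCROOT/.well-known/acme-challenge/TOKEN,
# whose body is the WHOLE "TOKEN.THUMBPRINT" string. Prints the path created.
# $1 = document root (local copy, later uploaded via FTP), $2 = the whole string
write_challenge_file() {
  dir="$1/.well-known/acme-challenge"
  name=$(challenge_filename "$2")
  mkdir -p "$dir" || return 1
  printf '%s' "$2" > "$dir/$name" || return 1
  printf '%s\n' "$dir/$name"
}

# The URL Let's Encrypt will fetch once certbot is released from its pause.
# $1 = domain, $2 = the whole challenge string
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$(challenge_filename "$2")"
}

# Local version of the remote check: the file exists and its body is the string.
# $1 = document root, $2 = the whole challenge string
challenge_file_is_correct() {
  f="$1/.well-known/acme-challenge/$(challenge_filename "$2")"
  [ -f "$f" ] && [ "$(cat "$f")" = "$2" ]
}

# Stand-alone run with the made-up token from the article (shortened there too).
main() {
  token='njANbnkWNa3xkHE.SFsiUCQtBzbWnr9a'
  root=$(mktemp -d)
  certbot_manual_command example.com www.example.com
  write_challenge_file "$root" "$token"
  challenge_url example.com "$token"
  challenge_file_is_correct "$root" "$token" && echo "local check: OK"
  rm -rf "$root"
}

case "${1:-}" in --run) main ;; esac
```

Run it with sh acme-files.sh --run; in real use you point the document root at the local copy of your site and upload the .well-known tree as it is. For the step 7 directory, /etc/letsencrypt/live/<domain>/ holds privkey.pem (the private key), cert.pem (the certificate), chain.pem (the issuer’s certificate) and fullchain.pem (cert.pem followed by chain.pem); should a control panel field ask for the certificate authority bundle, chain.pem is the file that holds it.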
Voila. HTTPS should work now.
Make a small change in .htaccess to redirect non-secure requests:
This will redirect all non-https requests to the same URL with https. It will be the last rule, where .htaccess stops (the “L” flag stands for “last rule”), and the server response will be 301, Moved Permanently (the “R=301” flag). If you want to make it softer, use “302”, a temporary redirect. Do not forget to comment it out temporarily when renewing certificates after expiration, or for any other reason when you need normal access via classic http.
This is the simplest way discovered so far. No extras required, and not rocket science at all; just a couple of hours of learning (or asking someone to assist) will save you a C-note every year for the observable future. A good price for an hour, after all.
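The .htaccess change described above, as an added example that is not from the original article: a shell function that writes the rule with the L and R flags just explained, plus two helpers to comment it out and back in for the moments the text mentions, such as renewing over plain http. It assumes Apache with mod_rewrite enabled and AllowOverride permitting rewrite rules in .htaccess; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article: write the https redirect rule
# into .htaccess and toggle it off and on. Assumes Apache with mod_rewrite and
# AllowOverride allowing RewriteRule in .htaccess.
set -u

# Write the redirect into $1 (path of the .htaccess file).
# $2 = 301 (permanent, the default) or 302 (temporary, the "softer" one).
write_https_redirect() {
  code=${2:-301}
  case "$code" in
    301|302) ;;
    *) echo "use 301 or 302" >&2; return 1 ;;
  esac
  cat > "$1" <<EOF
RewriteEngine On
# only requests that did not arrive over https ...
RewriteCond %{HTTPS} !=on
# ... go to the same host and path over https; L = last rule, R = redirect code
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=$code]
EOF
}

# Comment every Rewrite* line out (e.g. for a renewal over plain http) ...
disable_https_redirect() { sed -i.bak 's/^\(Rewrite\)/#\1/' "$1"; }
# ... and back in afterwards.
enable_https_redirect()  { sed -i.bak 's/^#\(Rewrite\)/\1/' "$1"; }

# Report the redirect code the file currently enforces, or "none" when disabled.
active_redirect_code() {
  sed -n 's/^RewriteRule .*\[L,R=\([0-9]*\)\].*/\1/p' "$1" | grep . || echo none
}

# Stand-alone run against a temporary file.
main() {
  f=$(mktemp)
  write_https_redirect "$f" 301
  cat "$f"
  echo "active: $(active_redirect_code "$f")"
  disable_https_redirect "$f"
  echo "after disabling: $(active_redirect_code "$f")"
  rm -f "$f" "$f.bak"
}

case "${1:-}" in --run) main ;; esac
```

Run it with sh htaccess.sh --run to see the rule it writes; in practice pass the path of the site’s .htaccess instead of a temporary file.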
Find my contact information here. Let’s chat, Let’s encrypt.
Advocating Self-signed SSLs
Even when bearing a self-signed SSL certificate, a website still sends data through the encrypted channel (see the series of screenshots above). By that I suppose that a browser sending a warning about the possibility of a security breach practically demonstrates a “prejudice”. Anyone, good or bad, can pay a few bucks a month for the certificate, but the payment itself changes neither the nature of a person nor the intentions.
Babylon sells the green icon but they call it “security”. It is only the color.
We do not judge a man by his appearance for some theoretical future doings. Same for websites: the owner is not a bad man just because he refuses to pay Babylon for what is free of charge. Self-signed certificates are not bad in their nature.
There was a guy in Spain once, in medieval times, known for his idea of the eternal fight against windmills…
There are plenty of “trusted” websites, huge and recognizable companies (F-company, G-company, other companies) carrying lawsuits for violation of privacy, but the browsers keep influencing the audience about their ultimate security.
This article intends exclusively to spread knowledge about how to choose between certificates. A trouble-free certificate can be obtained from a provider, and it gives certain benefits, like a wildcard and a longer term, but making a choice BASED ON KNOWLEDGE is always better than no choice due to lack of information.