Self-signed certifcate for HTTPS?

[Artful Dodger]

Hi Fred (hi Neven),

Is it feasible to create a self-signed SSL certificate for use with the new forum?

http://en.wikipedia.org/wiki/Self-signed_certificate

It would ease some of the scary-looking security warnings that most web browsers display when connecting with HTTPS

And it provides a good value proposition: Free! 

[danbashaw]

I think the site currently has a self-signed certificate, which is what is causing the warning message. Only a certificate from a CA will be accepted without the alert.

Those cost about $60 a year if you shop around, so we need to pass the hat! Is there a PayPal tip jar?

[Artful Dodger]

Hi,

The SSL cert currently in use by the Forum is owned by:
(see my screenshot, attached)

ssl15.ovh.net

This is in fact a self-signed certificate (see the "Issued by" section of the cert).

The warnings currently shown are due to the fact that the name on the SSL cert does not match the name of the Forum:

forum.arctic-sea-ice.net

Whether we 'pass-the-hat' for a CA-issued cert, or we create a self-signed cert, is not the question right now.

The question is, do we have the technical means to assign a different cert on this virtual host. Or to cause it to happen. That's what I'm asking Fred.

[DungeonMaster]

Sorry, it's a low-range server right now, there's no way to add a certificate. Ways to change this:
- we may have so many users and readers that later we must change for a bigger, 'real' server - with a real certificate;
- or, sooner, I'll look for a way to integrate with a generic login system (openid, google, facebook ?)
- and I'll add a word on the New Account page to ask people not to use their "standard" password, so the risk is reduced if they're spied.

On the other hand, I've been using http forum for decades and never been hacked... so don't be over-alarmed !

[Artful Dodger]

On the other hand, I've been using http forum for decades and never been hacked... so don't be over-alarmed !

Hi Fred. Ask Daniel Bailey about the break-in and password theft at skeptical science. Or UBC Victoria. Or East Anglia. The threat is real, well-funded, and relentless.

If people login via HTTP (not HTTPS) and reuse the same password on this forum as their email account, they are vulnerable.

[Neven]

On the other hand, we have nothing to offer here, except for Arctic sea ice, but that's like Kryptonite to fake skeptics. 

[DungeonMaster]

Lodger is right, it can be dangerous for the users here IF they have their 'universal' password stolen. I only have different passwords and no general scheme to remember them - but most people have one or few passwords.

If you have precious and multiple assets, multiply the keys on your keyring.

I'm going to look for solutions.

[Artful Dodger]

Sorry, it's a low-range server right now, there's no way to add a certificate.

Hi Fred,

The issue with Apache is that an SSL cert can normally only be assigned to one virtual host, unless a unique IP address or port is assigned to the 2nd virtual host:

http://www.virtualmin.com/node/20250

This approach would work if we could get, say, port 444 (or any other) reserved for our virtual host. Then we'd just require ssl in apache's .htaccess file (would have to be done by 'root'). This would automatically redirect http access to https on port 444

The problem with this approach is that anyone that manually goes to https would still go to port 443 on the Host, and would then end up at the wrong site, even though they typed in the name of our forum. YUCK!

There is a better work-around for use with Apache called 'SNI' (Server Name Indication):

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

"With SNI, you can have many virtual hosts sharing the same IP address and port, and each one can have its own unique certificate (and the rest of the configuration)."

Unfortunately, due to the level at which this approach must be implemented, it would have to be preformed by 'root' on the host server. This is probably more work than our service provider is interested in doing for us, but we could ask. It'd be a nice upgrade for them, and their own SSL cert expires on May 5 this year, so they might be willing to make the other changes at the same time.

In summary, there may well be no simple + effective way out of this. In that case I think our best way forward is to train our forum members:

• DO NOT use the same password as your email
• Login with HTTPS
• Create a Security Certificate Exception in your web browser

A 'sticky' thread could be created and place at the top of the Forum to do this.

[DungeonMaster]

Lodger,

I've installed these tools many times for my serverd and for customers - and I know most tricks about them. But there is absolutely no way to install our own cert on this server.

So we're going to create a sticky note, plus I'm looking for a way to change the login screen to tell them NOT TO REUSE a password, and I've found a nice tool to use existing credentials - but I won't install it before testing it on another site / server, with exactly the same config.

[Artful Dodger]

So we're going to create a sticky note, plus I'm looking for a way to change the login screen to tell them NOT TO REUSE a password, and I've found a nice tool to use existing credentials - but I won't install it before testing it on another site / server, with exactly the same config.

That will be good. Thanks so much for all your effort, Fred. Greatly appreciated!

[DungeonMaster]

I've added the warning on the registration screen.

Neven can you please add the sticky note ?

 Next steps will follow.

[MikeAinOz]

Hi Guys,

Great to see the forum but you need a proper certificate. Create a tip jar please, I certainly don't mind paying a bit.

An email address for a Bpay would be adequate.

Regards

Mike

[Neven]

Gentlemen, if I understood correctly you want me to make a stickied thread with a HTTPS- explanation at the top of the 'The forum' board?

[Artful Dodger]

Great to see the forum but you need a proper certificate. Create a tip jar please, I certainly don't mind paying a bit.

Hi Mike,

If you are able, please review the discussion above between Fred "the Dungeon Master" and myself.

We do want our own SSL cert, but Fred informs us there is no way to implement that with our current service provider.

It's not an issue with choosing between a self-signed Cert or one issued by a CA for a small annual fee. It is a technical limitation of using a Virtual Host on Apache.

Hope this helps. 

[DungeonMaster]

Of course when we have hundreds of posters the server will be toooo slow and we shall move to a big server with gazillions of RAM and SSDs so we can have a real certificate. But I thought that it would be wiser to install this first server and see if it seems useful...

[Laurent]

It is the third time that the forum ask me to sign the certificate !
Is it normal ?

[Artful Dodger]

It is the third time that the forum ask me to sign the certificate !
Is it normal ?

Yes, this has happened to me each of my last two sessions.

Fred, has there been a change to the server host? Thanks?

[NeilT]

I installed the certificate into the trusted root certificate store using IE10 on my machines.  except my Netbook which seems to have blocked certificate installs for some reason.

I still get a red cert bar but it doesn't prompt any more.