Anyone else having issues with site security?

[Rejean31]

I keep getting a message that this site is not secure.

[Dan02]

Yes

[cam_calderon]

Guessing there's some issue with the security provider.

[Sainters7]

Yeah I'm having to use Tapatalk, as Chrome won't even let me visit the normal version of the site due to security concerns.

[The Original FFIV]

Me too. Says security certificate expired a day ago

[taxbuster]

Yep- exactly. Cert expired. still loads as https though.

[photon]

Yeah the certificate just expired, I had the wrong day in my calendar.

The certs have been renewed so it should be ok now.

[Buff]

It looks like you're using Let's Encrypt. Don't they automatically renew? That's what my SA told me when he recommended we switched to them...

Anyway, thanks for keeping us up and running!

[Blaster86]

Quote:

Originally Posted by photon

Yeah the certificate just expired, I had the wrong day in my calendar.

The certs have been renewed so it should be ok now.

####ing liar.


Photon just made a large purchase off Bad Dragon with my credit card.


This is my story and I am sticking to it.

[photon]

Quote:

Originally Posted by Buff

It looks like you're using Let's Encrypt. Don't they automatically renew? That's what my SA told me when he recommended we switched to them...

Anyway, thanks for keeping us up and running!

There's a tool you use to renew them, just a command from the command line. The command does a verification before doing the renewal just to make sure that things are as they should be (i.e. prove that you own the domain name), so usually it's easy to have it automated; just run the command automatically once a day or week or whatever.

Unfortunately I'm using what's called a wildcard cert and that verification method is more complicated, I have to update some DNS records with a couple of strings and there's no built in way to automate that.

I'll probably change things a bit at some point to make it easier to automate.

[dustygoon]

Quote:

Originally Posted by Blaster86

####ing liar.


Photon just made a large purchase off Bad Dragon with my credit card.


This is my story and I am sticking to it.

<googles "Bad Dragon" since don't know what it is and can't help myself>

<and cops just showed up>

[gvitaly]

Quote:

Originally Posted by photon

There's a tool you use to renew them, just a command from the command line. The command does a verification before doing the renewal just to make sure that things are as they should be (i.e. prove that you own the domain name), so usually it's easy to have it automated; just run the command automatically once a day or week or whatever.

Unfortunately I'm using what's called a wildcard cert and that verification method is more complicated, I have to update some DNS records with a couple of strings and there's no built in way to automate that.

I'll probably change things a bit at some point to make it easier to automate.

That certainly makes your life harder. I usually just upload the new .crt files once a year using WinSCP/PuTTY, restart the server instance and I'm good to go.

[Owen15]

Quote:

Originally Posted by Rejean31

I keep getting a message that this site is not secure.

I think we can all agree this site is highly insecure.

[Blaster86]

Quote:

Originally Posted by dustygoon

<googles "Bad Dragon" since don't know what it is and can't help myself>

<and cops just showed up>

You ARE a dirty girl, aren't you

[photon]

Quote:

Originally Posted by gvitaly

That certainly makes your life harder. I usually just upload the new .crt files once a year using WinSCP/PuTTY, restart the server instance and I'm good to go.

Let's Encrypt certs are only good for 3 months at a time.. but it's not that bad, the command puts the new certs in the right place so really I'm just replacing a WinSCP copy with a copy/paste into some DNS records, then do the same reload the web server and it's done.

[Buff]

Our previous web host wouldn't let us use Let's Encrypt telling us "we don't want to learn something new". So we sucked it up for a few years until it was time to refresh our sites and switch hosts. The new developer asked us to consider switching to Let's Encrypt. We were happy. I guess we don't have to worry about renewing them as the developers take care of that as part of our ongoing support and maintenance.... That frees up our time so we can be more efficient in asking our users "Have you tried turning it off and on again".

[FanIn80]

Today I learned about Bad Dragon, and I'm not so sure I needed that information.

[Blaster86]

Quote:

Originally Posted by FanIn80

Today I learned about Bad Dragon, and I'm not so sure I needed that information.

Knowledge is power. Use it wisely.

[FlamesAddiction]

Hey, just wondering if this is an issue for anyone again? I clicked on a CP link and my firewall gave me the notice saying that someone from debunk or debunker might be trying to hack through this website. On the address bar on my browser, it says "Dangerous" in red next to the CP url. None of the other websites I have tried are showing this.

Edit: I closed my browser and reopened CP, and the "Dangerous" tag is gone, so maybe nothing. Still kind of weird though.

[gvitaly]

Quote:

Originally Posted by FlamesAddiction

Hey, just wondering if this is an issue for anyone again? I clicked on a CP link and my firewall gave me the notice saying that someone from debunk or debunker might be trying to hack through this website. On the address bar on my browser, it says "Dangerous" in red next to the CP url. None of the other websites I have tried are showing this.

Edit: I closed my browser and reopened CP, and the "Dangerous" tag is gone, so maybe nothing. Still kind of weird though.

I have been getting a passive mixed content warning on my FireFox. Essentially it means that the site is secure using HTTPS, but there are linked elements such as images from other sites that might not be secure.

From my perspective that's not really an issue. Passive mixed content can't really be used to steal personal data. I think it's more of a security risk in term of phishing/misleading.

EDIT: for example on this page it's Blaster's signature picture. Which comes from http://i.imgur.com/KshaBLB.gif , and that's why it's not secure. I don't get that warning on the main forum page.