Secure connection, what to do?

Community Expert, Jun 25, 2017

My client sees the following warning when he logs into a website created by me. The site allows proprietary information to be viewed/used, but does not pose a threat if an unauthorised person gains access.

Info held in a database includes name, address, location, phone and email. According to the Privacy Act, this info may not be divulged.

Should the client invest in an SSL certificate? If so, which level? Any recommendations?

Wappler is the DMXzone-made Dreamweaver replacement and includes the best of their powerful extensions, as well as much more!
Community Expert, Jun 27, 2017

TLS (Transport Layer Security or its predecessor Secure Sockets Layer - SSL) is used to encrypt information that travels between the server and the client and from the client back to the server. The idea is that snoopers cannot decipher the info that is gathered.

Information that is not being broadcast will not be subjected to this encryption, hence the site, including database, inputs, uploads and scripts, will have to be secured in the normal way.

I have just created a support ticket to get my host to install Let's Encrypt on the server, this as a trial for one of my sites. I have also noted that

For Plesk you won't even need to install Certbot. Instead, use the extension already available in Plesk — it will also give you automatic renewal of your certificates out-of-the-box as well!

I will let you know how I go.

LEGEND, Jun 27, 2017

Thanks for the update Ben.

I would be interested to know how the Let's Encrypt works out, as the installation of the certificate is the main stopping point in recommending that to users. If possible, could you also let me know how the renewal of the Let's Encrypt goes?

The reason I ask about the renewal is that, unlike the paid-for certificates, the Let's Encrypt must be renewed every 90 days.

Community Expert, Jun 29, 2017

Our laid-back way of life has meant that my support ticket had been pushed to the bottom of the queue. It was finally processed and, to keep you updated, here it is:

Hi Ben,

We do have a platform that supports Let's Encrypt,

It's our new Plesk Platform. However, it's not currently set up to support resellers.

I'll speak to Grant and see what we need to do, so we can get them moved over to the new platform and this enabled.

William Buckley | Senior Systems Engineer

Note: Grant is the company CEO.

Seems like the rest of the world is also taking TLS seriously.

Will keep you in the loop.

LEGEND, Jun 30, 2017

BenPleysier wrote:

Seems like the rest of the world is also taking TLS seriously.

Really? Then why are hosts still selling insecure web hosting?

This has rather thrown the cat amongst the pigeons, because a lot of sites don't require a secure connection as they have no sensitive situation where they would require one, yet still the browsers flag the site up as having an 'insecure connection' if you look hard enough for it, which is quite worrying as many visitors, should they stumble across the information, will be concerned that perhaps their computer is open to abuse.

I'm concerned myself because sooner or later someone will point this out to the client or clients and then they will be concerned, even if there is no need to be concerned, and the whole thing will snowball out of control.

Going forward, for any new site I create I will investigate secure hosting, regardless of whether it's needed or not, so it's future-proof.

This seems to be what other developers I follow are doing. Old sites they are leaving 'unsecured', whilst for anything newish I have discovered they are now using HTTPS as default. This, I think, is a sensible approach for now.

Keep us informed how it goes, Ben. I may have to look for another host as my current one doesn't seem to offer anything, although I have yet to address the problem directly with them.

Community Beginner, Jun 30, 2017

Hey guys,

Is a website considered "virtual property", or do any property rights include websites, or is it country-specific?

If it is, is the website the property of whoever hosts it, or whoever owns it?

Wouldn't it be against the browser EULA not to show the user when a connection is or isn't insecure?

Could it be a marketing strategy to get more hosts/customers purchasing security protocols without exactly needing them?

Don't get me wrong, I'm all in for security, always. But I've had the same issue in the past, more than once.

The problem will always reside with the website owner; I guess nobody likes it when someone invades their property, and saying that to a lay person can be the trigger for a purchase.

TLS seems to be the bigger deal right now, although some people have already cracked HMAC-MD5 characters with a timing attack, but that is impractical in a real attack.

And I do think that those TLS/SSL implementations will occur soon, as it's a competitive advantage to sell any of these security protocols.

Hope I could add something to this discussion.

Thanks.

LEGEND, Jun 30, 2017

mtprimo wrote:

Could it be a marketing strategy to get more hosts/customers purchasing security protocols without exactly needing it?

Hosts are already doing that by claiming their 'secure' packages will enhance your Google rankings. If that is NOT a marketing ploy I don't know what is, as there is no documented evidence that this is the case.

What annoys me is that Google and the browsers are pushing for secure connections, which, if it brings greater protection, can only be good, but then why are hosts still selling unsecured hosting knowing it will be flagged up as such? Given a choice everyone wants a secure environment, so stop selling inadequate hosting, if that is what it is deemed to be; or, if a website has no need for a secure connection, the browsers should not flag it up as being insecure. Blanket coverage is being used regardless of what the situation is.

If the web was working together, any new installations should be 'forced' onto a secure connection as default. Obviously it isn't.

Community Expert, Jun 30, 2017

This has rather thrown the cat amongst the pigeons because a lot of sites don't require a secure connection as they have no sensitive situation where they would require a secure connection

Most websites have a contact form. The information using that form can be intercepted and misused if the info is not encrypted.

LEGEND, Jun 30, 2017

BenPleysier wrote:

Most websites have a contact form. The information using that form can be intercepted and misused if the info is not encrypted.

I never thought of that; maybe I should move my own site to the secure folder.

Community Expert, Jun 30, 2017

I never thought of using a secure connection; I thought that having a secure website using encrypted passwords and a handshake protocol between the user and the application was sufficient. It was only the popup warning in FF that made me think. Reading up on the subject has made me even more determined to start using TLS for my websites, and I think that browsers will gradually refuse to show any website without encryption, which, as the following image shows, is already happening.

2017-06-30_23-26-03.jpg

I also believe that TLS and HTTPS don't provide enough safety against all adversaries in all situations and that we are at an infancy stage regarding security.

As mtprimo has said, encryption can be cracked, but that is not a reason to ignore security. Upon discovery of a hacked encryption, certificates will be revoked and (hopefully automatically) replaced with new ones.

LEGEND, Jun 30, 2017

BenPleysier wrote:

I never thought of using a secure connection; I thought that having a secure website using encrypted passwords and a handshake protocol between the user and the application was sufficient. It was only the popup warning in FF that made me think. Reading up on the subject has made me even more determined to start using TLS for my websites, and I think that browsers will gradually refuse to show any website without encryption, which, as the following image shows, is already happening.

2017-06-30_23-26-03.jpg

I also believe that TLS and HTTPS don't provide enough safety against all adversaries in all situations and that we are at an infancy stage regarding security.

As mtprimo has said, encryption can be cracked, but that is not a reason to ignore security. Upon discovery of a hacked encryption, certificates will be revoked and (hopefully automatically) replaced with new ones.

I've not seen a message of that size directly pop up as yet, but I would think if it does that would scare the shite out of pretty much anyone and they will run a mile...........humm

It seems to me we are in a state of confusion: hosts are ignoring it and Google and browsers are pushing for it to happen.

I just updated a client site which needed login details to the control panel provided, and these pesky messages appeared once I clicked inside the form fields. I'm sure they weren't there when I last logged in a week or so ago, otherwise I would have noticed them.

Hey ho this is going to be fun once the clients start complaining.

LEGEND, Jun 30, 2017

BenPleysier wrote:

This has rather thrown the cat amongst the pigeons because a lot of sites don't require a secure connection as they have no sensitive situation where they would require a secure connection

Most websites have a contact form. The information using that form can be intercepted and misused if the info is not encrypted.

They do, but at the moment you get no 'warning' if you click inside the form field boxes unless it's a 'password' field, which is even more confusing because, as you point out, any information could be intercepted, password field or otherwise - so why not ALL form field boxes?

Enthusiast, Jun 27, 2017

The problem with this is not the site security, but that the information sent from site to the server is not encrypted.

So imagine the following situation:

You are sitting in a cafe/airport/bar with a free WiFi network. You are entering your login credentials / CC info etc. in a form on a non-HTTPS site. Every teenager with a little knowledge and interest in networking, with a Linux distribution installed on his laptop, could easily sniff all of the traffic in the network, which of course will result in stolen login details ... (don't tell me this could not happen, as these things happen more often than you think)

I've done that just to demonstrate to people how easy it is to steal their login data in open WiFi networks, when they do not pay attention to where and what they are entering.

That's why I always use a VPN, whose server I run in my home network, and connect to it every time I connect to a free WiFi hotspot....

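The point made several times in this thread, that a contact or login form on a plain-HTTP page sends its contents in cleartext and that browsers only warn for password fields, can be checked mechanically. The following is an added example, not code from the thread or from any browser; the names FormAuditor and audit_forms and the sample page are constructed for illustration, and the check goes slightly beyond the thread by also flagging a form on an HTTPS page whose action points at an explicit http:// URL.

```python
# Added example, not from the thread or any browser: flag forms that submit over plain HTTP.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect each form's effective submit URL and the input types inside it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": str, "inputs": [type, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return (action_url, reason) for every form that would submit over plain HTTP.

    Browsers warn only for password fields on non-HTTPS pages; this applies the
    stricter rule argued for in the thread and flags every such form."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if urlsplit(form["action"]).scheme != "https":
            kind = "credentials" if "password" in form["inputs"] else "form data"
            findings.append((form["action"], kind + " sent in cleartext"))
    return findings


# Constructed sample page served from http://example.invalid/login: a login form with
# no action (posts back over HTTP), a contact form posting to HTTPS, a search form on HTTP.
SAMPLE_HTML = """
<form><input name="user"><input type="password" name="pw"></form>
<form action="https://example.invalid/contact" method="post"><input type="email" name="e"></form>
<form action="/search"><input name="q"></form>
"""

print(audit_forms("http://example.invalid/login", SAMPLE_HTML))
```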