Web Hosting Forum | Lunarpages

Author Topic: Let's Encrypt  (Read 6529 times)

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1552
    • http://www.notonebit.com
Let's Encrypt
« on: February 19, 2016, 06:49:06 AM »
Is LP planning to offer this free service? Other hosts have already implemented it, so I'd expect LP to follow suit.

For those unfamiliar with Let's Encrypt (https://letsencrypt.org/):

Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. Let's Encrypt is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let's Encrypt are:
  • Free: Anyone who owns a domain name can use Let's Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let's Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let's Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort to benefit the community, beyond the control of any one organization
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6163
Re: Let's Encrypt
« Reply #1 on: February 20, 2016, 02:32:38 PM »
Does this require or allow SNI (Server Name Indication)? That is a shared IP address for private certs; http://forums.oscommerce.com/topic/409069-server-name-indication/ . Anyone know what LP's position is on this for Basic plans (Linux shared server)? It would be nice not to have to pay for a dedicated IP address, and to use a low cost or free SSL certificate for a low-volume ecommerce site.
-= From the ashes shall rise a sooty tern =-

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1552
    • http://www.notonebit.com

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6163
Re: Let's Encrypt
« Reply #3 on: February 22, 2016, 12:55:59 PM »
My browser tells me there is no groups.lunarpages.com. Could you check that first URL?

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1552
    • http://www.notonebit.com
Re: Let's Encrypt
« Reply #4 on: February 23, 2016, 07:25:46 AM »
lol that's not the link I posted. The forum changed it! Substitute google for lunarpages in that link. What kind of stupid filter is this?


Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6163
Re: Let's Encrypt
« Reply #5 on: November 20, 2016, 09:14:44 AM »
So, what choices does a Lunarpages customer have if they want to enable SSL on their site? I am considering opening a store on my site, which will require SSL (HTTPS) on at least some of its pages (ones carrying sensitive information). Also, Google is starting to downrank HTTP sites in favor of HTTPS sites (not just pages), so in the long run it's good to have a site completely HTTPS.

For a long time, LP has offered static IP addresses and commercial private SSL certificates, which may be a bit on the expensive side for small shops. They also offer shared SSL certificates for free, but the domain used will not match the rest of your site, which can put off a lot of customers. Do shared certificates still not work with PHP? I don't expect LP to offer private SSL certificates for free, since there is a cost associated with them, but what can they offer us that's fairly low cost? Dedicated IPv4 addresses are also going to get quite expensive, so some method that allows sharing or virtual IP addresses would be very good.

Don't forget that SSL comes in different encryption strengths (e.g., 128, 256, 1024 bit), and some financial (payment) services may require fairly strong encryption (now or in the future).

http://wiki.lunarpages.com/Adding_Features/SSL
http://wiki.lunarpages.com/Additional_Dedicated_Hosting_Features/Dedicated_Linux_SSL_Certificate
http://wiki.lunarpages.com/SSL_Renewal_is_not_automatic

Offline MichaelT

  • Support
  • Jabba the Hutt
  • *****
  • Posts: 579
Re: Let's Encrypt
« Reply #6 on: November 20, 2016, 11:52:19 PM »
At this time, Let's Encrypt certificates are not supported on the shared servers, although this may change at some time in the future. Until then, Let's Encrypt certificates would require either a VPS or Dedicated server.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6163
Re: Let's Encrypt
« Reply #7 on: November 22, 2016, 07:50:50 AM »
An interesting article: http://www.theregister.co.uk/2016/01/07/net_scum_getting_lets_encrypt_certs_for_malware/

Now, The Register has become something of an online tabloid, and its articles should be taken with a few grains of salt. If I read the article correctly, Let's Encrypt SSL certificates themselves have not been compromised, but the problem is that bad actors are using them to encrypt malware deliveries from malicious (or compromised?) sites, so that en-route scanners don't pick up malware. The basic problem seems to be that those running Let's Encrypt feel it is not their job to enforce anti-malware site lists. Other certificate vendors apparently do revoke certificates if those sites are being used to distribute malware.

The bottom line is that while Let's Encrypt SSL certificates are apparently as good as anyone else's, they may be getting a bad odor about them for their policies on malware sites. Does anyone know if this has changed since this article was posted nearly a year ago?

 
