SSL (HTTPS)

[ajnl]

Is it worth while to get SSL for a personal site?

 

Is it possible to get SSL for free, or are all the "free" ones scams?

 

What other measures can I take to ensure my website is protected? (I already password protected most of the directories)

[DogPatch]

No, its not worth it. All it does is encrypt data to and from the site, and I only recommend using SSL for sites that deal with personal information like bank details and addresses.

 

Like on my Store, the only pages that have SSL are the ones that deal with credit cards and bank information.

 

You can use cloudflare and use their SSL.

 

but SSL is known to slow down sites.

 

What is your site about ?

What  are you running (like Wordpress, Joomla, Drupal...) ?

Edited May 22, 2014 by DogPatch

[Quovadis]

SSL is protocol with data encryption. Basicly the sender encrypt it and the receiver decrypts it using the "key" they share which ensures only the receiver can interpret it.

 

IMO it should only be worth if there is data sent by client/server that you want to guarentee at most that the "inbetween actors" aren't able to interpret. (ISP , network admin of a workplace, etc)

ex: credit card , social security numbers , etc

 

I only have basic knowlege of networking (I admin our Virtual Machine running CENTOS6 @ work) since I am a programmer.

From what I understand anyone should be able to setup SSL pretty easily on their server by installing a few packages and configuring a few files (and port fowarding and etcs on router).

That is of course if you have access to your server.

 

Is it home hosted , do you pay for a dedicated machine or do you pay direcly for an hosting package?

 

If it is the 3rd, you have good chances that your provider will be making you pay more $$$ for those services.

 

 

As of the rest it depends on which type of website you have. What kind of server treatment happens on it? Databases?

 

Basic security would be to securing your website against Javascript code injections , mysql injections ,brute force ftp/sftp/ssh login

 

 

If you send me your website URL I can always have a fast look on most important things.

[DogPatch]

From what I understand anyone should be able to setup SSL pretty easily on their server by installing a few packages and configuring a few files (and port fowarding and etcs on router).

 

SSL Costs money.

they can be cheap - https://www.namecheap.com/security/ssl-certificates/comodo.aspx

Or very expensive - http://www.digicert.com/ssl-certificate-comparison.htm

 

Or use cloudflares free one -  Just noticed that cloudflare only include ssl in their paid plans.

 

 

Is it worth while to get SSL for a personal site?

 

Honestly I don't think it is worth it for a personal site.

[Quovadis]

SSL Costs money.

they can be cheap - https://www.namecheap.com/security/ssl-certificates/comodo.aspx

Or very expensive - http://www.digicert.com/ssl-certificate-comparison.htm

 

Or use cloudflares free one -  Just noticed that cloudflare only include ssl in their paid plans.

 

 

 

Honestly I don't think it is worth it for a personal site.

 

Wait this isn't SSL , SSL is a protocol , it's free to use to anybody.

 

Your links points to SSL certificates.

 

Theres a big differance between Self Signed SSl and Certified SSL but still, both are still SSL.

[DogPatch]

Wait this isn't SSL , SSL is a protocol , it's free to use to anybody.

 

Your links points to SSL certificates.

 

Theres a big differance between Self Signed SSl and Certified SSL but still, both are still SSL.

 

I don't like Self Signed SSL and don't recommend it.

Honestly the Certified SSL is so cheap, that if you are going to use SSL you might as well do it properly. Its only $9 a year.

 

Self signed SSL is only recommended for test/development sites. Also visitors to your site will get a warning about the SSL certificate, which you don't want your visitors to see.

[Seggy]

SSL Costs money.

they can be cheap - https://www.namecheap.com/security/ssl-certificates/comodo.aspx

Or very expensive - http://www.digicert.com/ssl-certificate-comparison.htm

 

It depends. SSL, the protocol, itself does not cost money. You can easily use your own server key and self-sign the certificate. All this really does is tell a browser is that "Yes, this website has verified that the certificate they presented has been signed by them and they are who they say they are." It's useful for testing and also if you don't have a need for verification by a trusted certificate root, such as Verisign.

 

What costs money is the verification by a company, such as Verisign. The certificates you get can be signed by third party entities. Thus, your certificate can be signed by a company like Verisign saying that, "Yes, we verify that the certificate presented to this browser, with the signatures, is in fact a genuine certificate that we have signed." You can, in fact, have certificate chains. So if you have a certificate that has been signed by Verisign, but then you can use that certificate to sign other certificates. If a user indicates that they trust Verisign, the fact that your certificate (that was signed by Verisign) is used to sign another certificate establishes a chain.

 

As to the performance issue. In years past, SSL was a pretty CPU intensive process. Most operators would only encrypt the parts that needed it. With hardware these days, it's not such a huge overhead. This is why Google or Facebook are fine with using SSL for their entire sites. In the past, they too didn't use SSL for everything.

[menatwork]

I'm not one to bump old topics - but in case you're still interested - Seggy is correct, it's not that expensive on today's hardware.

 

Furthermore, you can get a free certificate from StartSSL (which will show up on most browsers as certified) - though, there are some catches - if you need it re-issued, you'll need to pay.

 

On the other hands, there's also an interesting project coming up: https://letsencrypt.org in September 2015; which will essentially issue "free" certificates to anyone. ( https://letsencrypt.org/howitworks/ )

[Quovadis]

https://www.cloudflare.com/

 

Free certificate + ddos protection + web optimization

[Bow_In_Honor]

I'm not one to bump old topics

Then don't. I see you are new to the forums, but you shouldn't be bumping age old topics just because you have some knowledge of the subject. Post whoring isn't going to get you a higher admin status, and quite frankly, it's annoying.

Edited July 29, 2015 by Bow_In_Honor

[menatwork]

Then don't. I see you are new to the forums, but you shouldn't be bumping age old topics just because you have some knowledge of the subject. Post whoring isn't going to get you a higher admin status, and quite frankly, it's annoying.

 

Hold off on your assumptions for a second. If you've looked at my post history you'll know I'm generally trying to help. I've got level 7, that's plenty for me (the only two reasons I got platinum VIP is to help F|A and to not get kicked for inactivity when spec [it's annoying whilst smoking]) so I'm not "Post whoring" and I'm not trying to get a higher level of admin. I'm merely trying to help people.

 

In this case, I bumped it because I wanted to share the information about letsencrypt - so that people looking at this later (either when browsing the forum or if they got here via Google) can easily find it - and furthermore, the startssl link - on top of that, I also see that Quovadis replied with Cloudflare - and as said earlier in this topic; it's for paid users only - except, now it's for free users too.. so, that might also be useful information for people who are looking at this.

 

I don't know about you but isn't it generally a good idea to update information after it becomes obsolete? ;-)

 

Anyway, I'm sorry if it was against the rules; but please, it's not all about levels and the likes.

[Bow_In_Honor]

Hold off on your assumptions for a second. If you've looked at my post history you'll know I'm generally trying to help. I've got level 7, that's plenty for me (the only two reasons I got platinum VIP is to help F|A and to not get kicked for inactivity when spec [it's annoying whilst smoking]) so I'm not "Post whoring" and I'm not trying to get a higher level of admin. I'm merely trying to help people.

 

In this case, I bumped it because I wanted to share the information about letsencrypt - so that people looking at this later (either when browsing the forum or if they got here via Google) can easily find it - and furthermore, the startssl link - on top of that, I also see that Quovadis replied with Cloudflare - and as said earlier in this topic; it's for paid users only - except, now it's for free users too.. so, that might also be useful information for people who are looking at this.

 

I don't know about you but isn't it generally a good idea to update information after it becomes obsolete? ;-)

 

Anyway, I'm sorry if it was against the rules; but please, it's not all about levels and the likes.

Yeah I've seen your post history, and it's pretty sparadic to me, seeing how you've been here three days(no introduce post), and your excuse about "wanting to update people about letsencrypt and people who google it" is pretty lame excuse. Anyone with access to a browser could look up that information without help of your post. And the reason Quovadis replied is because YOU BUMPED THE POST. That's why you shouldn't bump year old posts. Please explain to me how you are helping when you are bumping posts long gone dead? We aren't a information storage server, we are a forum that keeps everything fresh.

Edited July 29, 2015 by Bow_In_Honor

[menatwork]

Well it's not an excuse but an explanation; anyway, I'll refrain from 'bumping' in the future, sorry.

 

(edit: I've made an introduction post, though - the reason why I didn't is because I'm not good at writing about myself in such a context.. but there it is).

Edited July 29, 2015 by w00tw00t

[Heretic121]

I'm not one to bump old topics - but in case you're still interested - Seggy is correct, it's not that expensive on today's hardware.

 

Furthermore, you can get a free certificate from StartSSL (which will show up on most browsers as certified) - though, there are some catches - if you need it re-issued, you'll need to pay.

 

On the other hands, there's also an interesting project coming up: https://letsencrypt.org in September 2015; which will essentially issue "free" certificates to anyone. ( https://letsencrypt.org/howitworks/ )

 

Thank you for the information, w00t, however please don't bump old topics. Anything over a couple of months is probably a bad idea

If you really wanted to share the information then perhaps creating a new topic, and then linking to this one, might have been better?

 

Yeah I've seen your post history, and it's pretty sparadic to me, seeing how you've been here three days(no introduce post), and your excuse about "wanting to update people about letsencrypt and people who google it" is pretty lame excuse. Anyone with access to a browser could look up that information without help of your post. And the reason Quovadis replied is because YOU BUMPED THE POST. That's why you shouldn't bump year old posts. Please explain to me how you are helping when you are bumping posts long gone dead? We aren't a information storage server, we are a forum that keeps everything fresh.

 

[PM sent instead]

 

EDIT: Oh, and // Locked.

Edited July 29, 2015 by Heretic121