Question on https for slimesalad + firefox

marionline · Post by **marionline** » Wed Feb 01, 2017 9:28 pm

Hello!
I feel a bit stupid, but I am wondering what firefox's https-warning for slimesalad trying to tell me.
It says the website is not secure.

Did anyone else notice?
The reasons shown are the certificate is self-signed and not valid for slimesalad.com.

I'm not sure about the meaning of this. Is it that my web browser went paranoid after an update?

Post by **Bob the Hamster** » Wed Feb 01, 2017 10:22 pm

I think it just means it is a self-signed certificate as opposed to a certificate signed by a trusted signer.

So it does protect against some level of eavesdropping, but does not verify site identity in any meaningful way.

(Untill today I had no idea that slimesalad even had any kind of https cert)

Post by **TMC** » Wed Feb 01, 2017 11:53 pm

The certificate is issued by DreamHost to itself. But even if you add a security exception, you'll find that you can't actually access SS over https -- you get a "Site not found" error. I'm guessing that that certificate is probably only used as a fallback by the hosting company to show error messages in case the website hasn't set up https. DreamHost might charge extra for https hosting, since it increases resource usage.

Post by **Bob the Hamster** » Thu Feb 02, 2017 3:05 am

I use dreamhost too, and they provide completely free https using "Let's Encrypt" I have it working on all my domains.

I was assuming that Mogri had created his own SSL cert sometime before dreamhost added Let's Encrypt support-- but that was just a guess, I really don't know

Post by **Mogri** » Thu Mar 02, 2017 4:25 pm

Bob the Hamster wrote:I use dreamhost too, and they provide completely free https using "Let's Encrypt" I have it working on all my domains.

I was assuming that Mogri had created his own SSL cert sometime before dreamhost added Let's Encrypt support-- but that was just a guess, I really don't know

Hello hi. I've added a SSL cert. I had assumed that I would have to pay cash moneys for a cert, but I guess that's so last decade at this point. I should probably set up htaccess forwarding to https at this point, hmm?

Taco Bot · Post by **Taco Bot** » Thu Mar 02, 2017 4:38 pm

Mogri wrote:Hello hi. I've added a SSL cert. I had assumed that I would have to pay cash moneys for a cert, but I guess that's so last decade at this point. I should probably set up htaccess forwarding to https at this point, hmm?

For sure. And thank you so much for setting up https. I was a little sketched out that ss was transmitting everything as plaintext. (I think? That's what I was led to believe?)

Post by **Bob the Hamster** » Thu Mar 02, 2017 8:31 pm

Yay! The automatic https:// redirect works great :)

Post by **TMC** » Fri Mar 03, 2017 4:45 am

Fantastic!

Let's Encrypt certs do have short expiry times though, have to watch out for that. It's apparently to encourage people to automate switching to new certificates regularly.

Post by **Bob the Hamster** » Fri Mar 03, 2017 1:04 pm

Fortunately dreamhost already automated it

FyreWulff · Post by **FyreWulff** » Sun Mar 05, 2017 1:07 am

TMC wrote:Fantastic!

Let's Encrypt certs do have short expiry times though, have to watch out for that. It's apparently to encourage people to automate switching to new certificates regularly.

yeah, the point behind the constant expiry is that it's better than trying to maintain a growing giant blacklist of "bad" certs. Instead, certs just expire really fast, not lingering around and being a pain in the butt for future browsers.