If you are looking to make your site SSL enabled so Google doesn’t mark it as 
untrusted by June/July, here is the quick and dirty to make life easy.

1. Spin up a machine and install Webmin and Virtualmin on it.  This is very very 
easy for simple websites.  Lots of tutorials.
2. Once you have your sites as domains in Virtualmin, you go to the SSL options 
of each site, click a few buttons and you are done.  It goes out and requests a 
certificate from Let's Encrypt, installs it in your webserver, and gives you the 
option to install it in Postfix, FTP, etc.  Very easy.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Apr 9, 2018, at 9:19 PM, Steve Jones <thatoneguyst...@gmail.com> wrote:
> 
> I'm not going to lie, I forgot that https is encrypted.
> 
> On Mon, Apr 9, 2018, 5:32 PM Mike Hammett <af...@ics-il.net> wrote:
> Being really smart at cryptography has nothing to do with whether it needs to 
> be encrypted or not in the first place.
> 
> I'm not against encryption. Many things certainly require it.
> 
> That URL is indicative of groupthink, not the case for HTTPS everywhere.
> 
> https://en.wikipedia.org/wiki/Groupthink
> 
> Why might Wikipedia want to HTTPS everything? Their mission is the 
> dissemination of information to everywhere, including countries that have 
> content filters. Of course that doesn't actually stop anyone from actually 
> doing a MITM, it just increases the amount of resources required to do the 
> job. 
> 
> 
> 
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
>  <https://www.facebook.com/ICSIL> 
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> 
> <https://www.linkedin.com/company/intelligent-computing-solutions> 
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
>  <https://www.facebook.com/mdwestix> 
> <https://www.linkedin.com/company/midwest-internet-exchange> 
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
>  <https://www.facebook.com/thebrotherswisp>
> 
> 
>  <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
> To: af@afmug.com
> Sent: Monday, April 9, 2018 5:27:25 PM
> Subject: Re: [AFMUG] ssl certs
> 
> The discussion has been hashed out quite thoroughly by people who are far 
> more knowledgeable about cryptography than you or I will ever be - about 
> twenty years ago, when SSL was first popularized. It's been continually 
> developed since then. The really funny thing is that you linked to an https 
> website for your URL promoting the credentials of that one specific dude, in 
> defense of your argument. Why isn't it plain http?
> 
> 
> On Mon, Apr 9, 2018 at 3:24 PM, Mike Hammett <af...@ics-il.net> wrote:
> A position so weak, it can't stand up to a discussion? How sad.
> 
> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
> To: af@afmug.com
> Sent: Monday, April 9, 2018 5:22:40 PM
> Subject: Re: [AFMUG] ssl certs
> 
> Yeah I think I'll skip a 45 minute podcast that seems to have an anti-crypto 
> agenda, and continue reading the IETF mailing lists instead. Standardization 
> and implementation of TLS1.3 will continue onwards even if the 
> techno-luddites ignore its existence.
> 
> 
> On Mon, Apr 9, 2018 at 3:19 PM, Mike Hammett <af...@ics-il.net> wrote:
> Also, listen to the cast.
> 
> Well, or don't. It might make you think for yourself.
> 
> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
> To: af@afmug.com
> Sent: Monday, April 9, 2018 5:14:32 PM
> Subject: Re: [AFMUG] ssl certs
> 
> The score:
> 
> Podcast with six people I've never heard of: 0
> 
> Every network security expert currently active in the field: 1
> 
> Confidential information aside, having 100% confidence that the content 
> served up by your httpd will appear exactly as you intend it on the end 
> user's browser is useful. There are too many shitty/unethical ISPs that do 
> MITM and javascript injection on plaintext http now. 
> 
> 
> 
> 
> On Mon, Apr 9, 2018 at 3:09 PM, Mike Hammett <af...@ics-il.net> wrote:
> Confidential data, sure. Billing portals, shopping carts, etc. sure.
> 
> The marketing materials on my web site? Why?
> 
> 
> The podcast I linked to goes into a lot of it.
> 
> From: "Simon Westlake" <simon@sonar.software>
> To: af@afmug.com, af@afmug.com
> Sent: Monday, April 9, 2018 5:06:26 PM
> Subject: Re: [AFMUG] ssl certs
> 
> Moving any kind of confidential data in the clear is irresponsible.
> Moving HTTP traffic across the Internet leaves you open to having the data 
> modified, or having malicious Javascript injected.
> 
> It's up to you whether or not you care about that, but it has been reduced to 
> pasting 3 lines into a terminal to get a valid, automatically renewing 
> certificate. It seems pointless not to when the benefits are tangible.
> 
> ------ Original Message ------
> From: "Mike Hammett" <af...@ics-il.net>
> To: af@afmug.com
> Sent: 4/9/2018 5:02:29 PM
> Subject: Re: [AFMUG] ssl certs
> 
> Why? Why is any of that necessary?
> 
> I have no intentions of inspecting anyone's traffic. I just don't find HTTPS 
> everywhere necessary. I have yet to hear a viable reason to do it.
> 
> 
> OH NO!  SOMEONE SAW MY WEB SITE!!!
> 
> 
> https://www.youtube.com/watch?v=18PbwYdjsps
> 
> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
> To: af@afmug.com
> Sent: Monday, April 9, 2018 4:59:23 PM
> Subject: Re: [AFMUG] ssl certs
> 
> I offer a directly contradicting opinion, that it's foolish in the year 
> 2018 to not implement end to end TLS wherever possible. The number of 
> problems you can solve by avoiding things that maliciously MITM regular http 
> traffic are considerable. The crypto libraries to do it properly (OpenSSL, 
> etc for apache2 and nginx) and Letsencrypt are free. 
> 
> The Internet is moving towards things like DNS-over-TLS. Mail transport 
> between most properly configured smtpd now will use TLS1.2 (my Postfix smtpd 
> negotiates TLS successfully with >98% of big ISP/cloud providers' smtpd 
> clusters). If a WISP thinks that they "need" things to remain unencrypted so 
> that they can more easily manage their traffic or inspect it, they'll be left 
> behind in the dustbin of history.
> 
> 
> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett <af...@ics-il.net> wrote:
> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.
> 
> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
> To: af@afmug.com
> Sent: Monday, April 9, 2018 4:54:05 PM
> Subject: Re: [AFMUG] ssl certs
> 
> What's hard about doing TLS1.2 everywhere?  Every web browser shipped or 
> updated from mid-2012 onwards supports 1.2.  The population of browsers that 
> only support TLS1.0 and 1.1 is less than 1% now by most measurements of 
> useragent on a large scale.
> 
> 
> 
> On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett <af...@ics-il.net> wrote:
> "You should have https (TLS1.2) everywhere, on every sort of public facing 
> httpd these days, with at least a letsencrypt certificate."
> 
> We'll eventually have to because Google, etc. will make us, but it's 
> extremely unnecessary. It's even foolish in many situations.
> 
> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
> To: af@afmug.com
> Sent: Monday, April 9, 2018 4:49:01 PM
> Subject: Re: [AFMUG] ssl certs
> 
> I have seen studies showing that ecommerce checkout/cart servers do have 
> lower "abandon order" rates when using EV SSL. If you're going to have one 
> billing server hostname that you fully control (eg: 
> https://billing.ispname.com) it might be worth it.
> 
> Things like Paypal, online banking and other stuff do make extensive use of 
> EV SSL.
> 
> It used to cost $395/year, now it's $85/year and dropping in price further. 
> 
> The big change coming in both Chrome and Firefox is that any non-https page 
> will soon be marked as "Insecure" in the URL/address bar. You should have 
> https (TLS1.2) everywhere, on every sort of public facing httpd these days, 
> with at least a letsencrypt certificate.
> 
> 
> 
> On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake <simon@sonar.software> wrote:
> In 99.9% of cases, EV is useless. If you are going to educate your customers 
> religiously to look not only for the green padlock, but for your name in the 
> address bar, maybe it's worthwhile. Most people don't look or care. Google 
> doesn't have an EV cert. Neither does Microsoft or Facebook. My power company 
> doesn't. Most insurance companies don't.
> 
> The only place I've seen them used heavily is in the financial sector, and 
> I'd guess that's more about CYA than technical value.
> 
> ------ Original Message ------
> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
> To: af@afmug.com
> Sent: 4/9/2018 3:03:38 PM
> Subject: Re: [AFMUG] ssl certs
> 
> These days there are essentially two types of SSL cert, DV and EV.
> 
> DV = domain validated. Anyone can get one. This is the same idea for the $9 
> SSL certs and free letsencrypt. You only need to prove you control the 
> domain/server it's issued for.
> 
> EV = extended validation, you need to prove your corporate identity. Should 
> cost around $85/year.
> 
> EV will result in the big green banner with company name in most modern web 
> browsers.
> 
> https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8
> 
> On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones <thatoneguyst...@gmail.com> wrote:
> tbh, I'm not really looking for alternative sources, I'm asking advice on what 
> I need in a certificate
> 
> On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum <cc...@murcevilo.com> wrote:
> ssls.com
> 
> On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones <thatoneguyst...@gmail.com> wrote:
> I'm no webdude is the main reason. I know a lot of people use it, phishermen 
> love them. They're "trusted, but not verified" which, to no webdude me, says 
> "IT WILL BECOME UNTRUSTED". I hate GoDaddy, but they're not likely to become 
> untrusted, so it's not something I'd have to deal with with little to no 
> knowledge. Plus I don't understand this 90 day thing
> 
> 
> On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett <af...@ics-il.net> wrote:
> Can you use Let's Encrypt?
> 
> From: "Steve Jones" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Sent: Monday, April 9, 2018 12:07:04 PM
> Subject: [AFMUG] ssl certs
> 
> Our current cert for our billing server (powercode) is about to expire. For 
> some time web browsers have been throwing up the insecure flag, probably 
> needed to update it.
> 
> What does a guy need in a certificate these days? GoDaddy is where we have it 
> from, they have all kinds of options like green bar guarantee cert, etc.
> 
> I have thought about getting one that's good for more than one page, just to 
> get rid of the annoying security screen on our management port and mobile. But 
> the wildcard cert seems more pricey than I'd prefer for something that's just 
> convenient rather than needed
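Added example, not part of the thread: the original question asks about one certificate for several hostnames versus a wildcard, and about Let's Encrypt's 90-day certificates. This Python sketch audits a certificate, in the dict shape `ssl.SSLSocket.getpeercert()` returns, for hostname coverage and renewal timing; the `isp.example` hostnames, the certificate data and the 30-day renewal window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: renew once fewer than 30 days remain

# Constructed sample data in the dict shape ssl.SSLSocket.getpeercert() returns.
BILLING_CERT = {"notAfter": "Apr 24 12:00:00 2018 GMT",
                "subjectAltName": (("DNS", "billing.isp.example"),)}
WILDCARD_CERT = {"notAfter": "Jul  9 12:00:00 2018 GMT",
                 "subjectAltName": (("DNS", "*.isp.example"),)}
HOSTS = ["billing.isp.example", "manage.isp.example", "m.isp.example"]
NOW = datetime(2018, 4, 10, 12, 0, 0, tzinfo=timezone.utc)


def san_matches(pattern, hostname):
    """Match a SAN entry against a hostname; '*' covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans dots or the bare apex
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit(cert, hostnames, now):
    """Report days until expiry, renewal need, and hostnames the cert does not cover."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now.timestamp()) // 86400)
    return {
        "days_left": days_left,
        "expired": days_left < 0,
        "renew": days_left < RENEW_WINDOW_DAYS,
        "uncovered": [h for h in hostnames
                      if not any(san_matches(s, h) for s in sans)],
    }


if __name__ == "__main__":
    for name, cert in (("billing", BILLING_CERT), ("wildcard", WILDCARD_CERT)):
        print(name, audit(cert, HOSTS, NOW))
```

The single-name certificate leaves the management and mobile hostnames uncovered, while the wildcard covers all three but would not cover the bare `isp.example` or a deeper name such as `a.b.isp.example`.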