30 Matching Annotations
  1. Dec 2022
  2. Jul 2022
  3. Oct 2021
    1. Let's Encrypt + Ghost

      Self-Hosting on DigitalOcean means setting up Let’s Encrypt to configure SSL.

      ghost setup ssl
      
  4. May 2020
    1. If your hosting provider does not support HTTPS, the following options are available: You can contact your web hosting provider: tell them you want a free HTTPS certificate through Let’s Encrypt. You’re probably not the only one using your web hosting provider service who wants HTTPS. You can request that your web hosting provider offer Let’s Encrypt HTTPS certificates as a free part of their hosting package. An effective way to make this ask is through email, their help desk system, or by contacting the web hosting provider through social media. You can switch to a different web hosting provider. Find a web hosting provider who offers full HTTPS support as part of their web hosting package by checking our list. You might be able to use Certbot. If you have SSH access to the server your website is hosted on, you might be able to use Certbot. You will need to know the software and system your server is running on. After you confirm the software and system information, you can use the dropdown menus above to generate specific instructions for running Certbot on your server through the command line.
    1. ABSTRACT Let’s Encrypt is a free, open, and automated HTTPS certificate authority (CA) created to advance HTTPS adoption to the entire Web. Since its launch in late 2015, Let’s Encrypt has grown to become the world’s largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let’s Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA–server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let’s Encrypt’s impact on the Web and the CA ecosystem. We hope that the success of Let’s Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure.
    1. public-benefit digital infrastructure projects, the first of which was the Let's Encrypt certificate authority. ISRG's founding directors were Josh Aas and Eric Rescorla. The group's founding sponsors and partners were Mozilla, the Electronic Frontier Foundation, the University of Michigan, Cisco, and Akamai.
    2. About Internet Security Research Group Mission Our mission is to reduce financial, technological, and educational barriers to secure communication over the Internet.
    1. HTTPS Everywhere HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure. Encrypt the web: Install HTTPS Everywhere today.
    1. Certbot is part of EFF’s larger effort to encrypt the entire Internet. Websites need to use HTTPS to secure the web. Along with HTTPS Everywhere, Certbot aims to build a network that is more structurally private, safe, and protected against censorship. Certbot is the work of many authors, including a team of EFF staff and numerous open source contributors.
    2. What’s Certbot? Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS. Certbot is made by the Electronic Frontier Foundation (EFF), a 501(c)3 nonprofit based in San Francisco, CA, that defends digital privacy, free speech, and innovation.
    1. The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

      To understand how the technology works, let’s walk through the process of setting up https://example.com/ with a certificate management agent that supports Let’s Encrypt. There are two steps to this process. First, the agent proves to the CA that the web server controls a domain. Then, the agent can request, renew, and revoke certificates for that domain.

      Domain Validation

      Let’s Encrypt identifies the server administrator by public key. The first time the agent software interacts with Let’s Encrypt, it generates a new key pair and proves to the Let’s Encrypt CA that the server controls one or more domains. This is similar to the traditional CA process of creating an account and adding domains to that account.

      To kick off the process, the agent asks the Let’s Encrypt CA what it needs to do in order to prove that it controls example.com. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

      - Provisioning a DNS record under example.com, or
      - Provisioning an HTTP resource under a well-known URI on http://example.com/

      Along with the challenges, the Let’s Encrypt CA also provides a nonce that the agent must sign with its private key pair to prove that it controls the key pair.

      The agent software completes one of the provided sets of challenges. Let’s say it is able to accomplish the second task above: it creates a file on a specified path on the http://example.com site. The agent also signs the provided nonce with its private key.

      Once the agent has completed these steps, it notifies the CA that it’s ready to complete validation. Then, it’s the CA’s job to check that the challenges have been satisfied. The CA verifies the signature on the nonce, and it attempts to download the file from the web server and make sure it has the expected content.

      If the signature over the nonce is valid, and the challenges check out, then the agent identified by the public key is authorized to do certificate management for example.com. We call the key pair the agent used an “authorized key pair” for example.com.

      Certificate Issuance and Revocation

      Once the agent has an authorized key pair, requesting, renewing, and revoking certificates is simple—just send certificate management messages and sign them with the authorized key pair.

      To obtain a certificate for the domain, the agent constructs a PKCS#10 Certificate Signing Request that asks the Let’s Encrypt CA to issue a certificate for example.com with a specified public key. As usual, the CSR includes a signature by the private key corresponding to the public key in the CSR. The agent also signs the whole CSR with the authorized key for example.com so that the Let’s Encrypt CA knows it’s authorized.

      When the Let’s Encrypt CA receives the request, it verifies both signatures. If everything looks good, it issues a certificate for example.com with the public key from the CSR and returns it to the agent.

      Revocation works in a similar manner. The agent signs a revocation request with the key pair authorized for example.com, and the Let’s Encrypt CA verifies that the request is authorized. If so, it publishes revocation information into the normal revocation channels (i.e. OCSP), so that relying parties such as browsers can know that they shouldn’t accept the revoked certificate.
    1. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web. You can read about our most recent year in review by downloading our annual report (Desktop, Mobile). The key principles behind Let’s Encrypt are: Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers. Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect. Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt. Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization. We have a page with more detailed information about how the Let’s Encrypt CA works.
  5. Oct 2019
    1. API keys are supposed to be a secret that only the client and server know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL
  6. Jun 2019
  7. Jun 2018
    1. security

      Hi,

      All government websites holding citizens' personally identifiable information should hold a valid third-party certificate. As I have seen, most of the time government websites do not produce a valid certificate or do not produce any certificate at all. A few examples: the railway recruitment website, which collects candidates' personal info; apart from that, the voter ID verification website (http://www.nvsp.in/) is also not producing any certificate. In such cases, the lack of secure communication will help hackers grab the data passed in between. Certificates should be mandatory on all local/state/national level government websites.

  8. Apr 2018
  9. Jul 2017
    1. How To Install A Free SSL Security Certificate On Your WordPress Website

      On why are there different prices for SSL certificates

  10. Oct 2016
  11. May 2016
    1. otherwise capture information you provide over the Internet.

      That's the purpose of SSL. Why is it not used globally?

    2. the use of SSL encryption

      When? It is not used globally. Public pages are not secured by SSL.

  12. Aug 2015
    1. It occurred to me that the ideal setup would be a router where the WAN's gateway was a system running a transparent proxy. Thus simply by connecting the device to the router, the transparent proxy software would capture HTTP and HTTPS traffic
  13. Jan 2015
    1. But if you turn data into a money-printing machine for citizens, whereby we all become entrepreneurs, that will extend the financialization of everyday life to the most extreme level, driving people to obsess about monetizing their thoughts, emotions, facts, ideas—because they know that, if these can only be articulated, perhaps they will find a buyer on the open market. This would produce a human landscape worse even than the current neoliberal subjectivity. I think there are only three options. We can keep these things as they are, with Google and Facebook centralizing everything and collecting all the data, on the grounds that they have the best algorithms and generate the best predictions, and so on. We can change the status of data to let citizens own and sell them. Or citizens can own their own data but not sell them, to enable a more communal planning of their lives. That’s the option I prefer.

      Very well thought out. Obviously must know about read write web, TLS certificate issues etc. But what does neoliberal subjectivity mean? An interesting phrase.

  14. Mar 2014
    1. http://bouncycastle.org/download/bcprov-jdk16-146.jar

      This should almost certainly say "https".

    2. We need an authenticity infrastructure when there is no way to have advance knowledge of what SSL certificate a client should expect to see, but your app knows where it will be connecting, and it knows exactly what it should expect.

      Succinct way to highlight this distinction.

    3. Google is already doing this. They have an “app” called Chrome, and when their app makes SSL connections to their own services, it checks to make sure that the certificates it sees are the ones it knows Google is using. They call this “pinning,” and you should do it for your mobile apps.