When I first registered on community.openproducts.com I noticed it sent me an email in clear text, so of course I wanted to change the password. I logged in and to my great surprise the site was NOT protected by TLS. I would have expected that a product that is really about privacy would protect all information with TLS, so I simply edited http -> https in the URL, and noticed that yes, there is TLS, but the certificate is not for community.openproducts.com; it is a wildcard cert for loopiasecure.com.
Knowing that proper certificates trusted by browsers cost less than $10 per year (for example gogetssl sells some Comodo certs for $6 / year), it would be better to get a proper certificate for community.openproducts.com and make sure the forums are redirected to TLS by default.
Community.openproducts.com has invalid certificate
Hi Kivinen,
Thank you for your constructive feedback, it's appreciated!
The problem with the certificate is that the hosting company for this site does not provide means for customer-specific certificates. (God knows why they keep arguing that it's not possible.) You can browse this forum via https and you will be presented with the hosting company's certificate "*.loopiasecure.com".
We are painfully aware of this flaw and will hopefully be able to change this in the (near?) future.
/Tor
Sounds like a clueless hosting company...
The web server seems to be Apache 2.2.27 running on FreeBSD, and Apache does support SNI (http://en.wikipedia.org/wiki/Server_Name_Indication), i.e. you can have virtual hosts with the same IP address served by the same host.
Configuration should be something like:
'...
# Ensure that Apache listens on port 443
Listen 0.0.0.0:443
Listen [::]:443
...
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
...
<VirtualHost *:443>
# Default virtual host when no SNI
ServerName server1.example.com:443
DocumentRoot /www/server1
...
SSLEngine on
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:+MEDIUM:!aNULL:!MD5:!ADH
SSLHonorCipherOrder on
SSLCertificateFile /www/ssl/server1.crt
SSLCertificateKeyFile /www/ssl/server1.key
SSLCertificateChainFile "/www/ssl/server1_intermediate.crt"
</VirtualHost>
<VirtualHost *:443>
...
ServerName community.openproducts.com:443
DocumentRoot /www/community-opi/
...
SSLEngine on
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:+MEDIUM:!aNULL:!MD5:!ADH
SSLHonorCipherOrder on
SSLCertificateFile /www/ssl/community-opi.crt
SSLCertificateKeyFile /www/ssl/community-opi.key
SSLCertificateChainFile "/www/ssl/community-opi_intermediate.crt"
</VirtualHost>
'
or similar. For more information see https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI or https://www.digicert.com/ssl-support/ap ... ng-sni.htm
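A quick way to verify the problem described in this thread (and whether a fix like the SNI config above worked) is to fetch the certificate the server presents with and without SNI and check whether its names actually cover the forum's hostname. This is an added example, not code from the thread or from Apache; the sample certificate dicts are constructed in the shape ssl.getpeercert() returns, and only the offline matching runs without a network.

```python
"""Check whether the certificate a TLS server presents is valid for a hostname."""
import socket
import ssl
from typing import Dict, List

# Constructed sample certs (not real certificates) mimicking ssl.getpeercert() output.
WILDCARD_CERT = {"subject": ((("commonName", "*.loopiasecure.com"),),),
                 "subjectAltName": (("DNS", "*.loopiasecure.com"), ("DNS", "loopiasecure.com"))}
PROPER_CERT = {"subject": ((("commonName", "community.openproducts.com"),),),
               "subjectAltName": (("DNS", "community.openproducts.com"),)}

def dns_names(cert: Dict) -> List[str]:
    """Names the cert is valid for: SAN dNSName entries, falling back to the subject CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' may only replace the whole left-most label, so
    '*.loopiasecure.com' covers www.loopiasecure.com but not community.openproducts.com
    (different domain) or a.b.loopiasecure.com (too many labels)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers_host(cert: Dict, hostname: str) -> bool:
    return any(name_matches(name, hostname) for name in dns_names(cert))

def fetch_cert(host: str, port: int = 443, sni: bool = True) -> Dict:
    """Fetch the leaf certificate a live server presents. The CA chain is still
    verified, but hostname checking is off on purpose: we want to inspect a
    chain-valid certificate issued for the wrong name, which is the case here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "community.openproducts.com"
    for sni in (True, False):
        cert = fetch_cert(host, sni=sni)
        print(f"SNI={sni}: cert names {dns_names(cert)} cover {host}: {cert_covers_host(cert, host)}")
```

If the names differ between the SNI and non-SNI runs the server is already doing name-based TLS vhosting; if both runs show only *.loopiasecure.com, the hosting setup has no certificate for the forum's name at all.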
Tor,
I suggest you check out CloudFlare, which now provides free SSL: https://blog.cloudflare.com/introducing-universal-ssl/
Andrew