Community.openproducts.com has invalid certificate

Non Software / Product related discussions
kivinen
Posts: 13
Joined: Wed Oct 01, 2014 1:08 pm

Post by kivinen » Wed Oct 01, 2014 4:23 pm

When I first registered on community.openproducts.com I noticed it sent me an email in clear text, so of course I wanted to change the password. I logged in and, to my great surprise, the site was NOT protected by TLS. I would have expected that a product that is really for privacy would protect all information with TLS, so I simply edited http -> https in the URL and noticed that, yes, there is TLS, but the certificate is not for community.openproducts.com; it is a wildcard cert for loopiasecure.com.

Knowing that proper certificates trusted by browsers cost less than $10 per year (for example gogetssl sells some Comodo certs for $6 / year), it would be better to get a proper certificate for community.openproducts.com and make sure the forums are redirected to TLS by default.

tor
Posts: 120
Joined: Thu Aug 14, 2014 3:42 am

Post by tor » Wed Oct 01, 2014 7:39 pm

Hi Kivinen,

Thank you for your constructive feedback, it's appreciated!

The problem with the certificate is that the hosting company for this site does not provide means for customer-specific certificates. (God knows why they keep arguing that it's not possible.) You can browse this forum via https and you will be presented with the hosting company's certificate "*.loopiasecure.com" :(

We are painfully aware of this flaw and will hopefully be able to change this in the (near?) future.

/Tor

kivinen
Posts: 13
Joined: Wed Oct 01, 2014 1:08 pm

Post by kivinen » Thu Oct 02, 2014 10:33 am

Sounds like a clueless hosting company...

The web server seems to be Apache 2.2.27 running on FreeBSD, and Apache does support SNI (http://en.wikipedia.org/wiki/Server_Name_Indication), i.e. you can have virtual hosts with the same IP address served by the same host.

Configuration should be something like:

...
# Ensure that Apache listens on port 443
Listen 0.0.0.0:443
Listen [::]:443
...
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
...
<VirtualHost *:443>
    # Default virtual host when no SNI
    ServerName server1.example.com:443
    DocumentRoot /www/server1
    ...
    SSLEngine on
    SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:+MEDIUM:!aNULL:!MD5:!ADH
    SSLHonorCipherOrder on
    SSLCertificateFile /www/ssl/server1.crt
    SSLCertificateKeyFile /www/ssl/server1.key
    SSLCertificateChainFile "/www/ssl/server1_intermediate.crt"
</VirtualHost>

<VirtualHost *:443>
    ...
    ServerName community.openproducts.com:443
    DocumentRoot /www/community-opi/
    ...
    SSLEngine on
    SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:+MEDIUM:!aNULL:!MD5:!ADH
    SSLHonorCipherOrder on
    SSLCertificateFile /www/ssl/community-opi.crt
    SSLCertificateKeyFile /www/ssl/community-opi.key
    SSLCertificateChainFile "/www/ssl/community-opi_intermediate.crt"
</VirtualHost>

or similar. For more information see https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI or https://www.digicert.com/ssl-support/ap ... ng-sni.htm
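A small check of the mismatch kivinen describes, added here as an example and not part of the thread: it connects with SNI set to the forum hostname, reads the names on whatever certificate the server actually serves, and applies RFC 6125-style wildcard matching to show that "*.loopiasecure.com" does not cover community.openproducts.com. The name-matching functions run offline on a constructed certificate dict; only `served_cert_names` touches the network, and it assumes the served chain is trusted by the local CA store (only the hostname mismatch is tolerated).

```python
import socket
import ssl
from typing import Iterable

# Constructed sample mirroring ssl.getpeercert() output for the served wildcard cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.loopiasecure.com"),),),
    "subjectAltName": (("DNS", "*.loopiasecure.com"), ("DNS", "loopiasecure.com")),
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard must be the entire left-most label,
    covers exactly one label, and is refused for patterns like '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_cert(cert: dict) -> list:
    """Collect DNS SANs; fall back to the subject CN only when no SAN is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_covers(names: Iterable[str], hostname: str) -> bool:
    return any(hostname_matches(n, hostname) for n in names)


def served_cert_names(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Handshake with SNI=host and return the names on the certificate the server
    picked. check_hostname is off so a wrong-host cert is reported, not raised;
    chain verification stays on, so getpeercert() is populated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # tolerate the name mismatch we want to observe
    ctx.verify_mode = ssl.CERT_REQUIRED # still require a chain to a trusted CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI sent here
            return names_from_cert(tls.getpeercert())


if __name__ == "__main__":
    host = "community.openproducts.com"
    names = served_cert_names(host)
    print(f"served names: {names}; covers {host}: {cert_covers(names, host)}")
```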

andrew
Posts: 6
Joined: Thu Sep 25, 2014 2:49 pm

Post by andrew » Thu Oct 02, 2014 1:05 pm

Tor,

I suggest you check out CloudFlare, which now provides free SSL: https://blog.cloudflare.com/introducing-universal-ssl/

Andrew

tor
Posts: 120
Joined: Thu Aug 14, 2014 3:42 am

Post by tor » Thu Oct 02, 2014 1:57 pm

Hi Andrew and Kivinen,

Regarding Loopia and SSL certs: yes, I know of SNI and I actually emailed them complaining about it. (Not that I think it will matter to them.)

Regarding Cloudflare, I will add it to our list of potential alternatives.

Thx!
/Tor
