SSL certificate

[Mathilda]

Tell them 10 Downing Street.

Yeah I might need to update the address very soon ...

[Dark Light]

I know I just kind of showed up off the street, so to speak, but...

If I were a hostile actor (hacker) I'd certainly make plenty of use of information stored on the back-end of the forum if I had a vendetta, or thought I could make some cash...or wanted to have fun by screwing with people or just taking on the challenge of seeing what I was capable of doing. Most of you people are worried about PMs being the end all be all. That is the wrong worry. I'd combine the data gathered, including registration e-mail addresses, birthdays, etc, combine it with OSINT (Open Source Intel) and I could certainly put together info to blackmail, humiliate, "out", etc. This is especially useful for going after people vulnerable because they are in positions of prominence/power. I know some of you are based on my relationships with you from TTA, but will not get specific because I don't want to make anyone else here more vulnerable than they already are.

I'm a security analyst by profession, and not a security engineer that is exposed to the legal side of things too much other than reporting illegal activity from hackers (I'm not a legal compliance expert), however Vosur is absolutely correct to raise the security concerns that he has. Maybe he could've communicated his concerns better, or been more diplomatic, or maybe you think he is just an asshole, but the concern is certainly very legitimate, and it would be in the best interest of all involved if his advice concerning the certificates was heeded.

As for the comment on the DDoS attack concerns, that is less concerning than the cert issue, but it still is a security concern that falls under Availability of the CIA security triad, and should largely be dealt with by using a good NIPS, ideally supplemented by an analyst blocking troublesome IPs and possible writing some rules for your NIPS (Snort is a good option).

Just my 2 cents if you're interested.

[KevinM1]

I want to know if I have to give my personal name and address because I think that's what Vosur was after and why he was pushing so hard for it.

For something like Let's Encrypt, no. It's mostly automated and doesn't require (nor ask) for personal information.

I mean... the certbot program which handles the automation part of it was developed by the EFF. They're all about internet privacy.

[Aractus]

I want to know if I have to give my personal name and address because I think that's what Vosur was after and why he was pushing so hard for it.

No of course not. The Let's Encrypt CA is designed to be full automated, if you can install Certbot and set a cron job (that just means "task scheduler" in Linux) it will fetch and install certificates automatically. It's the officially recommended way by LE.

Here is a video guide of the complete set up (using PuTTY as the SSH client):



Depending on how your hosting is set up you may need to enable SSH first on the backend (in the hosting admin area or control panel), and if that's the case you can disable it again afterwards.

[Mathilda]

Sorry about this. Installing certbot destroyed the forum. I have tried uninstalling it and rolling it back but the developers seemed to have forgotten this aspect of it. At least none of the instructions have helped.

I have re-installed the server software but for some reason View New Posts (and I assume a lot of other functionality) is now broken because http requests are getting redirected to https and I don't know how to change this. There must be an option in the apache configs somewhere.

[Mathilda]

Actually no. I just needed to clear my browser cache. Hopefully it has rolled back successfully.

[Aractus]

It didn't destroy the forum, everything was working fine except that there was a mixed-content warning (the forum was trying to load stylesheets and javascript etc over http:// which is why it looked funny):



I thought the forum was still "down" because I was refreshing the "new posts" page lol. Did you set up the redirect (http > https) or did the server do that? That is unexpected behaviour if the server did that on its own. As far as the present redirection problem is concerned, check if there are any http > https redirects in httpd.conf or .htaccess (check .htaccess files both in "public_html" and the "public_html/forums" folder). Be careful with those files they are the server configuration files and contain absolutely essential rules that make the forum work, make a backup before changing anything. It probably won't be one line, it'll be at least two lines maybe 3 or 4 or more so if you're unsure at all post it here. And in fact every time you make a change to any .htaccess file I think it's best practise to download it first from the server rather than use the last uploaded local file because often software upgrades on the server will have made changes that aren't in the older local copy.

See if you can re-install the certificate (without certbot for the moment) or if not generate a new one using the web interface (use the manual verification method is the easiest you just upload a couple of zero-byte files to "/.well-known/acme-challenge" certbot should already have created that folder). (EDIT) that shouldn't be necessary, here's the certificate:

Code:

-----BEGIN CERTIFICATE-----
MIIEbzCCA1egAwIBAgISA45bb08jkU8P/uclG4yyIeyMMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMjYxMTIzMTlaFw0x
OTA2MjQxMTIzMTlaMCAxHjAcBgNVBAMTFWF0aGVpc3RkaXNjdXNzaW9uLm9yZzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANZVdQBQkmmyFN8B13V89o82
QmbcrXDpFuiS0xr1n2Sd5WcBVI0lL7iltXaK9eHX/qvy1FjMwFT4F3jtBLq9RaGp
s9qxm5AzE0xcrai/SAM2bsyzBWSKYdpELfwbWelgNF3DqmlW0hHZfNE75WFkP9UI
rXF0u6a1Hfw+LPfyIyKowvqgHgwCB887S0dxvXWw/djVDqq2N8hVP3mWI7RMhysz
c+W87oMyilze6xiN6VhD9/koNErz9I0FAqWJ052H4uZUTRDk+HfmBCMjwqBBUBil
llTeB1/ThwMuPGe5oaV71JwlYKtuyZKYVp0cRQnF1fwvQkD9OpT5q8BoP8vbP1EC
AwEAAaOCAXcwggFzMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUZdpTEkLrv4ZWlTea
XEdKrdmYizswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYB
BQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAgBgNVHREEGTAXghVhdGhlaXN0ZGlzY3Vzc2lvbi5vcmcwTAYD
VR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwEwYKKwYBBAHWeQIEAwEB/wQCBQAw
DQYJKoZIhvcNAQELBQADggEBAGbNfxn6so6kcVuAv/t3gd+ePHnVlTiH3i5f834B
dOlCkXZozJcNJENfoj7wEqzOy8Gt6dIgs0mGlSE1LtU0yWZX/wyR/bobxjbRb5Fm
KKQDC/9ZgWAAEvPii3EsnXioBoE619QTteHE+Qji7voVMOIpHDqShOJdE//Ni9ww
puX/L+N0DB22cHehWIqbFUCL1u/RbV1iawBAq2zE4xozzdCVya8N57qQHkmytOJX
qgSMQReWbjEDdMN0fqIuor3PkhLH/Z3rnIl0qPklJdt+1fU+mqPrmbVpoDNUApOf
JISXKD4uieMpU8vZ3bCbwT7uomzks7SxQJ7sDnAe7wfzX9k=
-----END CERTIFICATE-----

You can also download it directly from crt.sh here. Do you have a graphical control panel like cPanel that you can use? If so you can probably just paste the text itself to install the certificate:



You can see above that in the cpanel interface with manual install you have the option to just paste the certificate text in or to upload the .crt file, but other interface options will vary.

Then configure the forum for https (should be a setting in the MyBB admin area ... in fact I just looked it up the official MyBB documentation is here). Don't set up "protocol redirection" yet. After that you may need to edit any custom/theme .css files (style-sheets), check for any "http://" references, if there are change "http://" to "//". There might also be some references in javascript too.

Once everything is working correctly re-install certbot, and then finally after that set up the protocol redirection as the last step.

[Mathilda]

Damn just realised that the https port was still closed in the firewall. Doh!

I raised a ticket for the hosting service to create an SSL cert for me but then realised the email server was no longer receiving emails and I need to find out why it's stopped working. I might have closed down too much when we were a target for a hacking attempt.

[KevinM1]

Heh, I was going to ask if you opened up the port.

And, yeah, .htaccess files can be a cause of headaches. It's one of the reasons why I ditched Apache for Nginx. The latter has a far simplified server configuration model, one where you don't have to hunt down those kinds of files.

[Mathilda]

Well the mail server is back up and running and receiving emails. I think I borked it when installing reverse DNS but because the address doesn't get used I never realised. Anyway, I've managed to get it working in time to receive the email I was waiting for.

[Techcloud]

This forum really should have a SSL certificate.  Given the taboo nature of atheism, and simple common sense security practices, leaving the client/server connection unencrypted is a bad move.  You can get a free cert at https://letsencrypt.org/  They're recognized by just about all root authorities at this point.

How protected would you feel if your program cautioned you about a site being "not secure"? Since that is the thing that will be appeared in the up and coming adaptation of Chrome on the off chance that you don't have an SSL declaration. Do you need that? Obviously, you don't.On the off chance that you own a site or a blog in 2020, you need SSL. It's as straightforward as that. An SSL testament is not, at this point an extravagance; it's a without a doubt need these days.