https on freecadweb.org sites?

throwaway1
Posts: 12
Joined: Sun Oct 16, 2016 2:07 pm

https on freecadweb.org sites?

Post by throwaway1 »

The lack of https support on the freecadweb.org sites is a bit awkward. Would you please consider implementing https on the forum as well as the web site? That would help protect the privacy of visitors and keep their forum credentials (among other things) from being transmitted in plaintext over the internet.

I don't know about you guys but personally I avoid visiting non-https sites like the plague and I'm likely not the only one doing that.

A bonus effect of enabling https is improved ranking on popular search engines.

For configuration details, see Mozilla's excellent wiki entry on https://wiki.mozilla.org/Security/Server_Side_TLS. There's even a configuration generator for popular services on https://mozilla.github.io/server-side-t ... generator/. Here's an example for Apache2.


<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/forum.example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/forum.example.com/privkey.pem
    ...
</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
TLS certificates can be obtained for free using Let's Encrypt's letsencrypt client (nowadays renamed to certbot). Myself, I'm using Ansible to obtain certificates and install them on the Ansible-managed servers. FWIW, here's an example playbook that does just that. It assumes the receiving server redirects requests for the path /.well-known/acme-challenge to the server where Ansible runs (in Apache, Redirect /.well-known/acme-challenge http://ansible-server.example.com/.well ... -challenge). The Ansible server is expected to also run a webserver, which for this particular example needs a vhost for ansible-server.example.com with DocumentRoot /var/www/well-known.


# Usage: ansible-playbook this-playbook.yml
#        ansible-playbook -e vhost=overridden.example.com this-playbook.yml
- hosts: some-host-managed-by-ansible.example.com
  vars:
    letsencrypt:
      email: hostmaster@example.com
    vhost: forum.example.com
  tasks:
    # Runs on the Ansible controller (delegate_to: localhost), which serves
    # /var/www/well-known and receives the redirected HTTP-01 challenge requests.
    # "creates" makes the task idempotent: it is skipped once fullchain.pem exists,
    # so renewal has to happen separately (e.g. "letsencrypt renew" from cron on
    # the controller); re-running the playbook then copies the renewed files.
    - name: Obtain TLS certificate for {{ vhost }}
      command: letsencrypt certonly --agree-tos --email {{ letsencrypt.email }} --expand --keep-until-expiring --webroot -w /var/www/well-known -d {{ vhost }}
      args:
        creates: /etc/letsencrypt/live/{{ vhost }}/fullchain.pem
      delegate_to: localhost

    # fullchain.pem (leaf + intermediate) is public, so world-readable is fine.
    - name: Install TLS certificate (public key)
      copy:
        src: /etc/letsencrypt/live/{{ vhost }}/fullchain.pem
        dest: /etc/ssl/{{ vhost }}.pem
        mode: '0644'
        owner: root
        group: root
      notify: Reload apache

    # The private key must be readable by root only; Apache reads it at startup
    # before dropping privileges.
    - name: Install TLS certificate (private key)
      copy:
        src: /etc/letsencrypt/live/{{ vhost }}/privkey.pem
        dest: /etc/ssl/private/{{ vhost }}.pem
        mode: '0600'
        owner: root
        group: root
      notify: Reload apache

  # A newly copied certificate or key is only picked up after a reload.
  # Service name "apache2" assumes Debian/Ubuntu; use "httpd" on RHEL-style hosts.
  handlers:
    - name: Reload apache
      service:
        name: apache2
        state: reloaded
Of course, if you don't use Ansible (or similar automation tools), you can run it directly on the server. Assuming your vhost configuration for freecadweb.org, http://www.freecadweb.org and forum.freecadweb.org has something like Alias /.well-known/acme-challenge /var/www/well-known/.well-known/acme-challenge you could do:


letsencrypt certonly --agree-tos --email hostmaster@example.com --expand --keep-until-expiring --webroot -w /var/www/well-known -d freecadweb.org -d www.freecadweb.org -d forum.freecadweb.org
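As an added illustration (not part of throwaway1's post, nor FreeCAD's actual configuration), the following Apache configuration ties the pieces above together for one hostname: the port-80 vhost keeps /.well-known/acme-challenge reachable over plain HTTP for the webroot challenge and redirects everything else to HTTPS, and the port-443 vhost uses the files the playbook installs under /etc/ssl and adds HSTS. forum.example.com, the DocumentRoot /var/www/forum and the Apache version/module assumptions are placeholders; the cipher list is the forward-secret AEAD subset of the intermediate list quoted above.

```apache
# Added example, not from the original post. Assumes Apache 2.4.11 or newer
# (SSLCertificateFile may hold the full chain, SSLSessionTickets is available)
# with mod_ssl, mod_rewrite, mod_alias and mod_headers enabled.

<VirtualHost *:80>
    ServerName forum.example.com

    # Keep the ACME HTTP-01 challenge reachable over plain HTTP: certbot
    # --webroot writes its token files here and Let's Encrypt fetches them
    # on port 80. Without this exception the redirect below breaks renewal.
    Alias /.well-known/acme-challenge /var/www/well-known/.well-known/acme-challenge
    <Directory /var/www/well-known/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything else goes to HTTPS. mod_rewrite runs before mod_alias, so the
    # RewriteCond is what exempts the challenge path. 301 is cached by browsers
    # and tells search engines that the https URL is the canonical one.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://forum.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.com
    # Hypothetical site root for the forum software.
    DocumentRoot /var/www/forum

    SSLEngine on
    # Paths written by the "Install TLS certificate" tasks in the playbook
    # above; the public file is fullchain.pem, so Apache also sends the
    # Let's Encrypt intermediate and clients can build the chain.
    SSLCertificateFile      /etc/ssl/forum.example.com.pem
    SSLCertificateKeyFile   /etc/ssl/private/forum.example.com.pem

    # HSTS: a browser that has seen this header refuses plain-HTTP connections
    # to this host for max-age seconds, so an attacker on the path cannot
    # strip the redirect above later. Start with a short max-age while testing;
    # a bad deploy is otherwise remembered by clients for the whole period.
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

# Server-wide TLS policy: no SSLv2/SSLv3, server-chosen order, forward-secret
# AEAD suites only (the GCM and ChaCha20 entries from the list quoted above),
# no TLS compression (CRIME) and no session tickets (ticket keys are never
# rotated by Apache, which undermines forward secrecy).
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off
```

Run `apachectl configtest` before reloading so a missing or unreadable key file is caught before the running server is touched, and only add the HSTS header once the https site works end to end.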
yorik
Founder
Posts: 13665
Joined: Tue Feb 17, 2009 9:16 pm
Location: Brussels

Re: https on freecadweb.org sites?

Post by yorik »

The problem is that our current web hosting solution doesn't provide us with https.
Only jriegel has full access to the domain & control panel, but he doesn't come on the forum very often, and it's unlikely he will read this post.
I suggest you try to convince him, I believe on our part there is nothing specific to be done to support https...
throwaway1
Posts: 12
Joined: Sun Oct 16, 2016 2:07 pm

Re: https on freecadweb.org sites?

Post by throwaway1 »

Thanks for the suggestion, Yorik. I'll try to contact him.

I noticed that at least one other site, fett-daneben.de, is hosted on the same IP address (and supposedly the same server) as freecadweb.org, and that this site is using https with a TLS certificate from Let's Encrypt (an open-source and free Certificate Authority). It looks like the hosting provider now has some support for https-enabling hosted sites using certificates from Let's Encrypt. This is good news.

https://www.wired-net.de/wichtigeinfos/ ... 65b1046e06

As translated by Google:
...
The certificates are requested by us and created about Let's Encrypt and maintained.

In this following goals:

- * Free: Anyone who has a domain can receive a free, trusted certificate on Let's Encrypt.
- secure: Let's Encrypt serves as a platform for the promotion of TLS and secure connections.
- transparency: All certificates are publicly available.
- open: the automatic publication and renewal records will be published so that other companies can use it.
- Cooperative: Let's Encrypt is a joint effort of the entire community benefits, not just a company.
- automatic: We provide you with the certificate , after which it will be renewed automatically. You need to worry about anything.

At WIRED-NET, there are free SSL / TLS certificates of Let's Encrypt. These are automatically updated and include the hosting package to. It is from WIRED-NET specifically recommended a SSL / TLS certificate to use.

* WITHOUT RUNNING COSTS .... (only one-time set of 5 € -. With additional domains or existing contracts In Neuvertägen is a certificate means the device rate included)

If shied website operator to date implementing SSL for cost reasons, they may soon be forced to do so indirectly.

Google began in August 2014, the encrypted connection between a client and a web (HTTPS) to use as a ranking factor. This is not a part of a classic Google updates but an algorithm that confirmed John Mueller of Google Switzerland.
(as I read it, there seems to be a one-time fee of 5 euro only, possibly per domain)
chrisb
Veteran
Posts: 54295
Joined: Tue Mar 17, 2015 9:14 am

Re: https on freecadweb.org sites?

Post by chrisb »

Let me correct the translation in case someone was worried:
throwaway1 wrote: As translated by Google:
You need to worry about anything.
should read "You don't need to worry about anything."
(as I read it, there seems to be a one-time fee of 5 euro only, possibly per domain)
That's what I read as well.