Things that annoy me, number 543,321: Expired or no SSL certificates

Update: MPC finally got around to renewing their SSL certificate on the 15th May! Alas, however, the site still serves mixed content. 🙁

This is 2018, a year in which IT infrastructure is constantly under attack and privacy is king (except when it isn’t, or when you’ve just given an app permission to slurp your data and sell it to the highest bidder). I’m a very strong advocate of making sure that ALL websites load over SSL by default, because any form of input from the client (form submissions, such as a site’s local search box, for example) is otherwise sent in plain text, which gives anybody on the path the opportunity to sniff the contents of the transmission.

SSL hasn’t had it easy, however. We’ve had certificate authorities compromised, SSL vendors compromised, key encryption algorithms weakened by the ever-increasing power of computing hardware (forcing everybody to switch to a stronger algorithm), and all manner of things in between. I’ve seen a lot in the 9 years I’ve been working in the hosting industry and in the 9 months I’ve been working in e-commerce. I’ve been using SSL on this blog for a considerable amount of time, whether with paid SSL certificates, Let’s Encrypt, cPanel/Comodo-issued certificates or through CloudFlare.

ALAS!

I’ve recently ranted (then deleted the rant) about how a BBC Apprentice winner launched their brand new website without SSL, then added SSL but screwed up loading assets over the secure connection, along with a number of other issues that are super important in modern web site maintenance. I also discovered ANOTHER Apprentice winner not loading their website over SSL by default, and with contact forms that send data in plain text. So much for that £250,000 investment!

Then, as I was just browsing the ‘net, I suffered problems browsing a major computer vendor’s web site where a third party service they use had an expired SSL certificate, leading to mixed content and warnings galore.

Now I’m stumbling across websites that have SSL, but are using a certificate affected by the Symantec distrust, which essentially means that anybody who bought a certificate from one of the vendors mentioned in the link prior to certain dates will need to have their certificate re-issued (or, if it’s close to expiry, just renew it a little earlier than expected).

Despite the pain in the arse that managing SSL brings, it is nevertheless very important. Google will start downranking websites that don’t have it in their search results, and the likes of Chrome will eventually display a big unfriendly warning that a site is insecure if you do not load your site over SSL by default. Chrome is still very much the dominant browser on the block right now, so I’d take notice of what they’re planning to do!

I shall give you an example of what I consider to be bad web site management.

So, former employers of mine, MPC (The Moving Picture Company): why has an Academy Award-winning company (amongst many, many other awards) failed to renew its SSL certificate, which, some 216 days on, is still in place on their web server? This is sloppy! Just removing it would be better than leaving an expired certificate in place. I sincerely hope that they do not have any client-facing logins off the main moving-picture.com site, because that would cause me to scream.

On a more positive note, their web server doesn’t accept SSLv3 connections.  But that’s perhaps the only good thing I can say about their set-up.

Bad Academy award winning company. Bad!
Red warning colour by Technicolor! Which will persist if MPC, like many other companies, do not take SSL seriously.

BTW, I did reach out to MPC about this, but to date (about a week now), no response and no action.

So unless MPC does something – and sooner rather than later – when a future version of Chrome is released, www.moving-picture.com will display a great big Not Secure message.

If you run a website, blog, or whatever it may be – for crying out loud – take a look at your site’s SSL functionality.  Do you even have one?  If not, why not?  Sort it out right away!

Update: It’s not just MPC that’s got an SSL problem – practically every Soho-based VFX company, other than perhaps two or three, either doesn’t have an SSL certificate at all or, if you attempt to load the site over SSL, serves a certificate with an invalid common name (e.g. the certificate of another domain). Chrome will be switching on the Not Secure flag in July when Chrome 68 is released. We’re on Chrome 66 at the moment. Time is counting down…
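The two failures called out above, an expired certificate left in place and a certificate issued for some other domain, are both visible in the certificate a server hands back during the handshake. The checker below is an added example, not code from the original post or from any of the companies named in it; it uses only the Python standard library, and the sample certificate dictionary and the `.test` hostnames in it are constructed for illustration. `assess()` works on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so it can be run against a live host or against a saved certificate.

```python
"""Report an expired certificate or one not issued for the hostname (added example)."""
import socket
import ssl
import sys
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert(); the
# notAfter date is the renewal date mentioned in the post's update.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
    "notAfter": "May 15 12:00:00 2018 GMT",
}


def days_until_expiry(cert, now=None):
    """Days until the certificate's notAfter date; negative once it has expired."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expiry - now) / 86400.0


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname; '*' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def cert_matches_host(cert, hostname):
    """True if the certificate was issued for hostname (SANs first, CN only as a fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # browsers ignore the CN nowadays; only consulted when no SAN exists
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return any(_dns_name_matches(name, hostname) for name in names)


def assess(cert, hostname, now=None, warn_days=14):
    """Return human-readable problems; an empty list means the certificate is fine."""
    problems = []
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        problems.append(f"certificate expired {-remaining:.0f} days ago")
    elif remaining < warn_days:
        problems.append(f"certificate expires in {remaining:.0f} days")
    if not cert_matches_host(cert, hostname):
        problems.append(f"certificate is not issued for {hostname}")
    return problems


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the server certificate with normal verification enabled.

    A verifying context refuses the handshake for an expired or mismatched
    certificate and raises ssl.SSLCertVerificationError, so in those cases
    the exception itself is the finding.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        for line in assess(fetch_cert(host), host) or ["no problems found"]:
            print(f"{host}: {line}")
    except ssl.SSLCertVerificationError as err:
        print(f"{host}: handshake rejected: {err.verify_message}")
```

Run it as `python check_cert.py www.example.test` to test a live host. The expiry warning threshold (14 days by default) is the useful part for a site that does not renew automatically: it gives a monitoring job something to alert on long before visitors see a red warning page.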

Update on the update: home.bt.com is another culprit that doesn’t load over SSL by default, and if you try to force it, returns mixed content (i.e. it won’t load certain assets over SSL, so you might as well just treat the whole connection as insecure). Man, this is crazy. If telecoms companies aren’t doing the right thing by default…
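Mixed content, the problem behind the MPC, computer vendor and home.bt.com complaints, is an https:// page that references assets over plain http://. The scanner below is an added example, not code from the original post; it uses only the Python standard library, and the sample page and `.test` hostnames are constructed. It distinguishes active mixed content (scripts, frames, stylesheets, which browsers block outright) from passive mixed content (images and media, which browsers warn about), and it resolves relative and protocol-relative URLs against the page so that a `//cdn.example.test/x.js` reference is correctly treated as https.

```python
"""Find assets an https:// page loads over plain http:// (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active mixed content can run code or restyle the page; browsers block it.
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",)}
# Passive mixed content is merely displayed; browsers warn but may still load it.
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",)}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are active content; icons, preloads etc. are passive.
            rel = (attrs.get("rel") or "").lower().split()
            self._check(tag, "href", attrs.get("href"), "active" if "stylesheet" in rel else "passive")
            return
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                self._check(tag, attr, attrs.get(attr), kind)

    def _check(self, tag, attr, value, kind):
        if not value:
            return
        # Relative and protocol-relative ("//host/...") URLs inherit the page's
        # https scheme and are fine; only an explicit http:// is mixed content.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append({"tag": tag, "attr": attr, "url": resolved, "kind": kind})


def find_mixed_content(html, page_url):
    """Return a list of {tag, attr, url, kind} for every http:// asset reference."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for illustration; the hostnames are not real.
SAMPLE_URL = "https://www.example.test/"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/analytics.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="https://images.example.test/hero.jpg">
<iframe src="http://player.example.test/embed"></iframe>
</body></html>"""


if __name__ == "__main__":
    import sys
    import urllib.request

    url = sys.argv[1] if len(sys.argv) > 1 else None
    html = urllib.request.urlopen(url).read().decode("utf-8", "replace") if url else SAMPLE_PAGE
    for f in find_mixed_content(html, url or SAMPLE_URL):
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']}")
```

On the sample page the scanner reports three problems: the `app.js` script and the iframe (active) and the logo image (passive), while the protocol-relative analytics script and the relative stylesheet resolve to https and pass. Pointing it at a live URL only covers what is in the initial HTML; assets pulled in later by scripts or CSS need a browser's console or a crawl to catch.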


For a later blog post: Is Google becoming too dominant?  Are Google’s new Gmail security tools proprietary, and will it eventually make existing email standards obsolete?  Will RFCs aka “internet standards” be a thing of the past?

No longer just Let’s Encrypt, cPanel offers free Comodo-backed SSL certificates

With the latest release (to the CURRENT tier, which is considered “release candidate” worthy) of cPanel/WHM, you can now obtain completely free 90 day SSL certificates from cPanel themselves (backed by Comodo) for your web site.  This requires version 58 of cPanel/WHM.  These certificates will automatically be renewed.


This blog is already using them, and long may I do so. As I’ve said earlier, obtaining SSL certificates for securing usernames and passwords or e-commerce is now the cheapest (i.e. free) it’s ever been. There’s absolutely no excuse to run a web site that’s not secured by an SSL certificate now. None.

If you don’t want to use Comodo backed SSL certificates, there will be a Let’s Encrypt plugin for cPanel/WHM appearing soon from cPanel themselves.

You’ll never have to buy another SSL certificate again!

(Unless, that is, you are a financial organisation or need some form of extended validation/identity confirmation.)

The SSL certificate marketplace is undergoing an extraordinary transformation. Once upon a time you could expect to pay a princely sum to obtain what is called an “SSL certificate”. This is effectively a small file (the server’s public key plus its identity details, signed by a certificate authority) that you install on a server (whether it be web, email, or similar) and that allows data to be encrypted between two end points (a client such as a web browser and a web server, for example). The SSL certificate also allows the client (browser) to verify the identity of the server it’s connecting to.

But as the Internet has grown, so has the need to protect data in transit (such as usernames and passwords, credit card details, or other personal information). To that end there have been many attempts to provide free or cheap SSL certificates to all and sundry. Self-signed certificates are no longer good enough: unless you explicitly trust a self-signed certificate within your browser, you’ll see all manner of warning messages. No, a trusted third party must now vouch for the certificate to ensure that your communications in a web browser are secure.

SSL certificate prices have been gradually getting cheaper over the past few years. I’ve picked up regular domain-validated SSL certificates for as little as 99 cents (US) or, at most, around £2-3 per year. The drake.org.uk wildcard certificate (which protects an unlimited number of subdomains with a single certificate) only cost me 40 quid for two years.

But now things are getting even cheaper – cheap enough to be FREE!

Let’s Encrypt has been one such effort to bring SSL certificates to the masses, for free. Completely free. Now that it has left beta, we are going to see a lot of companies and organisations offer Let’s Encrypt as part of their product or service. cPanel, for example, will be integrating Let’s Encrypt into the next major release of cPanel/WHM. This means that, provided the server operator/hosting company you’re hosting with allows it, your web site will be protected by an SSL certificate for free – automatically.

CloudFlare is another company that’s offering free certificates. Their free tier allows you to encrypt traffic between their servers and your own (origin) servers: combined with an origin SSL certificate that you install on your server, it provides full, authenticated encryption between CloudFlare’s data centres and your server(s).

WordPress and Sucuri are two other services that offer free SSL certificates as part of their products.

So, as you can see, the days of the paid SSL certificate appear to be coming to an end. The only exceptions are special SSL certificates that require additional validation and assurance – normally Extended Validation (EV) certificates, the ones you’ll normally see on a bank’s web site, with the company name in green alongside the green lock symbol. These certificates require a lot of paperwork, which consequently costs quite a bit more money (and time).

But for us mere mortals, we may well never have to spend a single penny on SSL certificates for our sites or services ever again.  We can encrypt for free.  And that’s a good thing.