Merv, Posted August 29, 2016

Hi All,

It seems a little strange to me why SSL is not a standard feature for TNG websites or at the very least a recommended step considering the sensitive data that many of us have on our sites. Access to most if not all TNG sites requires a login which would suggest that most of us do think we have data worth keeping secure.

https://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html

Your thoughts? Necessary or not? Can anybody recommend a provider and/or an installation process??

This is what I got from Simply Hosting (who I understand can do the install)...

> The cost for an SSL is $19.99 USD/year plus $1 per month for a dedicated IP. The cost for the SSL is non-refundable, but if you no longer need the dedicated IP (and you notify us of such) then we would stop charging you for that.

Maybe we could do a group deal with SH but I'm not too sure how this could be negotiated

bobbyfamilytree, Posted August 29, 2016

I use https (via CloudFlare, free), this looks to be something different. Not sure which is better, perhaps both are good in their own way. I guess any additional security can only be a good thing.

jayat1familytree, Posted August 29, 2016

Merv,

I think SSL isn't really much of a protection unless someone knows exactly where and when to 'capture' your data stream between two points. It is great overall for any sensitive data coming from a place that someone could possibly track down exactly, like a bank server, but to pick out a tiny fragment of genealogy data is like trying to find a drop of water in Lake Michigan.

Merv, Posted August 30, 2016

Thanks for your comments.

Maybe I am being a little paranoid or maybe it's because I feel the responsibility of ensuring I take all reasonable measures toward the security of the information I have been entrusted with.

Firefox browser information for my site states that "Connection is not secure", "Your connection to this site is not private. Information you submit could be viewed by others (like passwords, messages, credit cards etc)." - this is on all pages on my site including the login page and all my admin pages.

This gives me, and maybe others that may read the security messages, the sense that I may not be taking all reasonable measures with website security even though it would be difficult for someone to intercept transmissions.

The questions I think that need to be answered...

- Is getting a genealogy website SSL certified (encrypted) a "reasonable" security measure to expect from the site administrator or not?
- For those of you who have SSL, have you experienced any adverse issues with getting it for your website??
- What are the financial costs?
- Can you recommend an SSL provider and an installation process?

Chris Lloyd, Posted September 1, 2016

Merv

IMHO using SSL and https is quite valuable - if only to re-assure site visitors. I use it on sites where visitors enter personal details - not my TNG one as I have it set that only I can edit.

Have a look at letsencrypt.org - a free and pretty easy system to use.

Cheers
Chris

Merv, Posted September 10, 2016

This from Simply Hosting...

> Matt R. (Staff)
>
> Merv,
>
> Over the past few days much has been made about Google's announcement to update Chrome so that it notifies users if a login form is insecure and potentially transmitting login data over an insecure connection. Google has actually been planning on this transition for some time (https://goo.gl/9Be0Ow), and Gustave has quietly been working behind the scenes in preparation. The Google announcement, however, has pushed the roll-out time frame a bit.
>
> That said, Gustave is currently working on transitioning each of our servers to automatically include SSL by default, for no extra cost. The server that you are on was transitioned today. I should note, though, that these changes require time to propagate throughout the domain name system, so not every website on our servers will be able to see the effect immediately.
>
> Also, it should especially be noted that the use of third party scripts that utilize links with non-secure http links will result in a message that the site is not secure. This can also happen with hard coded embedded images that use http links. This is what is known as mixed content, and will need to be addressed by the individual user to correct the message (i.e. - it is not a problem with the SSL, but rather the way that the person has his/her website set up).
>
> Regards,
> Matt
> SimplyHosting.net

> Merv,
>
> Everybody at Simply Hosting has a Let's Encrypt SSL certificate if they did not have an SSL before. These are three month certs, we will do our best to automatically keep them updated upon renewal. You do not have to do anything for yours. We will attempt to renew the one you have when the time comes.
>
> As long as Let's Encrypt stays free we should be able to keep doing this. I am not aware, at this time, of anything that could become a problem in the future. We can all hope they stay free and offer an API to generate certs.
>
> It would seem there is not a global setting to redirect traffic to https for TNG. People will need to re-direct through .htaccess as we have done for you with the following code or equivalent.
>
>     # Send any request that did not arrive over HTTPS to the same host and path on https://
>     RewriteEngine On
>     RewriteCond %{HTTPS} off
>     RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
>
> The code above may not work for some but it seems to be working for your site and a few others. I do not know if there will be negative impacts to special setups or other things that users may have on their site.
>
> Please note if you give any instructions that if people have "Mixed Content" that will need to be resolved for their site to be secure. What I know now is that a base TNG install will not have "Mixed Content".
>
> Regards,
> Gustave Dahl
> Simply Hosting .:. Owner

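The "mixed content" described in the Simply Hosting messages above can be located by scanning a page's HTML for sub-resources that are still loaded over http://. The following is an added example, not part of the original thread and not TNG or Simply Hosting code; the sample page and its URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Sub-resources that browsers treat as "active" mixed content (typically blocked
# on an https page) and as "passive" mixed content (typically loaded, but the
# page is then reported as not fully secure). Ordinary <a href> links are
# navigation, not sub-resources, so they are ignored.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))

    def _check(self, kind, tag, url):
        url = url.strip()
        # Relative, protocol-relative (//host/...) and https:// URLs are fine
        # once the page itself is served over https.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url))


def find_mixed_content(html):
    """Return (line, kind, tag, url) for every http:// sub-resource in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one third-party script and one hard-coded image
# still use http://, the two cases named in the hosting provider's message.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.org/css/site.css">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<a href="http://example.com/other-site">plain link, not mixed content</a>
<img src="http://example.org/photos/grandpa.jpg">
<img src="/photos/grandma.jpg">
<img src="//example.org/photos/protocol-relative.jpg">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind} mixed content in <{tag}>: {url}")
```

Each finding is fixed by changing the URL to https:// (or a relative path) in the template or custom code that emits it.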
rlgreen, Posted September 11, 2016

Merv -- I've been concerned about this too, as I'm trying to convince family to fill in the gaps in the family tree and many of them are hesitant for the reasons you mention. I'm with Bluehost, and I thought of just asking them how to handle it, but I know they'll try to sell me something that isn't necessarily the right or best thing.

It would be good to get some kind of official feedback from the TNG powers-that-be on this, clear statements on what is possible given the inner workings of the software, and best practices recommendations. That would seem like a good thing for all parties, given the potential for liabilities.

Merv, Posted September 11, 2016

Hi,

Obviously Darrin would be the person to put in a process for https to be standard from day one for new users, and for existing users to secure their sites. I am guessing that this will happen in the upcoming months.

tngrlkrz, Posted September 11, 2016

I'm thinking of trying LetsEncrypt. It has 'CertBot' which asks what OS is running. Will I find that in my Cpanel, or do I have to ask my Host?

Ron

bobbyfamilytree, Posted September 11, 2016

22 minutes ago, tngrlkrz said:
> I'm thinking of trying LetsEncrypt. It has 'CertBot' which asks what OS is running. Will I find that in my Cpanel, or do I have to ask my Host?
>
> Ron

I have this and it's within the settings on my host site. I simply just had to activate it.

tngrlkrz, Posted September 11, 2016

1 hour ago, bobbyfamilytree said:
> I have this and its within the settings on my host site. I simply just had to activate it.

I thought you indicated earlier you use Cloudflare, not LetsEncrypt? Regardless, my host is ICDSoft, and if I go outside free, then I need to do a few things myself. CertBot is asking a couple questions I have to get answers from my host provider.

Ron

tngrlkrz, Posted September 11, 2016

I will likely go with Geotrust's RapidSSL for my 'Live' TNG, which works with my hosting provider ICDSoft to offer a $30/yr vs. $60+ outside ICDSoft. And ICDSoft handles all except the code switch that Darrin already has in globallib.php for http to https transition.

LetsEncrypt uses a Bot-Like conversion, and ICDSoft isn't able to help with that, whereas SimplyHosting sets it up for you. I cannot justify the hassle of switching hosting services.

I will leave my 'Test' subdomains as http, since I am the only user. I have read of Certificate issuing entities being hacked as well, but RapidSSL has a good track record so far.

Ron
www.kmtrees.com

Merv, Posted September 11, 2016

2 hours ago, tngrlkrz said:
> I will likely go with Geotrust's RapidSSL for my 'Live' TNG, which works with my hosting provider ICDSoft to offer a $30/yr

The options can be a bit overwhelming but this sounds like a good deal for a 1 year SSL, host support and peace of mind that your users will perceive your site as secure.

12 months down the track you will obviously be able to make a better evaluation. We will be better informed and more knowledgeable on TNG/SSL by then also.

Merv, Posted September 11, 2016

5 hours ago, tngrlkrz said:
> I'm thinking of trying LetsEncrypt. It has 'CertBot' which asks what OS is running. Will I find that in my Cpanel, or do I have to ask my Host?
>
> Ron

Hi,

I don't know what Certbot is. I went to this page and entered my web address.

https://www.sslforfree.com/

The next page asked me for my CPanel Access details and the certificate and installation instructions were provided. If you follow the instructions you should be able to install the certificate yourself.

tngrlkrz, Posted September 12, 2016

Well, RapidSSL may wish to change their name. They advertise 1-2 hrs for the basic option, and it's been over 24 hrs since I signed up for $30. Apparently, and I only got this status by inquiring, the 1-2 hrs is ONLY if their robotic system works and nothing is kicked out. If any anomalies are found, it becomes a 'manual' process.

Good thing they have a 5-day refund. I may pull out if I hear nothing today. This is the recommended cert issuer by ICDSoft, whose support for hosting has been very quick and satisfactory, so no problem with them, but they should maybe recommend someone else.

Ron
TNG 11.0.1 http://www.kmtrees.com
wampserver 2.5, legacy 7.5, family historian 6.2.2, win 10 pro

tngrlkrz, Posted September 12, 2016

OK, so I pushed ICDSoft on this to contact RapidSSL and they did activate the SSL within 1/2 hour after that. However, though https works fine, so does http, but of course with a little red triangle on the url line.

Is there some time I have to wait? I thought, like other secure sites, any attempt to access non-https would be rejected with an error (like this site) with 'site cannot be reached'. I did clear cache etc.

Ron

rlgreen, Posted September 12, 2016

Is this something Darrin is working on? If there's a way to streamline it from within, and that means I won't have to fuss with third party software, that would be ideal.

tngrlkrz, Posted September 12, 2016

Update: ICDSoft was very quick and helpful to have me add the .htaccess file just above (not in) the tng root directory, the following code which forces all access to https for my tng domain. Seems to work fine. Wish I could have done it w/o cost, ....maybe next year ;>)

    # Redirect requests that arrive on port 80 to the https:// site
    # ([R] with no status code sends a temporary 302 redirect)
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.kmtrees.com/$1 [R,L]

This was a bit different than an earlier reference in this forum; sort of surprised using an absolute server port of 80. Whereas the other code I saw referenced by Gustave was:

    # Redirect any non-HTTPS request to the same host and path (permanent 301 redirect)
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

And... I just tried both, and either one of these works! Which is better? Probably Gustave's since it uses system variables?

Ron

Merv, Posted September 13, 2016

22 hours ago, rlgreen said:
> Is this something Darrin is working on? If there's a way to streamline it from within, and that means I won't have to fuss with third party software, that would be ideal.

Hi,

I don't think SSL Certificates are a TNG issue but more a hosting issue although TNG users should be made aware of

- the option of a secured or unsecured site when they choose a hosting provider, and take into consideration what services the provider provides as far as SSL certificates (see next section)
- the advantages and disadvantages of having a secure site
- how to identify unsecured content on our sites and how to secure it
- the redirection requirement from http to https

It is probably more a hosting issue, and the questions that should be asked of them are

- What are the certificate options the hosting provider provides - paid/free?
- If the provider only has paid options, can a free certificate be installed?
- Who can do the installation - provider/customer/both and if there are any costs involved?
- Who can do the redirect - provider/customer/both and if there are any costs involved?

As far as streamlining, and at the moment, Simply Hosting (the recommended TNG hosting provider) has upgraded all their TNG sites to https for free. Anyone with them should be able to see their secure site by simply changing the address in the address bar to https.

To get your users to enter your secure address site by default you will need to get the redirection done. If you ask nicely, they will do this for you for free (they did for me).

Only time will tell whether Simply Hosting will put in place a policy of redirecting all their TNG sites to https by default or not... but I'm guessing they will.
So if you are with Simply Hosting you may not have to do anything and it will eventually happen automatically and for free.

To stay competitive, I'm guessing the other hosting providers will improve their policy around this issue over time.

rlgreen, Posted September 14, 2016

Merv -- thanks for the clarification. I think I've got it now.

tngrlkrz, Posted September 14, 2016

10 hours ago, Merv said:
> As far as streamlining, and at the moment, Simply Hosting (the recommended TNG hosting provider) has upgraded all their TNG sites to https for free. Anyone with them should be able to see their secure site by simply changing the address in the address bar to https.
>
> To get your users to enter your secure address site by default you will need to get the redirection done. If you ask nicely, they will do this for you for free (they did for me)
>
> Only time will tell whether Simply Hosting will put in place a policy of redirecting all their TNG sites to https by default or not... but I'm guessing they will.
>
> So if you are with Simply Hosting you may not have to do anything and it will eventually happen automatically and for free

Merv,

Good analysis. One clarification, you indicated Simply Hosting is 'the' recommended hosting provider, actually ICDSoft has also been recommended by Darrin. While I did have to pay a fee ($30/yr) to Geotrust's RapidSSL, ICDSoft was very helpful and responded within 1-3 minutes to every question I had, and, like Gustave, supplied the redirect information to me for putting in the .htaccess file above the TNG root folder.

I have had no issue so far, and no 'mixed content' rejection. Paying the price of a nice dinner for having an SSL certification is OK by me, at least this first year.

Ron

Merv, Posted September 14, 2016

4 hours ago, tngrlkrz said:
> One clarification, you indicated Simply Hosting is 'the' recommended hosting provider, actually ICDSoft has also been recommended by Darrin.

Hi Ron,

My apologies... I was going off the (mis?)information on the TNG promo site (at the bottom of the page)...

http://www.tngsitebuilding.com/software.php

tngweb, Posted September 14, 2016

As a web hosting provider, my company uses cPanel/WHM for client side management. With the release of cPanel/WHM v58, it is now possible for a web host provider to offer FREE SSL certs provided by Comodo through what is called AutoSSL which is now built into the package. The certs are good for 1 year and automatically renew. If there is an issue with the cert, then the AutoSSL can actually repair the cert.

A side note about AutoSSL, it is NOT transferable between hosts.

Another note about SSL, you can NOT purchase or install SSL certs on a shared hosting environment UNLESS the provider is using AutoSSL. Regular SSL's would cause major conflicts on the shared hosting environment UNLESS you have a dedicated IP for your site. 99.99% of hosting providers do charge for dedicated IP addresses.

In order to force a redirect to https, follow the outline posted by Gustave and tngrlkrz. Those are right on, but BEFORE you set the redirect, you MUST have a valid SSL cert installed.

tngrlkrz, Posted September 14, 2016

4 hours ago, Merv said:
> Hi Ron,
>
> My apologies... I was going off the (mis?)information on the TNG promo site (at the bottom of the page)...
>
> http://www.tngsitebuilding.com/software.php

Merv,

As of today, you are likely right about TNG references to Simply Hosting vs. ICDSoft. There's an advert. on the promo page, and a direct recommendation in the FAQ section...and no longer any mention of ICDSoft. Minor deal, likely cost weighs in on this, but back in 2004 (wow, 12 years with TNG). A quote from Darrin in 2004 when I signed up.

"If you do go with ICDSoft, let me know if you wouldn't mind, since they give credit for making referrals. Even if they didn't I would still recommend them, however. The few times I've had issues I've submitted support tickets and have always had them answered within an hour (not to mention what they offer by way of features for their very small price)."

Darrin may have switched providers since then, but I can testify that his comment on ICDSoft support response times is still right on, in fact, in minutes is more accurate today. But I can vouch for ICDSoft as an excellent choice. Never had downtime, and system backups/restores have worked flawlessly.

Brings up a question, for those who have done it, just how difficult is it to switch providers? Curious.

Ron

Ken Roy, Posted September 14, 2016

I found a TLS and SSL article on the TNG Wiki that was started by Olaf Tiege 3 years ago. I have added it to the Security category on the wiki. Some of the issues identified have been fixed in TNG versions since that time.

Those of you who have recently converted to using SSL should update the article as appropriate.

Thanks.