Difference between revisions of "SSL (Secure Sockets Layer)"

From HE FAQ
Jump to: navigation, search
(Created page with ''''<span style="color:#8B0000">Please note: For new "Version 3" hosting servers, see the bottom of this topic page for information regarding obtaining an SSL Cert for your accoun…')
 
(Updated to current standards and methods)
 
(20 intermediate revisions by 6 users not shown)
Line 1: Line 1:
'''<span style="color:#8B0000">Please note: For new "Version 3" hosting servers, see the bottom of this topic page for information regarding obtaining an SSL Cert for your account on a new server. If you are unsure about the version of the server that your account resides, please contact [mailto:support@he.net support@he.net] for further assistance.</span>'''
+
{{1 prefix}}
 +
'''<span style="color:#8B0000">Please note: This information applies to our current "Version 3" hosting servers. If you are unsure about the version of the server on which your account resides, or if you need assistance with an older "Version 1" or "Version 2" server, please contact [mailto:support@he.net support@he.net] for assistance.</span>'''
  
 
----
 
----
== What does SSL mean? ==
+
== What do SSL and TLS mean? ==
  
 +
SSL is an acronym for Secure Sockets Layer. TLS stands for Transport Layer Security.  They are protocols used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server. For web traffic to be encrypted means that traffic between the server and your browser is scrambled so that it is unintelligible if intercepted.
  
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server. For web traffic to be encrypted means that traffic between the server and your browser is scrambled so that it is unintelgible if intercepted.
+
While people frequently refer to SSL Certificates for authentication, SSL is a deprecated technology and is no longer used. All our servers use TLS.
Why is that when I try to access a secure web page on your server my browser shows an error message saying something about an "unknown authority", and won't load the page.
+
  
We have changed all of the secure certificates on our servers to Thawte. Because at one time the only certifying agency was Verisign, older web browsers will only recognize secure certificates from them. To avoid getting error messages in the future you should add Thawte's certificate to your database of CA's (Certificate Authorities):
+
== How do I use SSL/TLS? ==
 
+
http://www.thawte.com/serverbasic.crt or update your browser.
+
 
+
 
+
== How do I use SSL? ==
+
  
 
All accounts include a secure web directory. Your secure web directory is named:
 
All accounts include a secure web directory. Your secure web directory is named:
  
/home/''accountname''/secure_html
+
/home/accountname/secure_html
 
+
where ''accountname'' is your account name. Your secure web URL is:
+
 
+
https://''servername''/~accountname
+
 
+
where ''servername'' is the name of the server your account is on. An example secure web URL might be:
+
 
+
<nowiki>https://thor.he.net/~rflyer</nowiki>
+
 
+
To invoke user CGI scripts using SSL use:
+
 
+
<nowiki>https://servername/cgi-bin/suid/~accountname/scriptname</nowiki>
+
 
+
To invoke system CGI scripts using SSL use:
+
 
+
<nowiki>https://servername/cgi-bin/scriptname</nowiki>
+
 
+
 
+
== What advantage, if any, is there to a secure page using SSL? ==
+
 
+
The page and any response using forms on it are encrypted in transit so that eavesdroppers which may observe raw traffic passing through their networks can't read it. This is especially useful in shared environments, such as a college campus or a large office which uses standard 10 base T ethernet hubs or thin ethernet, where all machines can see all traffic.
+
 
+
The use of a secure form increases the willingness of people to submit orders online using their credit card, which means increased sales for you.
+
Why can I use <nowiki>https://servername/~accountname</nowiki> but not <nowiki>https://virtualhostname</nowiki> ?
+
The digital certificates used in SSL are issued by certificate authorities (such as VeriSign and Thawte). A digital certificate will only work for the specific domain name it was issued for.
+
 
+
To obtain a digital certificate you must prove that you have the legal right to use the domain name the certificate is to be issued for, prove that you are who you say you are (for a corporation you may be required to provide its articles of incorporation), and pay the necessary fee ($295 for the first year if you use VeriSign) to the certificate authority.
+
 
+
We have purchased digital certificates for all of our shared web servers to save you the cost, delay, and difficulty of obtaining a certificate. To take advantage of our pre-installed digital certificates you must use the domain name of the server in your https (SSL) URL.
+
 
+
 
+
== How do I use frames with SSL? ==
+
 
+
When using frames with ssl, a new window must be created otherwise ssl will not work.
+
Where do I install and how do I call secure cgi scripts?
+
The cgi scripts are placed in your cgi-bin and called using the URL:
+
 
+
<nowiki>https://server.he.net/cgi-bin/suid/~accountname/script.cgi</nowiki>
+
 
+
 
+
== How do I get a secure form to send encrypted email? ==
+
 
+
You would use PGP (Pretty Good Privacy) for that. Please see:
+
 
+
http://web.mit.edu/network/pgp.html
+
 
+
  
== How do I correctly call a cgi script from within a secure form? ==
+
where ''accountname'' is your account name.
  
Please use:
+
In order to use TLS, you will need to either have your own TLS certificate for your site or install a [[Let's_Encrypt|Let's Encrypt]] certificate.  A TLS certificate can be purchased from a third-party certificate authority, such as Godaddy.com, GeoTrust, or VeriSign.
  
<nowiki>https://server/cgi-bin/suid/~accountname/scriptname</nowiki>
+
We do also support self-signed certificates.  However, these certificates will always throw warnings in a web browser and are not recommended.
  
Make sure to replace where it says server with your domain name or the domain name on which your account is located. Also replace where it says ''accountname'' with the name of your account and scriptname with the name of your script. For example:
+
In either case, the first step is to generate a CSR.
  
<nowiki>https://thor.he.net/cgi-bin/suid/~rflyer/novato.cgi</nowiki>
+
== What is a CSR? How do I get one? ==
  
 +
The CSR is a Certificate Signing Request.  It consists of a block of encoded text that you send to a certificate provider that they use to generate the certificate.
  
== When I access my secure site, I get a message that says "One of the Certificates Has Expire." How do I fix that? ==
+
Click on "Manage Secure Certificates" in the https://admin.he.net account management system to bring up the CSR generator and secure certificate installation tool.
  
The Thawte root secure certificates embedded in Netscape Navigator 3.x and Microsoft Internet Explorer 3.x and earlier expired in July 1998. All root certificates will eventually expire and will need to be updated. To keep up with this, certificate issuers give software manufacturers their latest certificates to include in new releases of their browsers.
+
Next, verify all the information, and then click the "generate" button. This will generate the CSR for you in the text box below. It can be copied and pasted like any other text, and saved to a text file or sent in a web form.
  
Users of Netscape Navigator 3.x and Microsoft Internet Explorer 3.x and earlier can upgrade their browsers by following the instructions at:
+
== How can I install a certificate for my website? ==
  
http://www.thawte.com/certs/server/rollover.html
+
To install a purchased certificate, first generate the CSR and send this to your vendor per their instructions.  They will send you two files: one containing the site certificate and one containing a CA (Certificate Authority) Chain, Intermediate Bundle, or something to that effect. Open these in a text editor, such as Notepad or TextEdit. In Step 3 of "Manage Secure Certificates," paste the site certificate in the first box ("Certificate") and the CA Chain in the third box ("CA Chain"), then submit.
  
It takes 2 minutes and means you will no longer experience any problems accessing the millions of web sites with Thawte secure certificates.
+
To install a free Let's Encrypt certificate, follow the instructions [[Let's_Encrypt|here]].
  
Less than 15% of all installed browsers are effected by this.
+
== What advantage, if any, is there to a secure page using SSL/TLS? ==
  
 +
The page and any response using forms on it are encrypted in transit so that eavesdroppers which may observe raw traffic passing through their networks can't read it.  This was originally used only for sensitive information, such as passwords and credit card numbers, but is now recommended for all sites.  Search engines, such as Google and Bing, will penalize sites that do not have an "https" URL.
  
== How do I get an SSL Cert for my account on a new server? ==
+
An SSL/TLS certificate also serves to validate the page you are visiting as authentic.  This helps prevent websites from masquerading as the websites of legitimate businesses by using certain types of attack.  It is not a foolproof measure against phishing and other types of fraud, but does help.
  
On new servers, Hurricane Electric no longer provides a shared server SSL Certificate. If you wish to use SSL with your account, you can:
+
== My security scan company told me I had to disable TLSv1 on my website! Can you do that? ==
  
* Purchase your own SSL Certificate from a vendor. Hurricane Electric can help generate the CSR (Certificate Signing Request) required by vendors to purchase SSL Certificates. After purchase and providing the SSL Certificate to Hurricane Electric, it will be installed for that account.  
+
This isn't something we globally disable at this time. There is still a vast amount of people on old browsers that do not support TLSv1.2 or 1.3, which is unfortunate.
  
or:
+
Creation of an [[htaccess | .htaccess]] file in your secure_html directory with the following line should correct this issue:
  
* Request that a "self-signed" SSL Certificate be installed for your account. This process requires a valid CSR be generated in case you would like to purchase a valid signed SSL Certificate.
+
SSLCipherSuite ALL:-ADH:+HIGH:-MEDIUM:-LOW:-TLSv1:-EXP
  
To start the process for either option, please email support@he.net and request a CSR be generated, and make sure to say if you would like a "self-signed" SSL Certificate installed.
+
This will also take care of any warnings your scan company is giving you about low & medium length ciphers.
 +
[[Category:Webhosting]]

Latest revision as of 10:39, 9 June 2021

This information only pertains to Hurricane Electric's Shared Web Hosting package. There may be different information in our other categories.

Please note: This information applies to our current "Version 3" hosting servers. If you are unsure about the version of the server on which your account resides, or if you need assistance with an older "Version 1" or "Version 2" server, please contact support@he.net for assistance.


What do SSL and TLS mean?

SSL is an acronym for Secure Sockets Layer. TLS stands for Transport Layer Security. They are protocols used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server. For web traffic to be encrypted means that traffic between the server and your browser is scrambled so that it is unintelligible if intercepted.

While people frequently refer to SSL Certificates for authentication, SSL is a deprecated technology and is no longer used. All our servers use TLS.

How do I use SSL/TLS?

All accounts include a secure web directory. Your secure web directory is named:

/home/accountname/secure_html

where accountname is your account name.

In order to use TLS, you will need to either have your own TLS certificate for your site or install a Let's Encrypt certificate. A TLS certificate can be purchased from a third-party certificate authority, such as Godaddy.com, GeoTrust, or VeriSign.

We do also support self-signed certificates. However, these certificates will always throw warnings in a web browser and are not recommended.

In either case, the first step is to generate a CSR.

What is a CSR? How do I get one?

The CSR is a Certificate Signing Request. It consists of a block of encoded text that you send to a certificate provider that they use to generate the certificate.

Click on "Manage Secure Certificates" in the https://admin.he.net account management system to bring up the CSR generator and secure certificate installation tool.

Next, verify all the information, and then click the "generate" button. This will generate the CSR for you in the text box below. It can be copied and pasted like any other text, and saved to a text file or sent in a web form.

How can I install a certificate for my website?

To install a purchased certificate, first generate the CSR and send this to your vendor per their instructions. They will send you two files: one containing the site certificate and one containing a CA (Certificate Authority) Chain, Intermediate Bundle, or something to that effect. Open these in a text editor, such as Notepad or TextEdit. In Step 3 of "Manage Secure Certificates," paste the site certificate in the first box ("Certificate") and the CA Chain in the third box ("CA Chain"), then submit.

To install a free Let's Encrypt certificate, follow the instructions here.

What advantage, if any, is there to a secure page using SSL/TLS?

The page and any response using forms on it are encrypted in transit so that eavesdroppers which may observe raw traffic passing through their networks can't read it. This was originally used only for sensitive information, such as passwords and credit card numbers, but is now recommended for all sites. Search engines, such as Google and Bing, will penalize sites that do not have an "https" URL.

An SSL/TLS certificate also serves to validate the page you are visiting as authentic. This helps prevent websites from masquerading as the websites of legitimate businesses by using certain types of attack. It is not a foolproof measure against phishing and other types of fraud, but does help.

My security scan company told me I had to disable TLSv1 on my website! Can you do that?

This isn't something we globally disable at this time. There is still a vast amount of people on old browsers that do not support TLSv1.2 or 1.3, which is unfortunate.

Creation of an .htaccess file in your secure_html directory with the following line should correct this issue:

SSLCipherSuite ALL:-ADH:+HIGH:-MEDIUM:-LOW:-TLSv1:-EXP

This will also take care of any warnings your scan company is giving you about low & medium length ciphers.