Re: Why not even a self-signed HTTPS certificate?
Posted: 2016-11-25 23:54
In the hypothetical case that it were adopted, there's no need for a self-signed HTTPS certificate now that letsencrypt is available from Debian backports.
The objective of Certbot, Let's Encrypt, and the ACME (Automated Certificate Management Environment) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.
------------------------
From: https://perezbox.com/2015/07/https-does ... r-website/
The actual act of securing a website is a very complex process. HTTPS does not stop attackers from hacking a website, web server or network. It will not stop an attacker from exploiting software vulnerabilities, brute forcing your access controls or ensure your website's availability by mitigating Distributed Denial of Services (DDOS) attacks.
Here are a number of articles I’ve written that better explain the dynamic nature of securing your websites, and what happens when you don’t. Notice how HTTPS has very little to do with the process. ---snip---
To prove this point, you can see various examples in recent history in which several entities had their certificates spoofed. In 2014, Threatpost reported that a number of popular entities were having their certificates spoofed: ---- read more--
Notice that sub-domain link packages.debian.org given by stevepusser is secured with a letsencrypt certificate whilst the main domain, debian.org, is verified by gandi.
stevepusser wrote:
The Free Software Foundation is giving certificates away; there's even a Debian package for it in the repos: https://packages.debian.org/jessie-backports/certbot
by kedaha » after installing the Debian packages for letsencrypt on my server which runs apache2. And I was able to set it up in no time at all.
I know it is an old topic, but anyway, just because a site has an SSL certificate,
From: https://www.wordfence.com/blog/2017/04/ ... -phishing/
====
We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.
This would be the ideal situation, as I mentioned earlier, someone struggling with a crippled system could have trouble accessing if it is https, that would give them an alternative.
Post by kedaha »
One advantage of letsencrypt is that the option to access the site via https could be implemented easily in addition to http for users who prefer it.