OTish - accessing web site
RJH
2024-07-21 17:30:08 UTC
Hope this isn't too far off-topic . . . I do a web site for a small magazine -
it's basically a repository for their articles, with a few pictures.

I've had a few reports of people finding it impossible to access. The latest,
from an Android phone, returns the message 'Your connection is not private' .
. . hackers might be trying to steal your data, passwords, credit cards (etc),
with the footnote NET::ERR_CERT_AUTHORITY_INVALID.

Could this be because it's an http address - and not https? Or some zealous
protection on phones - also Windows users have reported the same problem? Or
maybe the site has been blacklisted somewhere.

Any ideas on how to get round this appreciated. I'm no expert, but the people
accessing the site are pretty clueless when it comes to such things.

The site is: http://post16educator.org.uk
--
Cheers, Rob, Sheffield UK
Andy Burns
2024-07-21 18:10:56 UTC
Post by RJH
I do a web site for a small magazine
I've had a few reports of people finding it impossible to access. The latest,
from an Android phone, returns the message 'Your connection is not private' .
The site is: http://post16educator.org.uk
My browser accepted that http:// link without "promoting" it to https://
but many devices will try to use https, and then object because the site
only has a self-signed certificate, which nothing is going to trust.

SSL certificates can be had for free, e.g. from LetsEncrypt, where is
the site hosted?
RJH
2024-07-21 18:32:11 UTC
Post by Andy Burns
Post by RJH
I do a web site for a small magazine
I've had a few reports of people finding it impossible to access. The latest,
from an Android phone, returns the message 'Your connection is not private' .
The site is: http://post16educator.org.uk
My browser accepted that http:// link without "promoting" it to https://
but many devices will try to use https, and then object because the site
only has a self-signed certificate, which nothing is going to trust.
Yep, I can sort of see why that 'needs to be' - but all of my devices accept
it without complaint.
Post by Andy Burns
SSL certificates can be had for free, e.g. from LetsEncrypt, where is
the site hosted?
Heart. I've only recently looked at this and their service looks pretty
rubbish:

https://www.heartinternet.uk/ssl-certificates

Think I'll go with Mythic Beasts. I followed a thread on here about them
recently . . .
Cheers, Rob, Sheffield UK
Andy Burns
2024-07-21 19:02:30 UTC
Post by RJH
Post by Andy Burns
SSL certificates can be had for free, e.g. from LetsEncrypt, where is
the site hosted?
Heart. I've only recently looked at this and their service looks pretty
Think I'll go with Mythic Beasts.
I'm with them for email, keep meaning to move a couple of websites to
them. They do support letsencrypt, so it won't cost you (other than
some time) to set it up.

They give instructions for "the complicated way" which they say you
probably shouldn't use

<https://www.mythic-beasts.com/support/domains/letsencrypt_dns_01>

But I can't see instructions for "the straightforward way" ...
Theo
2024-07-21 22:07:30 UTC
Post by Andy Burns
They give instructions for "the complicated way" which they say you
probably shouldn't use
<https://www.mythic-beasts.com/support/domains/letsencrypt_dns_01>
But I can't see instructions for "the straightforward way" ...
The simple way is you can select one of four options:

Security
--------
* Disable TLS:
Only http: URLs will work.

* Enable TLS
Generate and maintain a TLS certificate for this site. Both http: and https: URLs will work.

* Enable TLS and redirect to https:
All http: URLs will redirect to the corresponding https: URL.

* Enable TLS, redirect to https: and enable HSTS
HTTP Strict Transport Security (HSTS) tells browsers to only use https: for
this site for 14 days from the most recent visit. This makes it harder for
attackers to impersonate your site without a valid certificate, but also
makes it difficult for you to disable TLS in the future. It is recommended
that you only select this option once you are confident that TLS is working
correctly for your site.


Just ticking one of the last three should do it.

Theo
Jeff Gaines
2024-07-21 20:12:24 UTC
Post by RJH
Think I'll go with Mythic Beasts. I followed a thread on here about them
recently . . .
Cheers, Rob, Sheffield UK
Mythic Beasts over Heart Internet every time, I am with both and gradually
moving all to Mythic Beasts.
--
Jeff Gaines Dorset UK
If it's not broken, mess around with it until it is
Theo
2024-07-21 22:03:06 UTC
Post by RJH
Hope this isn't too far off-topic . . . I do a web site for a small magazine -
it's basically a repository for their articles, with a few pictures.
I've had a few reports of people finding it impossible to access. The latest,
from an Android phone, returns the message 'Your connection is not private' .
. . hackers might be trying to steal your data, passwords, credit cards (etc),
with the footnote NET::ERR_CERT_AUTHORITY_INVALID.
Could this be because it's an http address - and not https? Or some zealous
protection on phones - also Windows users have reported the same problem? or
maybe the site has been blacklisted somewhere.
Some browsers automatically upgrade http to https if there's something
listening on the https port, which there is in this case. Unfortunately
what's listening there is broken.
Post by RJH
Any ideas on how to get round this appreciated. I'm no expert, but the people
accessing the site are pretty clueless when it comes to such things.
First step is to use an SSL/TLS checker:

https://www.ssllabs.com/ssltest/analyze.html?d=post16educator.org.uk&latest

which shows several problems:

Common names       post16educator.ifyoucan.org.uk
Alternative names  post16educator.ifyoucan.org.uk mail.post16educator.org.uk
                   post16educator.org.uk www.post16educator.ifyoucan.org.uk
                   www.post16educator.org.uk cpanel.post16educator.org.uk
                   webmail.post16educator.org.uk webdisk.post16educator.org.uk
                   cpcontacts.post16educator.org.uk cpcalendars.post16educator.org.uk
                   autodiscover.post16educator.org.uk

Valid until        Sat, 25 Jun 2022 02:34:21 UTC (expired 2 years ago) EXPIRED
Trusted            No - NOT TRUSTED (Why?)
                   Mozilla / Apple / Android / Java / Windows

and the reason for that being:

1 Sent by server
Not in trust store post16educator.ifyoucan.org.uk Self-signed
Fingerprint SHA256: 788d1ad2f35d76f27f5ae88bb8c67ef4e962c5df4af99aede3a8643c248811c4
Pin SHA256: GxRKjr83KTrgJxxC93UOz1AOin6srnmXGhAmxonOqVQ=
RSA 2048 bits (e 65537) / SHA256withRSA
Valid until: Sat, 25 Jun 2022 02:34:21 UTC
EXPIRED


So there are two problems. The main one is the certificate is self-signed,
not from a known certification authority. Roughly, that's a bit like the
process where you might need to get your doctor to sign your passport photo
as a true likeness, but instead you sign it yourself - now nobody can trust
the photo. The other problem is that it's two years out of date.

The easier way to resolve this is to get a free certificate from Let's
Encrypt, who will vouch for your site if you configure it a particular way.

You can't do this yourself on a shared server, but Heart should be able to
do it - ask them. If they refuse then they're clueless and you need a new
host.

Theo
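The triage Theo does by hand above (is it self-signed, is it expired, does the name cover the site), as an added example that is not from anyone in this thread. The sample certificate dict is constructed to mirror the SSL Labs fields quoted above; `live_check` is an assumed helper name that does a verified handshake against the system trust store.

```python
import socket
import ssl
import time

# Constructed sample in ssl.getpeercert() layout, mirroring what SSL Labs
# reported in the thread: subject == issuer (self-signed), SAN list, 2022 expiry.
SAMPLE_CERT = {
    "subject": ((("commonName", "post16educator.ifyoucan.org.uk"),),),
    "issuer": ((("commonName", "post16educator.ifyoucan.org.uk"),),),
    "subjectAltName": (
        ("DNS", "post16educator.ifyoucan.org.uk"),
        ("DNS", "post16educator.org.uk"),
        ("DNS", "www.post16educator.org.uk"),
    ),
    "notAfter": "Jun 25 02:34:21 2022 GMT",
}

def san_matches(hostname, cert):
    """True if hostname is covered by a DNS SAN (exact or one-label wildcard)."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower()
        if pat == host:
            return True
        if pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]:
            return True
    return False

def diagnose(cert, hostname, now=None):
    """Offline triage of a cert dict: the three checks a browser applies."""
    now = time.time() if now is None else now
    return {
        "self_signed": cert["subject"] == cert["issuer"],  # nobody vouched for it
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
        "name_matches": san_matches(hostname, cert),
    }

def live_check(hostname, port=443, timeout=5):
    """Verified handshake using the system trust store. On failure, return
    OpenSSL's reason (e.g. 'self-signed certificate', 'certificate has expired');
    Python only hands back the parsed cert dict when verification succeeds."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"trusted": True, **diagnose(tls.getpeercert(), hostname)}
    except ssl.SSLCertVerificationError as err:
        return {"trusted": False, "reason": err.verify_message}
```

On the sample, `diagnose(SAMPLE_CERT, "post16educator.org.uk")` reports self-signed and expired but the name matching, which is exactly the split Theo describes: the names were fine, trust and validity were not.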
RJH
2024-07-25 16:22:01 UTC
Post by Theo
Post by RJH
Hope this isn't too far off-topic . . . I do a web site for a small magazine -
it's basically a repository for their articles, with a few pictures.
I've had a few reports of people finding it impossible to access. The latest,
from an Android phone, returns the message 'Your connection is not private' .
. . hackers might be trying to steal your data, passwords, credit cards (etc),
with the footnote NET::ERR_CERT_AUTHORITY_INVALID.
Could this be because it's an http address - and not https? Or some zealous
protection on phones - also Windows users have reported the same problem? or
maybe the site has been blacklisted somewhere.
Some browsers automatically upgrade http to https if there's something
listening on the https port, which there is in this case. Unfortunately
what's listening there is broken.
Post by RJH
Any ideas on how to get round this appreciated. I'm no expert, but the people
accessing the site are pretty clueless when it comes to such things.
https://www.ssllabs.com/ssltest/analyze.html?d=post16educator.org.uk&latest
Common names       post16educator.ifyoucan.org.uk
Alternative names  post16educator.ifyoucan.org.uk mail.post16educator.org.uk
                   post16educator.org.uk www.post16educator.ifyoucan.org.uk
                   www.post16educator.org.uk cpanel.post16educator.org.uk
                   webmail.post16educator.org.uk webdisk.post16educator.org.uk
                   cpcontacts.post16educator.org.uk cpcalendars.post16educator.org.uk
                   autodiscover.post16educator.org.uk
Valid until        Sat, 25 Jun 2022 02:34:21 UTC (expired 2 years ago) EXPIRED
Trusted            No - NOT TRUSTED (Why?)
                   Mozilla / Apple / Android / Java / Windows
1 Sent by server
Not in trust store post16educator.ifyoucan.org.uk Self-signed
788d1ad2f35d76f27f5ae88bb8c67ef4e962c5df4af99aede3a8643c248811c4
Pin SHA256: GxRKjr83KTrgJxxC93UOz1AOin6srnmXGhAmxonOqVQ=
RSA 2048 bits (e 65537) / SHA256withRSA
Valid until: Sat, 25 Jun 2022 02:34:21 UTC
EXPIRED
So there are two problems. The main one is the certificate is self-signed,
not from a known certification authority. Roughly, that's a bit like the
process where you might need to get your doctor to sign your passport photo
as a true likeness, but instead you sign it yourself - now nobody can trust
the photo. The other problem is that it's two years out of date.
The easier way to resolve this is to get a free certificate from Let's
Encrypt, who will vouch for your site if you configure it a particular way.
You can't do this yourself on a shared server, but Heart should be able to
do it - ask them. If they refuse then they're clueless and you need a new
host.
Theo
Thanks *very* much for that reply. I'll have a work through . . .
--
Cheers, Rob, Sheffield UK