What are you gonna do with your HTTP sites?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • sirkonstantine
    Confirmed User
    • Jan 2012
    • 281

    #1

    Tech What are you gonna do with your HTTP sites?

    RE: Google Will Soon Shame All Websites That Are Unencrypted | Motherboard

    Google is gonna display unsecure notices for HTTP sites soon. Are you gonna encrypt them all? If so, check out https://letsencrypt.org/ as it gives you SSL certs for free (here is the cPanel script https://github.com/Prajithp/letsencrypt-cpanel). 301-ing HTTP to HTTPS does not lose PageRank by the way (see No PageRank Loss When 301 or 302 Redirect to HTTPS).

    If not, what are you gonna do?

    For me, I'm gonna sit down and update my sites to HTTPS this quarter. I might also cough up some cash to buy SSL certs on web hosts that can't run Lets Encrypt. For PBNs, I'll let them stay with HTTP since they're not meant to get human visitors anyways.
  • rowan
    Too lazy to set a custom title
    • Mar 2002
    • 17393

    #2
    Been thinking about this myself. Google absolutely loves one of my sites (#1 out of 1m+ results) so this could be a killer.

    This blog post makes me think that Let's Encrypt is maybe not quite ready for widespread deployment yet? I would imagine a browser generated security warning would probably be even more of a roadblcok, when compared to a Google warning...

    https://letsencrypt.org/2016/08/05/l...y-mozilla.html

    What company do people recommend for buying a certificate from, in the meantime?

    Comment

    • rowan
      Too lazy to set a custom title
      • Mar 2002
      • 17393

      #3
      https://letsencrypt.org/docs/certificate-compatibility/

      Looks like it's more widely supported than I thought. I see the occasional Blackberry and Nintendo 3DS user-agent in my logs, nothing much I can do there...

      Comment

      • Serge Litehead
        Confirmed User
        • Dec 2002
        • 5190

        #4
        each SSL cert must be on their own dedicated IP

        usually IPv4 costs monthly $3-5 per IP
        IPv6 supposedly should be cheaper. Does anyone know any hosts letting have bunch of IPv6 for cheap and configurable for SSL/HTTPS?

        Comment

        • rowan
          Too lazy to set a custom title
          • Mar 2002
          • 17393

          #5
          Originally posted by holograph
          each SSL cert must be on their own dedicated IP
          I'd forgotten about that.

          Looks like there is a solution, but it's not universally supported:

          https://en.wikipedia.org/wiki/HTTPS#Limitations

          "Because TLS operates below HTTP and has no knowledge of higher-level protocols, TLS servers can only strictly present one certificate for a particular IP/port combination. This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many older browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista."

          Does this mean that Google strongarming webmasters into using HTTPS is going to further accelerate the exhaustion of IPv4 space?

          Comment

          • freecartoonporn
            Confirmed User
            • Jan 2012
            • 7683

            #6
            use cloudflare get free https ...
            SSD Cloud Server, VPS Server, Simple Cloud Hosting | DigitalOcean

            Comment

            • Barry-xlovecam
              It's 42
              • Jun 2010
              • 18083

              #7
              SNI works except on out dated browsers. People with out dated browsers are not buyers ...

              I don't think that is an issue. Google is making more work for a busy world -- that is a problem -- then beating on site owners because of packet sniffing (mostly by world governments).

              So, this is really Google's way of making packet sniffing as difficult an possible (Google's real motivation). Google's second motivation is in reducing the number of websites that they will index -- most of the spammy or legacy domains will not adapt and die

              Comment

              • trevesty
                Confirmed User
                • Aug 2006
                • 3810

                #8
                Any site I've cared about has been HTTPS for a year or so.

                I'm glad the rest of the industry is extremely slow to adapt, though. Makes competition pretty easy.
                The Fap Guide

                Comment

                • rowan
                  Too lazy to set a custom title
                  • Mar 2002
                  • 17393

                  #9
                  Originally posted by freecartoonporn
                  use cloudflare get free https ...
                  Wouldn't be surprised if in 5 or 10 years time Google starts "warning" people about cloudflare hosted sites, too. They don't exactly keep their noses clean. Also, their faux HTTPS product defeats the purpose of using certificates and encryption - surfers think the connection is fully encrypted, with a nice padlock showing in their browser, when it's actually all clear text between cloudflare and the web server, and can be sniffed or MITM'd just like any other HTTP connection...

                  Comment

                  • The Porn Nerd
                    Living The Dream
                    • Jun 2009
                    • 19780

                    #10
                    Fuck Google in the ass.
                    My Affiliate Programs:
                    Porn Nerd Cash | Porn Showcase | Aggressive Gold

                    Over 90 paysites to promote!
                    Now on Teams: peabodymedia

                    Comment

                    • ErectMedia
                      Confirmed Chicago Pimp
                      • Aug 2004
                      • 7100

                      #11
                      Originally posted by rowan
                      What company do people recommend for buying a certificate from, in the meantime?
                      https://www.NameCheap.com

                      Comment

                      • rowan
                        Too lazy to set a custom title
                        • Mar 2002
                        • 17393

                        #12
                        Originally posted by ErectMedia
                        Sneaky using your affiliate URL. Have you actually used them for certificates?

                        Comment

                        • Major (Tom)
                          So Fucking Banned
                          • Nov 2003
                          • 32492

                          #13
                          We did this and our sales litterally shut off. We reverted

                          Comment

                          • rowan
                            Too lazy to set a custom title
                            • Mar 2002
                            • 17393

                            #14
                            Originally posted by DukeSkywalker
                            We did this and our sales litterally shut off. We reverted
                            I guess this is going to sound like a stupid question, but did you double check that everything was working - certificates valid, no weird errors in logs etc - so you could conclusively say it was the switch to HTTPS that killed the sales? If it wasn't a technical issue, why do you think the switch caused that effect?

                            Comment

                            • directfiesta
                              Too lazy to set a custom title
                              • Oct 2002
                              • 30148

                              #15
                              Originally posted by holograph
                              each SSL cert must be on their own dedicated IP

                              usually IPv4 costs monthly $3-5 per IP
                              IPv6 supposedly should be cheaper. Does anyone know any hosts letting have bunch of IPv6 for cheap and configurable for SSL/HTTPS?
                              I have an HTTPS site for a client, no dedicated IP .
                              Godaddy host , Godaddy SSL
                              I know that Asspimple is stoopid ... As he says, it is a FACT !

                              But I can't figure out how he can breathe or type , at the same time ....

                              Comment

                              • Kafka
                                Confirmed User
                                • Oct 2002
                                • 466

                                #16
                                HTTPS is very useful for adult

                                Comment

                                • Serge Litehead
                                  Confirmed User
                                  • Dec 2002
                                  • 5190

                                  #17
                                  Originally posted by directfiesta
                                  I have an HTTPS site for a client, no dedicated IP .
                                  Godaddy host , Godaddy SSL
                                  are you sure it's not a dedicated IP? I mean, does client have other domains under same ip all working fine?
                                  I don't see how it is possible, having multiple domains and a single or multiple SSLs on one IP.

                                  If that is true, then it is super cool and means anyone could have all their sites HTTPSed affordably, virtually hosted on only one IP. - but that's not how it works, as far as I know
                                  Also, godday is in the business of leasing extra ipv4 IPs at $6 a pop, monthly I think

                                  Comment

                                  • ErectMedia
                                    Confirmed Chicago Pimp
                                    • Aug 2004
                                    • 7100

                                    #18
                                    Originally posted by rowan
                                    Have you actually used them for certificates?
                                    Use a good handful of the RapidSSL ones at $10.95. They have a $9 Comodo one as well but haven't tried that one.

                                    Comment

                                    • ironwebmaster
                                      Confirmed User
                                      • Apr 2016
                                      • 411

                                      #19
                                      Originally posted by rowan
                                      Wouldn't be surprised if in 5 or 10 years time Google starts "warning" people about cloudflare hosted sites, too. They don't exactly keep their noses clean. Also, their faux HTTPS product defeats the purpose of using certificates and encryption - surfers think the connection is fully encrypted, with a nice padlock showing in their browser, when it's actually all clear text between cloudflare and the web server, and can be sniffed or MITM'd just like any other HTTP connection...
                                      I'm a little intrigued by your answers, would you add me on skype pls? I'd like to talk
                                      The Ultimate Affiliate Directory for Adult Webmasters

                                      Comment

                                      • directfiesta
                                        Too lazy to set a custom title
                                        • Oct 2002
                                        • 30148

                                        #20
                                        Originally posted by holograph
                                        are you sure it's not a dedicated IP? I mean, does client have other domains under same ip all working fine?
                                        I don't see how it is possible, having multiple domains and a single or multiple SSLs on one IP.

                                        If that is true, then it is super cool and means anyone could have all their sites HTTPSed affordably, virtually hosted on only one IP. - but that's not how it works, as far as I know
                                        Also, godday is in the business of leasing extra ipv4 IPs at $6 a pop, monthly I think
                                        Here are the screen capos ... I was surprised too . As you can see, it is an https site :







                                        and it is cleary not the only site on that IP :




                                        cost the SSL , first year cheap, about 14.00


                                        Site is actually done , but hidden to public and not live as client has not yet given the OK .
                                        I know that Asspimple is stoopid ... As he says, it is a FACT !

                                        But I can't figure out how he can breathe or type , at the same time ....

                                        Comment

                                        • rowan
                                          Too lazy to set a custom title
                                          • Mar 2002
                                          • 17393

                                          #21
                                          Originally posted by holograph
                                          are you sure it's not a dedicated IP? I mean, does client have other domains under same ip all working fine?
                                          I don't see how it is possible, having multiple domains and a single or multiple SSLs on one IP.

                                          If that is true, then it is super cool and means anyone could have all their sites HTTPSed affordably, virtually hosted on only one IP. - but that's not how it works, as far as I know
                                          Also, godday is in the business of leasing extra ipv4 IPs at $6 a pop, monthly I think
                                          See the above reference to Server Name Indication (SNI) which lets you use more than one hostname per SSL IP.

                                          It is apparently widely supported, but not quite 100% (eg not supported by XP+IE)

                                          Hmm, come to think of it, I used XP SP3 until about 2 years ago.

                                          Comment

                                          • rowan
                                            Too lazy to set a custom title
                                            • Mar 2002
                                            • 17393

                                            #22


                                            Was checking out Comodo, went to bed, got up to find this.

                                            That's like one popup attempt every 30-40 seconds. They really want to get my attention. There's also a window floating around that asks me to explain why I don't want to buy.

                                            Comment

                                            • NemesisEnforcer
                                              Confirmed User
                                              • Aug 2003
                                              • 2122

                                              #23
                                              Good conversation
                                              The Only Time When Success Comes Before Work Is In A Dictionary.

                                              Did you ever notice: When you put the 2 words 'The' and 'IRS' together it spells 'Theirs.'

                                              Comment

                                              • Jigster715
                                                So Fucking Banned
                                                • Jul 2015
                                                • 1459

                                                #24
                                                Originally posted by rowan


                                                Was checking out Comodo, went to bed, got up to find this.

                                                That's like one popup attempt every 30-40 seconds. They really want to get my attention. There's also a window floating around that asks me to explain why I don't want to buy.
                                                We tried Comodo one year. Never again. Hard sell then support falls off the planet. They got upset when I posted a support request in their forum which they use as a sales tool. "ALL Hail, the Great Comodo" kind of bullshit.

                                                Comment

                                                • Serge Litehead
                                                  Confirmed User
                                                  • Dec 2002
                                                  • 5190

                                                  #25
                                                  Originally posted by directfiesta
                                                  Here are the screen capos ... I was surprised too . As you can see, it is an https site :
                                                  ...
                                                  and it is cleary not the only site on that IP :
                                                  ...
                                                  cost the SSL , first year cheap, about 14.00


                                                  Site is actually done , but hidden to public and not live as client has not yet given the OK .
                                                  Originally posted by rowan
                                                  See the above reference to Server Name Indication (SNI) which lets you use more than one hostname per SSL IP.

                                                  It is apparently widely supported, but not quite 100% (eg not supported by XP+IE)

                                                  Hmm, come to think of it, I used XP SP3 until about 2 years ago.
                                                  That's pretty neat. I've got a VPS at godaddy I manage, will be toying around with setting up SSL there in some time. Will be seeing if I could get ipv6 and config it that way or get the SNI work. So far I remember checking out SSL config through WHM/Cpanel is that they make a point that the dedicated IP is required.

                                                  Comment

                                                  • rowan
                                                    Too lazy to set a custom title
                                                    • Mar 2002
                                                    • 17393

                                                    #26
                                                    Originally posted by Jigster715
                                                    We tried Comodo one year. Never again. Hard sell then support falls off the planet. They got upset when I posted a support request in their forum which they use as a sales tool. "ALL Hail, the Great Comodo" kind of bullshit.
                                                    Interesting.

                                                    I did notice that the testimonials shown their product page seem to be excessively positive, like they're manipulated (delete anything negative), or totally fake.

                                                    For the moment I'll continue playing around with https://letsencrypt.org/ , as my site doesn't need strong verification/trust from its users, just HTTPS to keep the big G happy.

                                                    Comment

                                                    • sandman!
                                                      Icq: 14420613
                                                      • Mar 2001
                                                      • 15427

                                                      #27
                                                      SNI works on almost al browsers the only traffic you will loose is from people on windows xp running IE and some very old cell phones which is not all that much if the website is important get a dedicated ip if its not use SNI.



                                                      Originally posted by rowan
                                                      I'd forgotten about that.

                                                      Looks like there is a solution, but it's not universally supported:

                                                      https://en.wikipedia.org/wiki/HTTPS#Limitations

                                                      "Because TLS operates below HTTP and has no knowledge of higher-level protocols, TLS servers can only strictly present one certificate for a particular IP/port combination. This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many older browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista."

                                                      Does this mean that Google strongarming webmasters into using HTTPS is going to further accelerate the exhaustion of IPv4 space?
                                                      Need WebHosting ? Email me for some great deals [email protected]

                                                      Comment

                                                      • Markul
                                                        Likes Pie
                                                        • Dec 2007
                                                        • 12403

                                                        #28
                                                        Originally posted by rowan
                                                        Been thinking about this myself. Google absolutely loves one of my sites (#1 out of 1m+ results) so this could be a killer.

                                                        This blog post makes me think that Let's Encrypt is maybe not quite ready for widespread deployment yet? I would imagine a browser generated security warning would probably be even more of a roadblcok, when compared to a Google warning...

                                                        https://letsencrypt.org/2016/08/05/l...y-mozilla.html

                                                        What company do people recommend for buying a certificate from, in the meantime?
                                                        I hate to say it.. But go with Godaddy for SSL certs.
                                                        But.... I pulled out...

                                                        Comment

                                                        • Jigster715
                                                          So Fucking Banned
                                                          • Jul 2015
                                                          • 1459

                                                          #29
                                                          Originally posted by rowan
                                                          Interesting.

                                                          I did notice that the testimonials shown their product page seem to be excessively positive, like they're manipulated (delete anything negative), or totally fake.

                                                          For the moment I'll continue playing around with https://letsencrypt.org/ , as my site doesn't need strong verification/trust from its users, just HTTPS to keep the big G happy.
                                                          They leave posts up but they will complain to you privately.

                                                          Comment

                                                          Working...