"Not Secure" warning


(Dave Farrants) #21

I have 12 sites with one.com - very good uptime, free SSL and 1st year free (small setup fee) - Works for me!


(Jeremy Bohn) #22

I’ve been investigating an SSL certificate through our current host synergywebservices.ca and they offer one for free but the secure URL will be https://secure11.securewebexchange.com/“our domain name”

I don’t see how that would be of use to us. To get it to work with our actual domain name (called “Vanity”) there is an extra fee. I checked out the Cloudflare site and at first it appears to have the certificate for free, but it’s not clear to me if it’s just the same as synergy. Same with One.com - it just says SSL certificate.

Do Cloudflare and One’s free certificates allow me to use my web domain? Is there a way to use Synergy’s free certificate but maintain my actual domain?


(Paul Dennison) #23

I think you should ditch your current host and find one that gives you the SSL for free.


(Doug Bennett) #24

I agree with Paul (@pmjd). I would look for a new hosting company.

The way they’re offering the “free” SSL is to run your site as a sub-domain of some other URL. That was a common practice for hosting companies 5 or more years ago.

It sounds as if they’re not keeping current on best practices in hosting.
Let’s Encrypt certificates are free to them to offer, and run your domain as is. The only real reason today to buy a certificate is if you’re concerned about carrying an insurance bond. Most of the paid ones have a liability bond associated with them.

Certificates are issued by domain name so there’s no way to use your URLs with their certificate. With Let’s Encrypt you get your own certificate that gets installed and renewed on your domain.

CloudFlare will work as a “proxy” server providing your pages over their network. The end users aren’t aware that they are getting your pages served via CloudFlare, so the URLs look the same.

Keep in mind that with CloudFlare, pages are only secure from the CloudFlare server to the user’s computer. Unless you have a certificate on your server they’ll be non secure from your host to the CloudFlare server.

So even if you want to use CloudFlare for speed or other reasons, I’d still want to have a certificate on the server.

If you really don’t want to change hosts, then CloudFlare would get rid of the non secure warning. There’s a ton of posts here about setting up CloudFlare.


(Jeremy Bohn) #25

Thanks. I started doing the Let’s Encrypt thing then realized they only last for a couple of months.

Is there a recommended host that offers a “proper” certificate? Bluehost appears to be top rated.


(Don H) #26

Let’s Encrypt certificates can (should) be set up to auto-renew. Once set up, you should not have to worry about it. There’s no downside to using them on a web server.


(Jeremy Bohn) #27

Hmmm. I only mentioned they expire because they make a point for you to sign up so you’ll be emailed when they expire.


(Paul Dennison) #28

The UK hosting company I use has set up Let’s Encrypt for free and they have set up the auto renewal process as part of that so that it is a simple set and forget.


(Dave Farrants) #29

Yes, I have 12 sites all with one.com - all SSL - all with my domain names - all FREE.


(Doug Bennett) #30

If your hosting company offers Let’s Encrypt, the certificates should automatically renew prior to the 90-day expiration. With most hosts I’ve seen that offer the free certificate it’s a simple toggle option in their control panel. The auto renewal is automatic.

If you’re trying to install Let’s Encrypt on your own (the host doesn’t offer the free service) you’ll need shell access on the web server. Without shell access you would have to repeat a manual (time-consuming) process several times a year.

The reality is even with shell access, unless you’re comfortable with Unix command line it’s going to be difficult to get set up on your own. Let’s Encrypt has a good support community to help you out, but for most folks it’s easier to switch to a hosting company that has set up the automatic process.

The hosting company has to go through a similar process once (might take a good admin a few hours) and boom, every client would have a simple toggle to turn on automatic renewing Let’s Encrypt.
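Added example, not part of any poster's reply: the two points made in posts #24 and #30 (a certificate only covers the domain names listed in it, and a 90-day certificate needs renewing well before it runs out), written as a check over certificate details in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The two sample certificates, the `example.org` domain and the 30-day alert window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: warn when fewer than 30 of the 90 days remain


def name_matches(pattern, host):
    """Compare one DNS name from a certificate with the site's host name.
    A leading '*' label covers exactly one label, never the bare domain."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def check_cert(cert, host, now=None):
    """Return the problems found: 'name-mismatch', 'expired', 'renewal-overdue'."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # Only the DNS entries of subjectAltName say which domains are covered.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name-mismatch")
    # notAfter is a string such as 'Mar 31 00:00:00 2030 GMT'.
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        problems.append("expired")
    elif days_left < RENEW_WINDOW_DAYS:
        problems.append("renewal-overdue")
    return problems


# Constructed sample data (not real certificates).
# A host's shared certificate: it names only the host's own secure server.
SHARED_CERT = {"subjectAltName": (("DNS", "secure11.securewebexchange.com"),),
               "notAfter": "Jan  1 00:00:00 2031 GMT"}
# A certificate issued for the site's own domain, valid until 31 March 2030.
OWN_CERT = {"subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
            "notAfter": "Mar 31 00:00:00 2030 GMT"}

if __name__ == "__main__":
    today = datetime(2030, 3, 15, tzinfo=timezone.utc)
    print("shared:", check_cert(SHARED_CERT, "example.org", today))
    print("own:   ", check_cert(OWN_CERT, "example.org", today))
```

Run on a schedule against a site's own certificate, a non-empty result means either the wrong certificate is installed or the auto-renewal has stopped working.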


(Jeremy Bohn) #31

Thanks guys. My current host only offers up a way to upload a certificate. So I could create one manually with Let’s Encrypt which I already tried, but I’m going to see about switching hosts so it’s not a pain renewing.


(Tom Murray) #32

This tutorial is very good although the Cloudflare website looks slightly different now.


(Michelle Anderson) #33

I work for a web directory, and one of my tasks is to find sites and list them in the directory. You would be shocked at how many companies – and even governmental sites – do not have secure sites.

I personally have no problem viewing such sites, but I would never list one in the site due to the warnings that most browsers give. It would be suicide, because the public, for whom we list these sites, would by and large not continue to the sites, and eventually, it reflects badly on our directory.

I’ve spoken to editors with other directories, and it seems that the majority of them would not list them either.

Overall, that would affect the site owner’s traffic.


(Michelle Anderson) #34

Most web hosting companies’ support departments will tell you how to do it or send you an article or two. But if you try and cannot do it, you can usually get them to do it for you. It’s not that difficult once you understand what you’re doing.

And frankly, it seems to me that if you can make websites in the complicated Rapidweaver, you can most likely take the steps to secure the site. I have faith that you could do it :slight_smile:


(Tom Murray) #35

Indeed, see my previous posts in this thread.
One hosting service simply installed it for me, free of charge.
GoDaddy, however, still seems to think that they can make money on the SSL deal.

The link to the Realmac tutorial that I posted is very helpful and does not include much of the unnecessary web esoterica that I was encountering on the forum and other websites, pertaining to this subject.


(Michelle Anderson) #36

Yep. Typical of GoDaddy. They are probably still trying to recoup the money for their Super Bowl ads. :slight_smile:

I left them for a company that has 24/7 support, with all of their support personnel being native American English speakers, and all of whom have tended my 38 domains for years.

