Why Encrypt a website?

Simple: when you visit a website, you may fill in forms, enter passwords, credit card info or social security numbers, upload/download images, or send any other sensitive data. It’s not too difficult for even novice hackers to “intercept” that data. They may use tools like network sniffers together with rogue wireless access points in a public environment like an airport or cafe. Or it may simply be organizations that like to snoop or keep a tab on all the traffic in their network. That data can also get compromised (Believe it or not!🤗).

If a website address begins with https://, the browser will show the lock 🔒 sign, indicating that data between your browser and the website is now encrypted and no one intercepting the traffic in between can decipher it. Your data looks like garbage to them and is decrypted only at the two end points.

Encryption/Decryption explained

What is Let’s Encrypt

Let’s Encrypt is a FREE SSL Certificate Authority! Yes, completely free! A lot of companies have made a ton of money simply by acting as a Trusted Certificate Authority (CA) and selling their certificates to websites, servers, applications, etc., in order to encrypt traffic between the user (browser) and the website (web server). Browsers have a certain set number of root CA certificates pre-installed and “trust” a website that has a certificate “signed” by one of those CAs. Well, Let’s Encrypt, a non-profit organization, is doing this for free. And yes, they ARE a trusted CA pre-installed in most popular browsers (Safari, Firefox, IE, Chrome, and more).

So does this mean other CAs will run out of business? Not really, but it will slowly affect them, probably bringing down prices, better offers, etc. Competition is a great thing!

The 3 shortcomings of Let’s Encrypt are:

  1. Only 90 day certificates are issued, not 1 year like the other paid ones.
  2. They only issue web server certificates.
  3. They validate by domain validation (DV) only.

There are many levels of validation; Let’s Encrypt only makes sure that the domain is valid (which is easy and instant, as you can create TXT entries in your DNS to verify that you own the domain).

  • They do not take it a step further with Extended Validation (EV), validating the physical location, legal status, rights, etc. of the organization.
  • They also don’t issue wildcard certificates (like *.domain.com) or multiple domains in a single cert. But that’s not a big deal: they validate the top level domain, plus you can have up to 10 subdomains in the Subject Alternative Name (SAN) field of the certificate. Plus you can issue more certificates separately if you have more than 10 subdomains.
  • Certificate validity is only 90 days, but with some simple automation it renews itself indefinitely!

That being said, it’s a great option for websites if you’re on a tight budget or want to support such initiatives.

Hey, I’m all for free stuff!

Their Getting Started setup guide is relatively simple and straightforward, covering different scenarios, so I’ll leave the procedure to them; I’m not going to recreate their site. I’ll just give you a short rundown of what I did with THIS website.

1. Log in to Apache and install the certificate

I host my website on Google Cloud, so I can SSH into the Apache server and download and set up the certificate.

sudo apt-get install python-certbot-apache -t jessie-backports

Issue the cert and follow the interactive prompts for your domain name and SAN, etc:

certbot --apache

Test the auto renewal:

certbot renew --dry-run

For some reason, my auto renewal gave me errors. It was because the certificate got installed in a sub-directory rather than the root directory. But the following WordPress plugin made it real easy!

2. Install WordPress plugin

If your CMS is WordPress, then WP Encrypt is a useful plugin for Let’s Encrypt certificates. In a nice and simple GUI screen, it shows you the location of your public and private certificate, org name, auto-renewal checkbox, etc.

There’s not much more to do! Enjoy the lock logo; it not only makes your website look more authentic but also protects transactions from prying eyes.

3. Post Installation

Most people will tell you that you’re done. But from doing this on many websites, there’s often a few more steps.

Redirecting to HTTPS

If someone browses to the non-encrypted http link of your site, that’s what they get. And if you have older links, they will not automatically get redirected unless you modify a setting in your Apache server.

/opt/bitnami/apache2/conf/[your path]/httpd.conf

<VirtualHost _default_:80>
 RewriteEngine On
 RewriteCond %{HTTPS} !=on
 RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
 ...
</VirtualHost>
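As an added example (not part of the original post): the rewrite rule above uses the `R` flag with no status code, which Apache treats as a 302 temporary redirect; `[R=301,L]` makes it permanent so browsers remember it. After restarting Apache, a quick way to confirm the redirect is to capture the response head with `curl -sI http://www.ipconfigz.com/about/` and run it through a small checker like the one below. The responses in the block are constructed samples (not captured from the site), and `check_redirect`, `hsts_max_age` and the `SAMPLE_*` names are mine; the HSTS check only makes sense on the https response, since browsers ignore that header over plain http.

```python
from urllib.parse import urlsplit

# Constructed sample responses, in the form `curl -sI` prints them.
# SAMPLE_PERMANENT is what `RewriteRule ... [R=301,L]` produces.
SAMPLE_PERMANENT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.ipconfigz.com/about/\r\n"
    "Content-Length: 0\r\n\r\n"
)
# SAMPLE_TEMPORARY is what the plain `[R,L]` in the vhost above produces (R defaults to 302).
SAMPLE_TEMPORARY = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.ipconfigz.com/about/\r\n\r\n"
)
# SAMPLE_NO_REDIRECT is a server still serving the page in the clear on port 80.
SAMPLE_NO_REDIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# SAMPLE_HTTPS is a response from the https side that carries an HSTS header.
SAMPLE_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
)


def parse_head(raw: str):
    """Split a captured response head into (status code, {lower-case header name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw: str, expected_host: str) -> dict:
    """Check that a response to an http:// request sends the visitor to https:// on the same host."""
    status, headers = parse_head(raw)
    location = headers.get("location", "")
    target = urlsplit(location)
    problems = []
    if status not in (301, 302, 307, 308):
        problems.append(f"no redirect (status {status})")
    elif target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    else:
        if status not in (301, 308):
            problems.append(f"redirect is temporary ({status}); use R=301 so browsers remember it")
        if target.hostname != expected_host:
            problems.append(f"redirect leaves the site: {target.hostname}")
    return {"status": status, "location": location, "ok": not problems, "problems": problems}


def hsts_max_age(raw: str):
    """Return the max-age of the Strict-Transport-Security header, or None if it is absent."""
    _, headers = parse_head(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return None


if __name__ == "__main__":
    for label, sample in [("301", SAMPLE_PERMANENT), ("302", SAMPLE_TEMPORARY), ("200", SAMPLE_NO_REDIRECT)]:
        print(label, check_redirect(sample, "www.ipconfigz.com"))
    print("HSTS max-age on https side:", hsts_max_age(SAMPLE_HTTPS))
```

Run it against your own capture by pasting the `curl -sI` output into a string and calling `check_redirect(output, "www.yourdomain.com")`; an empty `problems` list means the port 80 side is doing its job.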

Sometimes you cannot change the base URL in the WordPress interface. But you can do so in Linux by editing the wp-config file to set your base URL to https.

(Replace links and paths with your own)
sudo nano /opt/apps/wordpress/htdocs/wp-config.php

define('WP_SITEURL', 'https://www.ipconfigz.com/');
define('WP_HOME', 'https://www.ipconfigz.com/');

Ctrl+O
Ctrl+X

Restart Apache

sudo /opt/ctlscript.sh restart apache

Manually Changing Website links from http to https

When browsing through the site, Firefox will often give a mixed content error: the page is https but the images inside it link to http content. Unfortunately, WordPress hard codes the image links in its MySQL database. A simple WordPress plugin can find and replace all http links with https. You can follow the simple procedure from this post.
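Added example, not from the original post or from any plugin it mentions: a small Python script that does the two things such a find-and-replace plugin has to get right. `find_mixed_content` lists the http:// sub-resources (images, scripts, stylesheets, frames) in a page, which is exactly what triggers the browser's mixed content warning; plain `<a href>` links are left alone because navigating to an http page is not mixed content. `replace_url` rewrites a stored value, and here is the caveat: WordPress keeps many options and post meta as PHP-serialized arrays, where every string carries its byte length (`s:25:"http://...";`). A naive search and replace that turns `http://` into `https://` leaves the old length in place and PHP then fails to unserialize the value, which is why `serialized_lengths_ok` is included. The sample HTML and the serialized option value are constructed, and all function names are my own.

```python
import re

# Tags whose src/href the browser fetches while rendering the page. An http:// URL in
# one of these on an https page is what produces the mixed content warning.
_RESOURCE = re.compile(
    r"""<(?:img|script|link|iframe|source|video|audio)\b[^>]*?\s(?:src|href)\s*=\s*["'](?P<url>http://[^"']+)["']""",
    re.IGNORECASE,
)

# PHP serialized strings: s:<byte length>:"<bytes>";  (constructed helpers, not WordPress code)
_SERIALIZED_STRING = re.compile(rb's:(\d+):"')
_LOOKS_SERIALIZED = re.compile(r'^(?:a:\d+:\{|O:\d+:"|s:\d+:")')

# Constructed sample page and constructed sample option value (a serialized array of two entries).
SAMPLE_HTML = """<img src="http://www.ipconfigz.com/wp-content/uploads/logo.png">
<a href="http://www.ipconfigz.com/about/">About</a>
<script src='http://www.ipconfigz.com/wp-includes/js/jquery.js'></script>
<link rel="stylesheet" href="https://www.ipconfigz.com/style.css">"""
SAMPLE_OPTION = 'a:2:{s:4:"home";s:25:"http://www.ipconfigz.com/";s:3:"cdn";i:1;}'


def find_mixed_content(html: str) -> list:
    """Return every http:// sub-resource URL the page would load."""
    return [m.group("url") for m in _RESOURCE.finditer(html)]


def rewrite_mixed_content(html: str) -> str:
    """Rewrite only the flagged sub-resource URLs to https://, leaving hyperlinks untouched."""
    def fix(m):
        whole = m.group(0)
        offset = m.start("url") - m.start()
        return whole[:offset] + "https://" + whole[offset + len("http://"):]
    return _RESOURCE.sub(fix, html)


def serialized_lengths_ok(value: str) -> bool:
    """True when every s:<len>:"..." length matches its body, which is what unserialize() checks."""
    data = value.encode("utf-8")
    pos = 0
    while True:
        m = _SERIALIZED_STRING.search(data, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        pos = end + 2


def replace_in_serialized(value: str, old: str, new: str) -> str:
    """Replace old with new inside each serialized string and recompute its byte length."""
    if not serialized_lengths_ok(value):
        return value  # already malformed: refuse to touch it rather than corrupt it further
    data = value.encode("utf-8")
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    out = bytearray()
    pos = 0
    while True:
        m = _SERIALIZED_STRING.search(data, pos)
        if m is None:
            out += data[pos:]
            return out.decode("utf-8")
        start, length = m.end(), int(m.group(1))
        body = data[start:start + length].replace(old_b, new_b)
        out += data[pos:m.start()] + b's:%d:"' % len(body) + body + b'";'
        pos = start + length + 2  # skip the original body and its closing ";


def replace_url(value: str, old: str, new: str) -> str:
    """Replace old with new in a WordPress option/meta value, serialized or plain."""
    if _LOOKS_SERIALIZED.match(value):
        return replace_in_serialized(value, old, new)
    return value.replace(old, new)


if __name__ == "__main__":
    print("mixed content:", find_mixed_content(SAMPLE_HTML))
    print("naive replace is valid PHP?", serialized_lengths_ok(SAMPLE_OPTION.replace("http://", "https://")))
    print("safe replace:", replace_url(SAMPLE_OPTION, "http://www.ipconfigz.com", "https://www.ipconfigz.com"))
```

Against the real database you would run `replace_url` over the `option_value` and `meta_value` columns (after taking a backup) instead of a raw SQL `REPLACE()`, precisely because `REPLACE()` cannot fix the serialized lengths.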