SSL installation

Hi!

I installed a Discourse-ready VPS on DigitalOcean. My website works on HTTPS. Free Let’s Encrypt SSL, I guess. Is it really safe? I also bought Comodo SSL. When I want to create a certificate in the Comodo panel, it asks me for my CSR code. How can I create a CSR? Or am I doing something wrong? This is the first time I am doing this. Please direct me.

The SSL generated by Discourse is issued by Let’s Encrypt and it is pretty safe.

However, if you want to set up your own SSL certificate, follow these instructions:

2 Likes

There’s no difference from a security perspective between Let’s Encrypt and Comodo. The encryption supported is the same. The only difference is that one is free and automatic, the other costs money and must be renewed manually. Unless you have a really, really good reason to need a paid cert, stick with Let’s Encrypt and save yourself the headache (and some money).

5 Likes

Let’s Encrypt forever? Or do I need to do something else annually, like renewing?

3 Likes

It renews automatically every three months. It’s free. And works.

5 Likes

There’s no reason to buy certificates for your discourse installation.

3 Likes

A certificate is a certificate*, and Comodo has been pretty well established as a bad actor in this field due to their nonstop FUD against Let’s Encrypt (to the extent of using their own web browser to mark sites using Let’s Encrypt certs as “not secure”, or attempting to trademark Let’s Encrypt themselves). The certificate doesn’t dictate the kind or strength of the encryption used. Bottom line, use the cert from Let’s Encrypt; there’s simply no need for anything else.

*Well, mostly. Certs can be DV (domain validation), OV (organization validation), or EV (extended validation), differing in what they validate (and, naturally, the cost). A DV cert validates that it does in fact belong to the domain it names. An OV cert validates that it belongs to the organization it names (though nothing shows you this in a browser unless you drill down to the certificate details). An EV cert does the same thing as an OV cert, only more so–and historically has given the “green bar” in the browser, though that’s going away shortly. No variety of cert validates that its owner is a “good guy,” and there’s absolutely no difference in encryption levels among them.

4 Likes

Let’s Encrypt effectively achieves this, by validating the DNS name at enrollment.

Chrome 77 removed the green bar, for reference we’re currently on 78.x in release and 79.x in beta.

2 Likes

Hence my saying “historically.” It’s gone away in Chrome, but it’s still there in Firefox and IE (the only others I can readily test at the moment).

1 Like

It’s gone from the address bar in Firefox 70 too, which landed last month. It’s also gone from Safari.

I’m not sure IE counts as a browser any more, with a market share of 1.98% as of October of 2019.

I think we can confirm EV as stone dead at this point.

1 Like

What about Microsoft Edge?

2.05%, so less than the preinstalled browser Samsung ships on their Galaxy phones (3.29%).

Its market share is on par with Internet Explorer? Would that make it not really count as a browser any more too?

Hence Microsoft moving Edge over to Chromium on January 15th 2020.

1 Like

Ah, yes. We’ll have to see how that goes.

Agreed. It will be interesting (and alternately amusing and frustrating, no doubt) to see what other selling points the CAs come up with to try to sell them, though.

EV arrived at a time when PKI wasn’t well understood, SSL was seen as “e-commerce only” and phishing was seeing a sharp uptick.

I appreciated the idea of adding trust; it was really the CAs who screwed it up.

Let’s Encrypt is a huge threat to these guys, for all the right reasons.

3 Likes