The Trouble with Let’s Encrypt

SSL certificates all perform the same task, but they aren’t all equal in quality. Let’s Encrypt issues certificates that are free of cost and easy to install, with the aim of making secure Web connections as universal as possible. The downside of this approach is that its certificates don’t offer much confidence in their authenticity. At OrangeWebsite, we’ve decided not to accept them on our shared hosting, though you can use them on a VPS or dedicated server. We’d like to let you know our reasons.

Not all SSL certificates are the same

Having an SSL certificate provides an encrypted connection between a browser and a Web server. The protocol family that supports this is widely known as SSL, but current versions are more properly called TLS. Connecting by TLS guarantees that the server belongs to the owner of the certificate. A certificate authority (CA) digitally signs the certificate, indicating it has confirmed its authenticity.

Anyone can create a self-signed certificate. It will enable encrypted connections, but without a CA’s signature, there’s no guarantee that the site owner is who it claims to be. Browsers warn users against trusting self-signed certificates.

Let’s Encrypt acts as a “free, automated, and open certificate authority.” It allows anyone to set up a secure website at no cost and with little effort. This is good, but prominent figures in the tech industry have expressed serious concerns about its certificates.

The process for setting up a certificate is simple. A couple of commands on a Linux server will do the whole job. The problem is with the level of authentication provided. The only validation is that the applicant for the certificate controls the domain it’s issued to. If you’re getting a certificate for example.com, you have to register it from example.com. There’s no checking who you are. This type is known as a “domain validated” certificate. Let’s Encrypt isn’t the only CA to issue domain validated certificates, but it’s the only one that doesn’t charge anything for them.

Certificates and trust

Just having an SSL certificate, especially one that’s only domain validated, doesn’t make a site trustworthy. It could be a near-lookalike for a well-known domain (e.g., micros0ft.com). Let’s Encrypt has reportedly issued over 14,000 certificates to domains that impersonate PayPal.
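
A site owner can watch for such lookalikes in the hostnames that certificates are issued to. The sketch below is an added example, not OrangeWebsite's or Let's Encrypt's code; the substitution map, the brand list and the sample hostnames are constructed assumptions, and internationalized (punycode) names are not handled.

```python
import re

# Constructed, deliberately small map of digit-for-letter swaps seen in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def skeleton(label):
    """Fold common substitutions so 'micros0ft' and 'microsoft' compare equal."""
    folded = label.lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z]", "", folded)  # drop hyphens and leftover digits

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_hostname(hostname, brands):
    """Return (reason, brand) if hostname imitates a protected domain, else None.

    brands holds registrable domains whose first label is letters only,
    e.g. 'paypal.com' (an assumption of this sketch).
    """
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    # The brand's own domain and its subdomains are legitimate.
    if any(host == b or host.endswith("." + b) for b in brands):
        return None
    for brand in brands:
        name = brand.split(".")[0]
        for label in host.split("."):
            folded = skeleton(label)
            if folded == name:
                return ("folds-to-brand", brand)   # micros0ft -> microsoft
            if name in folded:
                return ("embeds-brand", brand)     # paypal-secure.example.net
            if len(name) >= 5 and edit_distance(folded, name) <= 1:
                return ("near-miss", brand)        # one typo away
    return None

def scan(hostnames, brands):
    """Keep only the hostnames that need a human look."""
    hits = []
    for h in hostnames:
        verdict = check_hostname(h, brands)
        if verdict:
            hits.append((h,) + verdict)
    return hits

BRANDS = ("microsoft.com", "paypal.com")
# Constructed sample of certificate hostnames.
SAMPLE = ["login.microsoft.com", "micros0ft.com", "paypal-secure.example.net",
          "microsft.com", "*.paypal.com", "example.org"]

if __name__ == "__main__":
    for row in scan(SAMPLE, BRANDS):
        print(row)
```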

Some domains allow users control of subdomains (e.g., mydomain.example.com). They can obtain certificates for their subdomains. This can give the impression of approval by a well-known site. The subdomain may redirect to a different domain, on an independent server which the primary domain has no control over.

The most trustworthy SSL certificates are EV certificates. EV stands for “extended validation” and signifies that the CA has met certain standards for checking the applicant’s identity. It has checked and confirmed that the applying organization legally exists and is who it claims to be. Browsers generally indicate an EV certificate with a green symbol, such as a padlock.

Unfortunately, most people don’t recognize the nuances. If they see a padlock, they’re likely to assume the site is trustworthy. Since Let’s Encrypt doesn’t even require a payment method, its bar to registering a certificate is very low. It plans to check the Google Safe Browsing API for known phishing or malware sites, but that’s about the extent of its checking. There have been confirmed reports of malvertisers using its certificates. When certificates are free, it’s easy to set them up with throwaway domains.

We hope that in time, Internet users will better understand the difference between a secure site and a legitimate one. When the large majority of sites display a padlock in the address bar, browsers will need to make a clearer distinction among the levels of validation. Eventually they may warn users about sites whose certificates are only domain validated. If a browser did that today, though, it would have to issue a constant stream of warnings.

For the present, it’s a good habit to click on the padlock symbol of a secure site if there’s any doubt about it. The browser should give information about the site’s level of validation and its owner of record. Some browsers, though, will say nothing more than “This site is secure.”
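
What the padlock dialog reports can also be read straight from the certificate. The following added example (not code from this article or from any browser) classifies a certificate in the dictionary form returned by Python's `ssl` module; the classification by subject fields is a heuristic, and the sample certificates are constructed.

```python
import socket
import ssl

# Older OpenSSL builds report the EV jurisdiction field by its numeric OID.
EV_JURISDICTION = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

def fetch_cert(host, port=443, timeout=5):
    """Fetch and verify a live certificate (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def flatten(rdns):
    """Turn the nested name tuples from getpeercert() into a flat dict."""
    fields = {}
    for rdn in rdns:
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields

def validation_level(cert):
    """Heuristic: DV names no organization, OV names one, EV adds registration data.

    The authoritative marker is the certificate policy OID, which
    getpeercert() does not expose, so subject fields are used instead.
    """
    subject = flatten(cert.get("subject", ()))
    org = subject.get("organizationName")
    has_ev_fields = ("businessCategory" in subject and "serialNumber" in subject
                     and bool(EV_JURISDICTION & subject.keys()))
    if org and has_ev_fields:
        return ("EV", org)
    if org:
        return ("OV", org)
    return ("DV", None)

def describe(cert):
    """One line comparable to what a browser's padlock dialog shows."""
    level, org = validation_level(cert)
    name = flatten(cert.get("subject", ())).get("commonName", "?")
    issuer = flatten(cert.get("issuer", ())).get("organizationName", "?")
    return f"{name}: {level}, owner of record: {org or 'not stated'}, issuer: {issuer}"

# Constructed samples in getpeercert() format.
ISSUER = ((("countryName", "US"),), (("organizationName", "Example CA"),))
DV_CERT = {"subject": ((("commonName", "shop.example.com"),),), "issuer": ISSUER}
OV_CERT = {"subject": ((("countryName", "IS"),),
                       (("organizationName", "Example Widgets Ltd"),),
                       (("commonName", "www.example.org"),)), "issuer": ISSUER}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("1.3.6.1.4.1.311.60.2.1.3", "US"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Bank Inc"),),
                       (("commonName", "bank.example.net"),)), "issuer": ISSUER}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```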

Openness and trust

Let’s Encrypt has explained its policy. It argues that a CA is in a poor position to police a site’s content. It’s difficult to determine if a site is clean, and harder to check if it stays clean. The primary aim of the project is to make as much of the Web as possible use TLS. That will inevitably include rogue websites. These sites exist anyway; the only difference is that some people may trust them more when they see the padlock symbol.

Any issuer of domain validated certificates faces this risk, and even the EV level isn’t completely safe against malicious sites. A signed certificate isn’t and can’t be proof of trustworthiness. Let’s Encrypt doesn’t want to take on the role of a censor, and we appreciate that. At the same time, we don’t want to give dishonest websites the appearance of legitimacy if we can avoid it.

We offer several options for purchasing SSL certificates. The lowest priced ones are domain validated, but the annual fee will discourage acquiring certificates for throwaway domains. For a better level of validation, we offer the Comodo InstantSSL certificate with business-level validation. The best validation comes with our Comodo EV certificates, either for a single domain or for multiple domains sharing the same IP address.

Balancing trust and openness can require some difficult tradeoffs. One of our chief goals is to enable free expression, but we don’t want to be a magnet for deceptive and dangerous sites. We hope you understand the reasons for our choice. Feel free to contact us with any questions.

What Is a 403 Error?

Every response on the Web comes with an HTTP status code. Users don’t see most of them on their browsers. The browser just uses them to do its work. The most common one, 200, says that the request succeeded. Others indicate redirection to another URL, a software error, or a problem delivering the requested content.

The last category — that the server can’t or won’t deliver what was requested — uses numbers starting with 4, and those often are visible on the browser. Everyone has run into code 404, “not found.” It comes back when the user enters the wrong URL, or when the page it used to serve is no longer available.

Code 403, meaning “forbidden,” isn’t as common, but most regular Web users have seen it. The World Wide Web Consortium’s official description is “The server understood the request, but is refusing to fulfill it.” It generally means that the content exists but isn’t available to the user.

Sometimes this code indicates a bug on the server side. If OrangeWebsite hosts your content, we’ll help you to make sure your audience doesn’t get it by mistake.

Causes of 403 responses

A request can get a 403 response for several reasons. Some are legitimate rejections of the request, but others may indicate errors in setting up the server. Legitimate refusals can be for these reasons:

  • The content is private, and the viewer isn’t logged in as its owner.
  • The content is restricted to a set of authenticated users.
  • The IP address in the request is prohibited. This can happen if the client is listed as a malicious site, or if the content is geographically restricted.
  • The IP address is temporarily blocked, for reasons such as too many failed login attempts.
  • Security software has flagged the request as malicious. For instance, its data might look like an SQL injection attempt.

A 403 response can result from a mistake in setting up the server:

  • There is no default file that manages the site’s configuration. This will happen if the user enters a request like http://example.com/ and there is no file with the name index.html or another name which the server configuration recognizes as a default. The site configuration may allow directory listing, in which case the user will see a list of files instead. This option is a bad idea for both user-friendliness and security. The directory should have a default file.
  • File permissions aren’t set up correctly. This often happens when the owner of a file is different from the user the Web server runs as. For instance, if a file belongs to “admin” and is readable only by its owner, and the server runs as “apache,” it won’t be able to read the file and will return a 403 error.
  • A bug or configuration error is making security software refuse legitimate requests.
  • The .htaccess file, which controls the requests the server accepts, contains errors. A defective .htaccess file might block all requests or allow ones that shouldn’t be allowed.

Another possibility is that the user’s employer or ISP is blocking the request. Some countries mandate blocking on a nationwide scale. The blocking node returns a 403 code without passing the request on to the server.

What to do

A legitimate 403 response is no problem, but if users are getting them when they shouldn’t, it’s necessary to fix the issue. This checklist will let the administrator fix many problems:

  • Make sure the account that the server runs under has all necessary file permissions. The simplest way to do this is to have the content files belong to the same account. Alternatively, the files can belong to another user in the same group and be set as group-readable.
  • Review the .htaccess file to make sure it does what is intended and doesn’t have syntax errors.
  • Check that any security configuration software (e.g., mod_security) has the correct rules and isn’t excessively strict.
  • If only certain users are getting 403 responses, try to find out if the site is on a blacklist.
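
The file-permission item in this checklist can be checked mechanically. The script below is an added example, not an OrangeWebsite tool: it walks from the document root to the requested file and reports the first component the server account cannot pass. The function names are hypothetical, and ACLs, SELinux and the Web server's own configuration are not considered.

```python
import os
import stat

def allowed(st, uid, gids, want):
    """POSIX mode check: choose the owner, group or other triplet, then test the bit."""
    if uid == 0:
        return True  # root bypasses read and search checks
    if st.st_uid == uid:
        triplet = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        triplet = (st.st_mode >> 3) & 7
    else:
        triplet = st.st_mode & 7
    return triplet & want == want

def first_blocker(docroot, relpath, uid, gids):
    """Return (path, reason) for the first component that would cause a 403, else None.

    uid and gids describe the account the Web server runs as. Directories
    need search (x) permission; the final file needs read (r) permission.
    """
    parts = [p for p in relpath.split("/") if p]
    current = docroot
    for i in range(len(parts) + 1):
        st = os.stat(current)
        is_last = i == len(parts)
        if is_last and not stat.S_ISDIR(st.st_mode):
            if not allowed(st, uid, gids, 4):
                return (current, "no read (r) permission")
        elif not allowed(st, uid, gids, 1):
            return (current, "no search (x) permission")
        if not is_last:
            current = os.path.join(current, parts[i])
    return None

if __name__ == "__main__":
    import sys
    import pwd
    # Usage: script.py <account> <docroot> <relative/path>
    account = pwd.getpwnam(sys.argv[1])
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    print(first_blocker(sys.argv[2], sys.argv[3], account.pw_uid, groups) or "readable")
```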

Related status codes

The 403 response has a different meaning from other codes in the 400 and 500 series. Websites don’t always use the right code, and sometimes it’s unclear which one should be used. These are some that might appear:

  • 401 (unauthorized): The site is asking the user to present credentials, such as a password, before it will make the content available. This is different from a request to log in to the site.
  • 404 (not found): A site may use this when it doesn’t want unauthorized users even to know it’s a valid URL. Giving a 403 response tells the user that something resides there, and sometimes that’s more information than they want to give.
  • 406 (not acceptable): The content is available, but the request insisted on receiving it in a form (e.g., a certain encoding) which the server can’t deliver.
  • 410 (gone): The content is no longer available. This is rare; most sites use 404 in this situation.
  • 451 (unavailable for legal reasons): This code is an IETF proposed standard. You may see it for legally blocked content as an alternative to 403. It could indicate regional blocking for copyright reasons or prohibition by a government. The number is a play on Ray Bradbury’s novel about book-burning, Fahrenheit 451.
  • 500 (internal server error): This usually indicates an uncaught error in the software running on the server.
  • 503 (service unavailable): A server may return this when it’s down for maintenance or overloaded. The resource will be available at a later time.

We can help

If your site is hosted on OrangeWebsite, we’re ready to help you fix mysterious 403 errors and other problems. Our service is second to none, with an average ticket response time of just fifteen minutes. Signing up for site hosting is simple and quick, and we don’t believe in censorship. As long as your content complies with our terms of service and Iceland’s laws, it won’t be “forbidden.”

What Can We Learn from the Cloudflare Leak?

Cloudflare calls itself the “web performance and security company,” so it was a serious blow to its reputation when researchers discovered that it had a security bug that made sites’ data visible on other sites. What was really disturbing was that supposedly secure data from HTTPS requests leaked out this way. Passwords, session cookies, credit card information, and other sensitive data simply showed up in random places.

Google researcher Tavis Ormandy discovered this problem on February 17, and tech media have attached the name “Cloudbleed” to it. Cloudflare provides services to millions of websites, and any of them could have suffered a loss of confidential data. Many of them have urged users to change their passwords. The risk to any individual is low, but the effect was so widespread that personal data could have been stolen from a significant number of people.

Cloudflare has fixed the bug, but the leaked data could still be lurking in the caches of search engines and edge servers, and data thieves now know to look for it.

Cloudflare’s incident report explains that the problem stemmed from a buffer overrun bug. For efficiency reasons, low-level system software is often written in programming languages, such as C, which don’t automatically guard against accessing memory structures outside their limits. An HTML parser had a bug of this type, resulting in its picking up data from whatever was past the end of a memory buffer. It could be anything, and sometimes it was private data from another website.

The risk in third-party services

Any website can have bugs in its software that open security holes. That’s one reason HTTPS connections aren’t 100% secure. Old versions of SSL (TLS) have problems. The “Heartbleed” bug in older versions of the widely used OpenSSL software showed it was possible to exploit the weaknesses. The latest version fixes the problem, but there’s no guarantee that it’s completely bug-free. Many websites still use old versions of OpenSSL, with known weaknesses.

When a site uses a third-party service such as a caching proxy or a content delivery network, it can gain or lose security. A top-quality CDN has better security measures than most do-it-yourself sites, and it filters requests to the sites’ servers. It can absorb DDoS attacks that would kill a one-machine server. Cloudflare features a web application firewall (WAF) that protects sites at the application level from many kinds of attacks.

This comes at a price, though.

To get the full range of services from Cloudflare, a website has to hand over its most precious secret: its private SSL key. Without that datum, Cloudflare couldn’t do anything with HTTPS requests and responses but pass them through. It wouldn’t be able to see anything except what server and port number they were going to.

The fact that the breach included HTTPS data underscores this issue. If Cloudflare didn’t have sites’ private keys, it could never have leaked passwords that were properly sent through HTTPS. By the same token, it couldn’t have provided a useful WAF to protect servers that use secure communication. Sharing a private key with a CDN creates a potential risk, even if there’s an overall gain in security.

Vulnerability to governments

However, giving a CDN a site’s private key opens up one serious hole, which no software can guard against. A government can demand it, compel the CDN to stay silent, and have access to all of the site’s SSL transactions. Government agents can spy on it indefinitely, and the site’s owners won’t have a clue that it’s happening.

In the United States, a National Security Letter can accomplish this. Anyone who receives one isn’t allowed to say anything about it or challenge it in an open court hearing. The Electronic Frontier Foundation has called the power to issue them “one of the most frightening and invasive” surveillance powers created by the PATRIOT Act.

Cloudflare has received at least two NSLs and possibly more. The FBI could have compelled it to turn over customers’ private keys and not tell them. In a similar case, the FBI tried to compel Lavabit, a confidential email service, to turn over keys that would give it access to every user’s private mail, even though it was after only Edward Snowden. Founder Ladar Levison was under a gag order not to disclose this until recently.

Other countries have similar or worse issues. The UK’s Investigatory Powers Act gives law enforcement the authority to make telecommunication companies break their encryption. They would be under a compulsion of secrecy comparable to a National Security Letter. In the truly authoritarian states, the situation is even worse, with privacy being virtually non-existent.

How many websites do governments have access to, without their knowledge, because CDNs had to give up their private keys? There’s no way to know.

The OrangeWebsite Difference

At OrangeWebsite we take your privacy seriously. We don’t share our private keys, or yours, with third-party services. Government agencies in North America or Europe can’t demand anything from us. We maintain state-of-the-art server security, performing regular security audits and keeping system software up to date. Optional two-factor authentication is available.

Nomad Capitalist has called Iceland the best host country for data privacy. The Icelandic Modern Media Initiative, passed by our Parliament in 2010, commits the country to freedom of information and expression. We allow anonymous registration, so that even torture or telepathy wouldn’t get us to disclose your identity. Contact us to learn how to set up a secure, censorship-free website.

The Ultimate How-to Guide for Domain Registration

Ultimate Guide on How to register a domain.

Your domain name is one of the most important aspects of your web presence. It exudes the essence of your brand, expresses who you are through your email and website address, and is among the first impressions you give to prospective customers.

In addition to choosing the right domain name that represents your company (or new project), it’s important to have a general understanding of how domains work and ways you can manage them to your business advantage. Actions like parking a domain, for example, may prove useful for a new marketing campaign you’re implementing. The goal in this guide is to highlight these actions and provide how-to steps to domain registration and management.

How to Register a Domain:

If you’ve thought of the domain name for your website, registering your domain is a breeze. As a client, you can simply register your domain here with OrangeWebsite and begin managing your domains under one account. The major advantages of having your domain with us are that we give you extended privacy and low online censorship. We also offer advanced security options, ensuring that your prices always stay the same.

As long as your website isn’t currently being used, you’re safe to secure your domain. In this process, you’ll choose the domain extension, whether it’s .com, .net, .org, etc. The most common, of course, is .com, but it’s best to select the extension that’s most congruent with your website’s purpose. Your domain registration lasts one year until renewal unless you’ve elected to pay for multiple years.

Prior to securing your domain name, here are some dos and don’ts to consider when choosing your site’s name:

  • Include a location or keywords in your domain name, if applicable and possible, to help boost SEO
  • Abstain from using dashes, abbreviations or numbers in your domain. You want to make it easy for your audience to remember
  • Be sure that you’re named as the owner of the domain, not your marketing agency or personnel

How to Transfer a Domain:

On occasion, some business owners choose to transfer their domain name to us. The following illustrate a few reasons why brands opt to transfer domains:

  • Your hosting provider (us) is also a domain registrar company and provides better features when you put both services under one umbrella
  • It’s cost-efficient, meaning, you’ve found a company that’s offering a lower price than your renewal rate
  • You’ve experienced various issues (support and/or technical) and are ready to make a much-needed change
  • With OrangeWebsite, you’ll get a FREE one-year extension included when you transfer your domain to us!

Transferring your domain is not an overnight process.  It can take several days to complete and can only occur after you’ve registered your domain for 60 days.

Here are the steps to transferring your domain:

Complete these actions with your current registrar first

  • Confirm that the administrator’s contact information is correct since all communications regarding the transfer will be sent to the email address listed
  • Unlock your domain
  • Cancel any Protected or Private Registrations that will prevent the transfer

Unsure how to complete any of these steps?  Locate the helpdesk of your domain provider for step-by-step instructions.

Once you’ve finished the steps, you can easily start the transfer of your domain over to OrangeWebsite. Be sure to check your email, as you’ll receive confirmation of the transfer along with the final steps necessary to finalize the process.

How to Park a Domain:

Parked domains are used when a business wants more than one web address for advertising reasons. These additional domains display the same website and its content as your primary domain. Similar to mask forwarding, the address bar will still show the parked domain website address.

This feature is accessible on our VPS Hosting Service and above. Here’s how you would add a parked domain to your account:

  1. Log into cPanel
  2. In the Domains section, click the Parked Domains icon
  3. Under Create a New Parked Domain, enter the domain name you would like to park on top of your primary domain
  4. Click Add Domain

How to Buy a Domain:

Purchasing new domains is as simple as logging into your account and researching to see if your desired domain name is available.

How to Renew a Domain:

Prior to your renewal date, you’ll begin receiving reminder emails that your domain is set to expire. If you have it set for automatic renewal, your credit card will be charged on the date and you’re active for another year.

If you fail to renew on the scheduled date, your domain enters redemption or a 30-day grace period as a final chance to maintain your domain.  After the redemption period, the domain will officially expire and be placed back into the market for sale.

How to Sell a Domain:

Perhaps you’ve bought domain names that you never used, or there are ones sitting around going unused because they no longer serve your business. You can sell these domains back into the marketplace to recoup some (or all) of your costs.

Consider these key pointers if you plan to put your domains up for sale:

  1. Keep in mind that it’s harder to sell names no one has heard of. Short, basic, relatable and common domain names tend to have higher value
  2. Determine your domain’s value by taking into account traffic, top level domains, and name length (again, shorter is better)
  3. Be realistic about your price. Don’t overprice, which can result in missed selling opportunities
  4. List your domain with a selling service.  Popular ones include Flippa, eBay, and Sedo

What other questions do you have regarding domain registration and management? Contact us here or leave us a buzz in the comments below.