Adding SSL to website

Hi all, my missus wants to add SSL to her website as it was hacked via the WordPress blog last week and redirected to a dodgy pharmaceutical site. After getting it fixed and removing the WordPress blog function, the web developer advised it needs SSL, and so far he has sunk 10 hours in and achieved nothing that we can see; it is no further forward.

We have now been given the below options by him:

1 > Upgrade the hosting to have cPanel installed, but in doing that the connection strings to the database will change, and this will cause the website to fail when submitting quotes.

2 > Transfer the website + Databases to his other hosting account, but in doing so, he will need to work through the complete website updating all PHP code and database connection strings.

Can anyone comment on the plausibility of the above? How difficult would adding SSL to the website www.kennankay.co.uk be?

Can anyone also recommend a good reliable web development company that offer content management and don't look at any changes that need doing on a website as an excuse to rack up as many hours as possible?

Thanks for any help!
 
If the web dev has spent 10 hours trying and failing, fire him and get someone else.

If he was any good he'd know that Let's Encrypt exists and provides free SSL certificates, is supported by a myriad of companies, and is easy to set up for individuals or businesses.

You are correct when you say he's attempting to rack up as many hours as possible for work that will take at most several minutes and can be added to a cron job to be automatically updated come certificate renewal time.
 
If the web dev has spent 10 hours trying and failing, fire him and get someone else.

If he was any good he'd know that Let's Encrypt exists and provides free SSL certificates, is supported by a myriad of companies, and is easy to set up for individuals or businesses.

You are correct when you say he's attempting to rack up as many hours as possible for work that will take at most several minutes and can be added to a cron job to be automatically updated come certificate renewal time.

After Heartbleed I'd be looking at an SSL cert from a credible provider. Also, 10 hours for SSL, just lol. I can't think of a platform where it is more than a 10 to 15 minute job.

Also, to add, your dev is a fool: all the connection strings if you move will be wrong, but a simple SQL "Update/Where" statement and all those connection strings change. Again, a 5 minute job tops. 99% of the code should be simple to update with a script or two.

I've moved more SharePoint/WordPress/Joomla sites than I can remember and total time never tends to be more than an hour start to finish.
 
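The kind of "script or two" the post above has in mind, as an added example that is not from the thread or from any poster. It assumes a stock WordPress install (the thread never says which platform remains after the blog was removed), where the database connection settings sit in wp-config.php as define('DB_HOST', ...) and friends, and the site URLs sit in wp_options. The one caveat a practitioner should know is that some options are PHP-serialized, with a byte-length prefix on every string, so a plain SQL REPLACE() on those rows breaks the length prefix and PHP then fails to unserialize the value; the replacement below recomputes the lengths. All sample data is constructed.

```python
"""
Added example (not from the thread): rewrite a moved WordPress site's
database settings and stored URLs with a script.

Assumptions (not stated in the thread): a stock WordPress install, so the
credentials live in wp-config.php as define('DB_HOST', ...) etc., and URLs
live in wp_options, some inside PHP-serialized values such as
    s:22:"http://www.example.com";
where 22 is the byte length of the string.  A naive REPLACE() changes the
text but not the length, and PHP then silently drops the whole option.
"""
import re

# define('DB_HOST', 'localhost');  -> capture the constant name and its value
_DEFINE = re.compile(
    r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*'([^']*)'\s*\)")

# Start of a PHP serialized string:  s:<byte length>:"
_SER_STR = re.compile(rb's:(\d+):"')


def rewrite_wp_config(config: str, new_values: dict) -> str:
    """Return wp-config.php text with the given DB_* constants replaced."""
    def sub(m):
        key, old = m.group(1), m.group(2)
        return "define('%s', '%s')" % (key, new_values.get(key, old))
    return _DEFINE.sub(sub, config)


def replace_in_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old -> new inside a possibly PHP-serialized byte string,
    recomputing every s:<len>: prefix so the value still unserializes.
    Plain (non-serialized) values fall through to an ordinary replace."""
    out = bytearray()
    pos = 0
    while True:
        m = _SER_STR.search(blob, pos)
        if not m:
            out += blob[pos:].replace(old, new)   # trailing plain text
            return bytes(out)
        length = int(m.group(1))
        start, end = m.end(), m.end() + length   # content byte range
        if blob[end:end + 2] != b'";':
            # Looks like s:N:" but is not a well-formed serialized string.
            out += blob[pos:m.end()].replace(old, new)
            pos = m.end()
            continue
        out += blob[pos:m.start()]               # structural bytes, untouched
        content = blob[start:end].replace(old, new)   # length read, not regex,
        out += b's:%d:"' % len(content) + content + b'";'   # so '";' inside is safe
        pos = end + 2


def rewrite_options(rows, old_url: bytes, new_url: bytes):
    """rows: [(option_name, option_value)] as read from wp_options.
    Returns only the rows whose value changed, ready to feed to
    UPDATE wp_options SET option_value = %s WHERE option_name = %s."""
    changed = []
    for name, value in rows:
        new_value = replace_in_serialized(value, old_url, new_url)
        if new_value != value:
            changed.append((name, new_value))
    return changed


# Constructed sample data, not taken from any real site.
SAMPLE_CONFIG = """define('DB_NAME', 'olddb');
define('DB_USER', 'olduser');
define('DB_PASSWORD', 'oldpass');
define('DB_HOST', 'localhost');
"""
SAMPLE_ROWS = [
    (b"siteurl", b"http://www.example.com"),
    (b"home", b"http://www.example.com"),
    (b"widget_text", b'a:1:{s:4:"home";s:22:"http://www.example.com";}'),
    (b"blog_charset", b"UTF-8"),
]

if __name__ == "__main__":
    print(rewrite_wp_config(SAMPLE_CONFIG,
                            {"DB_HOST": "db.newhost.internal", "DB_NAME": "newdb"}))
    for name, value in rewrite_options(SAMPLE_ROWS, b"http://www.example.com",
                                       b"https://www.example.com"):
        print(name.decode(), value.decode())
```

Run it against a dump of wp_options rather than live tables, diff the changed rows, and only then apply the UPDATEs; the serialized-length handling is the part that a one-line SQL REPLACE gets wrong.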
After Heartbleed I'd be looking at an SSL cert from a credible provider. Also, 10 hours for SSL, just lol. I can't think of a platform where it is more than a 10 to 15 minute job.

Let's Encrypt is credible. Look at its sponsors. The only difference between Let's Encrypt and any other SSL certificate provider is you pay the others to do a job that is easily automated, and for their brand name. Prior to Let's Encrypt I used self-signed certificates and StartSSL for web-facing, because paying for a certificate from a "credible provider" is a mug's game when you can easily do it yourself.
 
Let's Encrypt is credible. Look at its sponsors. The only difference between Let's Encrypt and any other SSL certificate provider is you pay them to do a job that is easily automated, and for their brand name. Prior to Let's Encrypt I used self-signed certificates and StartSSL for web-facing, because paying for a certificate from a "credible provider" is a mug's game when you can easily do it yourself.

Most companies IMO would disagree. £100 for 3 years is hardly big money for a corporate.

I did have a look and it doesn't look half bad, that; mind you, it seems to work on the same premise as OpenSSL, and as somebody who is using them in corporate applications that sometimes run into hundreds of thousands, saving 100 quid every few years is chicken feed. Smaller projects though, I see the appeal.

I think we agree on one thing though, the dev hasn't a clue.
 
That wasn't your point though, was it? Your point was about credibility. What is a credible provider?

I dunno, what do most corporates use? Verisign, probably the biggest and most credible provider, who also provide a level of support and guarantee on their certs. But there are others. Open source and free SSL has its place, but that isn't really in corporates or in fact anybody who can spend a few quid for 100% peace of mind. And yes, that was kinda my point.

Just because a project is sponsored doesn't mean it comes with any cast-iron guarantee. At least if you use a known certification authority you get that guarantee. You may not agree and TBH your view may vary, but I'd spend the money.
 
Not having SSL on a site with contact forms is a bad idea, I think Google penalise you in the search results too.

Before using Let's Encrypt we were using PositiveSSL certs from SSLS.com (https://www.ssls.com/ssl-certificates/comodo-positivessl) which are $3.77/year currently. It's a validated certificate; it did the job fine unless you're running a shop taking credit card payments.

Also FYI, the IP of your domain is 173.201.97.1, which belongs to GoDaddy, so it's probably being hosted on their shared hosting. I'm not an expert, but you might have to be careful storing/transferring EU citizens' data outside the EU due to GDPR too.

I'd probably ditch him and move the site to somewhere like Krystal Hosting / EUKhost; both were very highly rated last time I checked. Both offer free Let's Encrypt support.
 
Find out who the host is and contact them directly regarding adding an SSL certificate: how it's done etc. And even with a web panel backed host (cPanel, Plesk etc.), some require the host to intervene to add/modify certificates; certainly the case with our VPSs from Tsohost, as we don't have root access to the cPanel for the AutoSSL module.

Can anyone also recommend a good reliable web development company that offer content management and don't look at any changes that need doing on a website as an excuse to rack up as many hours as possible?!

That's the business model unfortunately, and you'll be hard pushed (unless it's friends etc.) to find a developer/agency that won't do that; the question is how much you get screwed for when doing (basic) changes.

The only difference...

Depends what type of certificate but even comparing DV certificates, there can be differences in what a charging provider offers over free offerings.

....from a credible provider.

A 'credible' provider doesn't mean it's any more secure; a few have had keys leaked for example. So for a vanilla DV certificate, you can't go wrong with Let's Encrypt. Although it certainly isn't a 'one size fits all' solution by any means.
 
I dunno what do most corporates use? verisign..

Most companies that have a clue will run their own CA.

probably the biggest and most credible provider who also provide a level of support and guarantee on their certs.

That's what you pay for.

But there are others. Open source and free SSL has its place, but that isn't really in corporates or in fact anybody who can spend a few quid for 100% peace of mind. And yes, that was kinda my point.

This is where you're completely wrong. What tools do you think every single certificate authority uses to generate their certificates aside from open source and free SSL tools? Anyone spending a few quid for 100% peace of mind is not a massive company, since any company that has their own network security department would control their own CA and certs across all departments and machines.

Just because a project is sponsored doesn't mean it comes with any cast-iron guarantee. At least if you use a known certification authority you get that guarantee. You may not agree and TBH your view may vary, but I'd spend the money.

Just because you paid for a certificate doesn't mean it's any better than a free certificate generated from a network department with their own CA or an organisation using an open alternative like Let's Encrypt. You might be willing to pay for your certificates, and that's entirely up to you, but it's a complete waste of money if you have at least any inkling into what you're doing.
 
Find out who the host is and contact them directly regarding adding an SSL certificate: how it's done etc. And even with a web panel backed host (cPanel, Plesk etc.), some require the host to intervene to add/modify certificates; certainly the case with our VPSs from Tsohost, as we don't have root access to the cPanel for the AutoSSL module.

That's the business model unfortunately, and you'll be hard pushed (unless it's friends etc.) to find a developer/agency that won't do that; the question is how much you get screwed for when doing (basic) changes.

Depends what type of certificate but even comparing DV certificates, there can be differences in what a charging provider offers over free offerings.

A 'credible' provider doesn't mean it's any more secure; a few have had keys leaked for example. So for a vanilla DV certificate, you can't go wrong with Let's Encrypt. Although it certainly isn't a 'one size fits all' solution by any means.

It's all about the levels of validation and you're right, it's based really on what you need. In reality though they are cheap enough that IMO most of the time, at least for me, it's worth paying a few quid.
 
Most companies that have a clue will run their own CA.

That's what you pay for.

This is where you're completely wrong. What tools do you think every single certificate authority uses to generate their certificates aside from open source and free SSL tools? Anyone spending a few quid for 100% peace of mind is not a massive company, since any company that has their own network security department would control their own CA and certs across all departments and machines.

Just because you paid for a certificate doesn't mean it's any better than a free certificate generated from a network department with their own CA or an organisation using an open alternative like Let's Encrypt. You might be willing to pay for your certificates, and that's entirely up to you, but it's a complete waste of money if you have at least any inkling into what you're doing.

So if I'm completely wrong, which BTW I'm not, explain to me why I run my own CA primarily for email encryption, in particular S/MIME, yet still buy SSL certs from a provider for most of my infrastructure? Again, what validation do these open certs or even locally generated certs go through?
 
So if I'm completely wrong, which BTW I'm not, explain to me why I run my own CA primarily for email encryption, in particular S/MIME, yet still buy SSL certs from a provider for most of my infrastructure? Again, what validation do these open certs or even locally generated certs go through?

Because you're a mug that's content to waste money on certs? I don't know. What validation do your "credible" certs go through that make them any better than open or locally generated certs? I'm really interested to know what your credible certificates offer over Let's Encrypt aside from support...
 
Let's Encrypt is credible. Look at its sponsors. The only difference between Let's Encrypt and any other SSL certificate provider is you pay the others to do a job that is easily automated, and for their brand name. Prior to Let's Encrypt I used self-signed certificates and StartSSL for web-facing, because paying for a certificate from a "credible provider" is a mug's game when you can easily do it yourself.

The other difference with Let's Encrypt is the certificate is only valid for 3 months at a time, but they provide a tool to auto-renew a month before. Been using them since I built my mail server about 4 years ago and no issues at all. Let's Encrypt are a recognised and fully supported company with backing from a lot of major providers.
 
Because you're a mug that's content to waste money on certs? I don't know. What validation do your "credible" certs go through that make them any better than open or locally generated certs? I'm really interested to know what your credible certificates offer over Let's Encrypt aside from support...

Says it all: you don't know, but are willing to sit there calling people mugs. Seeing as you clearly know it all, I shouldn't have to explain it, should I, big man? :rolleyes:
 
On another note, SSL isn't going to stop WordPress from being hacked. SSL is for point-to-point encryption. If you have cPanel it does it all automatically for you. I would move away from WordPress; it's nothing but trouble! Always has been and always will be.

You also need to update your date at the bottom of the webpage as well.

There isn't anything wrong with running non-Let's Encrypt certs. The difference is that one is paid for and one is not, and with Let's Encrypt you usually need to manage it yourself. You also need to renew Let's Encrypt every 3 months, whereas a paid one is usually every year.

I have 3 SSL certs, both by Let's Encrypt, and the one where ocukrogues.ml is hosted is by cPanel and an auto-generating SSL cert.
 
Says it all: you don't know, but are willing to sit there calling people mugs. Seeing as you clearly know it all, I shouldn't have to explain it, should I, big man? :rolleyes:

Or maybe it just boils down to you can't explain it? Seeing as you run your own CA for your email servers, in particular S/MIME, you should have known that there is absolutely no difference between a self-hosted CA and self-signed cert and a paid-for CA other than support. The fact you didn't even know Let's Encrypt existed and is one of the biggest cert providers on the internet means you probably know a lot less about CAs and certs than you're pretending.
 
Let's Encrypt don't just offer out certificates randomly, for the record; you have to pass a challenge in order for them to give you a certificate. This means you must either be in control of the domain to alter the DNS, or in control of the website to be able to write a file to the .well-known folder that their servers use to validate you. You can't generate certificates for non-public URLs.

Arguably, this is somewhat more secure than a random SSL host that lets you stick a domain name in!

https://letsencrypt.org/docs/challenge-types/
 
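The two challenges the post above describes, worked through as an added example that is not part of the thread and not code from Let's Encrypt or any poster. It implements the key-authorization scheme from RFC 8555 (HTTP-01 and DNS-01) and the account-key thumbprint from RFC 7638 with only the standard library, and shows what the CA's validation step actually compares. The account keys and the token are constructed values, not real keys or a real challenge.

```python
"""
Added example (not from the thread): how an ACME client proves control of a
domain for the HTTP-01 and DNS-01 challenges (RFC 8555 section 8).

The CA issues a random token.  The client publishes a "key authorization",
    <token> "." <thumbprint of the ACME account key>
at a place only the domain's controller can write:
  HTTP-01: http://<domain>/.well-known/acme-challenge/<token>  -> key auth
  DNS-01 : TXT _acme-challenge.<domain>  -> base64url(sha256(key auth))
The thumbprint is computed per RFC 7638.  Nothing here talks to a CA.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the *required* JWK members only, keys sorted
    lexicographically, no whitespace.  Optional members (alg, use, kid)
    must not influence the thumbprint."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Binds the CA's token to this particular ACME account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_path(domain: str, token: str) -> str:
    """URL the CA fetches over plain HTTP for the HTTP-01 challenge."""
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the TXT record at _acme-challenge.<domain> for DNS-01."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii"))
    return b64url(digest.digest())


def ca_validates_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks after fetching the challenge URL.  A file that
    merely exists, or one written by a different account key, fails."""
    return served_body.strip() == key_authorization(token, account_jwk)


def ca_validates_dns01(txt_records, token: str, account_jwk: dict) -> bool:
    """What the CA checks after querying the TXT record set."""
    return dns01_txt_value(token, account_jwk) in txt_records


# Constructed sample values (not real keys, not a real challenge).
TOKEN = "constructed-token-Ab3dEf9hIjKlMnOpQrStUvWxYz0123456789"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructedXcoordinateNotARealPoint_____",
               "y": "constructedYcoordinateNotARealPoint_____"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructedModulusNotARealKey___"}

if __name__ == "__main__":
    print("serve at  :", http01_path("example.com", TOKEN))
    print("body      :", key_authorization(TOKEN, ACCOUNT_JWK))
    print("TXT value :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

The point of the token-plus-thumbprint construction is that anyone who can read the challenge file or TXT record learns nothing they can reuse: the value is tied to one account key and one token, and the CA checks it once.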
Arguably, this is somewhat more secure than a random SSL host that lets you stick a domain name in!

As the name suggests, all DV (Domain Validation) have to validate the domain in some way, usually through DNS or something being publicly hosted (like what Let's Encrypt does) - so there's no random sticking anything in.

Because you're a mug that's content to waste money on certs? I don't know. What validation do your "credible" certs go through that make them any better than open or locally generated certs? I'm really interested to know what your credible certificates offer over Let's Encrypt aside from support...

If you wanted EV or OV certificates then you don't really have much choice other than to pay, as there aren't any providers, from what I know, that offer those certificates for free.
As said, Let's Encrypt is a good solution but isn't suitable, nor preferable, for all SSL situations.

Either way, i think this thread has been derailed enough with us lot arguing over SSL certificates :D
 
Or maybe it just boils down to you can't explain it? Seeing as you run your own CA for your email servers, in particular S/MIME, you should have known that there is absolutely no difference between a self-hosted CA and self-signed cert and a paid-for CA other than support. The fact you didn't even know Let's Encrypt existed and is one of the biggest cert providers on the internet means you probably know a lot less about CAs and certs than you're pretending.

I would google it for you, but am pretty sure you are capable of googling and making up your own mind. Either way I won't derail the OP's thread further arguing the toss with you. You are right, I didn't know Let's Encrypt existed, but then for me it's worth paying a few quid for 1, 2 or 3 year certs, and I'll be honest, I haven't bothered looking in years because I have people to do that for me. I use locally generated certs for S/MIME for ease of revocation and a few other bits, but regardless that's not really relevant to the OP.

Perhaps I do know less, or I might even be properly clued up; to be honest I couldn't really care. It's not worth even continuing because literally none of this is relevant to the OP.

OP, you should look for a new dev regardless, and if you are rocking WordPress move it to somebody like WPEngine who will look after it properly for you.
 