CloudFlare accelerator?

Why does Xenforo, its own forum, not migrate to Cloudflare? Their servers, especially the global CDN, are pretty fast. I would like to see them optimize it more for CDN use.
 
I have always struggled with the first byte time. But now with Cloudflare Argo I achieve sub 200ms.

I love Cloudflare, my only gripe with Cloudflare is that you must be a business user $200 a month+ to have EV Certificates (Green URL in browsers).

EDIT: And Cloudflare works well with Xenforo, we use it to cache everything, and also serve all static content without any integration. We use Cloudflare to serve lossless images too.

Mick
 
Why spend the silly prices for an EV cert when a free cert from Let's Encrypt will do the same just fine?

Pretty sure that Let's Encrypt free certs are not GREEN URL compatible, as these are free and to achieve the green URL status like apple.com etc., you need to verify the company, not just the SSL connection.

Cloudflare also offer free SSL certs, with their free service... which is pretty cool anyway.

Mick
 
And that would be a false assumption.

All of Let's Encrypt's certs will provide the green padlock and "secure" - exactly how google.com looks.
I think Mick might have used the wrong term, maybe they were thinking of DV certificates where your company information is displayed in the padlock area?


Fillip
 
maybe they were thinking of DV certificates where your company information is displayed in the padlock area?
That's incorrect as well. A DV cert is Domain Verified, a DV cert will not show your company name. An EV (extended validation) cert will, however that's not what Google uses. In his last example, apple.com - they do use an EV cert. Both an EV and DV cert will give you a green padlock and a DV cert will give you the green "secure" - just like google. ;)

So I go back to the original question, what's the point of spending that kind of money on an EV cert... just so you can have your company name shown?!?

That said I'll just leave this here for anyone that might be interested, https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
 
I'm not trying to prove anyone wrong or right. Simply asking why spending the extra on the EV? ;) But now I know, you simply want your company name up there I guess.
 
Why does Xenforo, its own forum, not migrate to Cloudflare?
They do use Cloudflare:
[Attached image: bWmrwkU.webp]


I would like to see they will optimize it more for CDN use.
What changes would you like to see? Serving javascript, avatars, and attachment thumbnails over (origin pull) CDNs is already supported.
 
And that would be a false assumption.

All of Let's Encrypt's certs will provide the green padlock and "secure" - exactly how google.com looks.
No, he's correct... there is a difference between this

[Attached image: Screen Shot 2018-04-08 at 4.37.47 PM.webp]


And this
[Attached image: Screen Shot 2018-04-08 at 4.38.14 PM.webp]


The latter is what he is referring to.
And the main reason to do it if you are a business is to guarantee to the visitor that they are on a validated site.
 
Yup I think we already got that part sorted. ha.
Wasn't sure if you understood the "why" since you asked
I'm not trying to prove anyone wrong or right. Simply asking why spending the extra on the EV? ;) But now I know, you simply want your company name up there I guess.
On a larger commercial entity it does make a difference to the user's feeling of "security" as they know they aren't on some phishing site.
 
None of which actually carry on a transactional relationship with the users except Amazon, and I'm actually surprised that they don't have the certificate.
An appropriate answer that was given on Stack Exchange:
Extended Validation certificates are intended to show the user more visibly the institution to which they were issued. The technical aspects of the certificates themselves are combined with visual clues in the user interface of the application verifying them: the green bar and a visible name next to the location bar in the browser.

For example, the EV certificate at http://www.paypal.com/ will make the browser show a green bar and display "PayPal, Inc." next to it. This is designed not only to link the certificate to the domain owner (like standard domain-validated certificates do), but also link it to a more physical institution (here, PayPal, Inc.). To do this, the CA must verify that the named institution is indeed the one owning the domain.

Ultimately, this is more about making a more authenticated link between the domain name and the company name than making "more secure" certificates. From a cipher suite point of view (which is what determines the encryption algorithm and key size), EV certificates are no different from DV certificates (blue bar).

Stepping back a little, you need to realise that the effectiveness of HTTPS relies on the user checking that it's used correctly. (The server has no way to find out whether the client is victim of a MITM attack otherwise, unless using client-certificates too.) This means that the users have to:

  • check that HTTPS is used when they expect it to be,
  • check that there are no warnings,
  • check that the website they're using is indeed the one they're intending to visit, which leads to a couple of sub-points:
    • checking that it's the domain name they expect,
    • checking that the domain name belongs to the company they expect.

EV certificates are intended to solve that last sub-point. If you already know that amazon.com belongs to Amazon.com, Inc. or that google.com belongs to Google Inc., you don't really need them.

I'm not personally convinced that this approach completely works, since they can be misused (see NatWest/RBS example below) and some CAs seem to propagate vague (and potentially misleading) information as to what they really are, in an effort to promote them.

In general, if your users already know that your domain name is yours, you don't really need one.

DV certificates are easy enough to get (think LetsEncrypt) that a phishing site can get one and if the domain is similar but with a common transliteration of the domain name a non-savvy user may not catch it (and we all know there are a bunch of people using the internet that don't pay that much attention to safe hex practices). The EV certificate allows those companies to bypass that issue as when you visit their site they are readily apparent to be who they say they are.
It ultimately depends on how safe that company/corporation desires to make their users feel.
 
It ultimately depends on how safe that company/corporation desires to make their users feel.
I think you're giving the user way too much credit. I truly don't believe most end users could tell you the difference between an EV or DV certificate.

Heck, I don't think even most forum admins could tell you the difference, and many admins don't even seem to care about HTTPS - that's evident by just looking in the showcase forum and all the forums without HTTPS (they are going to hate the Chrome update in July ;) ). Many still don't think HTTPS is even needed, such as the "seo expert" Neil Patel - https://www.troyhunt.com/dont-take-security-advice-from-seo-experts-or-psychics-neil-patel/

I certainly agree an EV could possibly make the link between the "real" site and a fake site, so long as the url and the registered company name is the same. As Scott points out that's not always the same - https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

There are plenty of other sites out there that carry on a transactional relationship, such as capitalone.com, wellsfargo.com, morganstanley.com - all of which also don't use EV certs.

A big downside of the EV certs, well, except their cost, is their lifespan. These usually have an expiration date of 1-3 years, which means if the private keys get stolen there is a potential for the bad guys to do more harm with that cert compared to a cert that only has a lifespan of 90 days.

It's obvious I question the fact if EV certs have any real value or not. I don't know one person who went to Google, Amazon, CapitalOne, or really any other site, looked for the company name instead of "Secure" and if they didn't see the company name said "the heck with this I'm outta here".

If users want to spend the big money for an EV cert so they can get the name next to the URL then by all means go ahead. But I personally don't believe 99% of our users could tell you the difference or even know why there is a difference (DV vs EV).
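
Added example (not part of any post in this thread): the DV/EV distinction and the lifespan point discussed above, checked from the dict that Python's `ssl.SSLSocket.getpeercert()` returns. The two sample certificates, their names and dates are constructed for illustration, and the subject-field classification is a heuristic assumption, not a browser's own logic.

```python
import ssl

# EV subject attributes beyond the organization name; older OpenSSL builds
# report jurisdictionCountryName by its OID instead of its name.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into one dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Subject-based heuristic. The authoritative signal is the policy OID
    (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV), which getpeercert() omits."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # only the domain was validated
    if "serialNumber" in fields and EV_MARKERS & fields.keys():
        return "EV"  # registered legal entity was validated
    return "OV"

def lifetime_days(cert):
    """Validity period in days: how long a stolen key stays usable if the
    certificate is never revoked."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)

def describe(cert):
    return {"level": validation_level(cert),
            "organization": subject_fields(cert).get("organizationName"),
            "lifetime_days": lifetime_days(cert)}

# Constructed sample data in getpeercert() layout (not real certificates).
DV_SAMPLE = {"subject": ((("commonName", "forum.example.com"),),),
             "notBefore": "Mar 12 00:00:00 2018 GMT",
             "notAfter": "Jun 10 00:00:00 2018 GMT"}
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("organizationName", "Example Corp (constructed)"),),
                         (("commonName", "www.example.com"),)),
             "notBefore": "Mar 12 00:00:00 2018 GMT",
             "notAfter": "Mar 12 00:00:00 2020 GMT"}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, EV_SAMPLE):
        print(describe(sample))
```

Against a live site, `getpeercert()` only returns these fields when the connection was made with certificate verification enabled, as `ssl.create_default_context()` does.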
 