SSL

All you need to do is redirect all non-SSL traffic (HTTP) to the SSL traffic (HTTPS) and it'll be forced to use SSL.
 
Nope. You do not need to pay that much.
I was using GoDaddy EV SSL for 2 years but now I'm using what @digitalpoint is using
https://www.startssl.com/?app=40
https://www.startssl.com/?app=34

  1. The cover of your passport
  2. The first pages of the passport
  3. The picture of you with your personal detail of your passport
and
  1. Both sides of your drivers license or identity card or
  2. Photo ID document issued by a local, state or federal authority.


^^^^ Did you have to do all of that?
 
Now that I've forced SSL, I had to force SSL in some of the links in my templates. I had to do so with my logo and Better Blogs because they don't act right together due to the multi-blog vanity URL setup. I have MetaMirror installed, which at first I was thinking was overkill and unnecessary, but now I see how useful it is because locally hosted images do not trip that yellow alert in the address bar. This has really been a huge learning experience. @MattW helped me out with the CDN.net SSL integration, which was the hardest part because the URL was confusing. My next step, which will be the most tedious, is to go through all my smilies, moods and BB codes and fix the URLs that are tripping the yellow warning sign in the address bar. I also had to manually edit a TaigaChat template, turn on HTTPS compatibility mode and turn off BB code images in the chat box.
 
For some reason my site's sigs aren't being converted by MetaMirror. :(

So I'm going to turn sigs off because I don't want sigs tripping the warning flag now that my site's in SSL.

I tried turning them off, but that has been a huge pain since there are individual users who have special user permissions set on their account.

You pretty much have to revoke the image and video BB code for each individual user who has a special user permission o_O

http://xenforo.com/community/threads/signature-permissions.47456/page-6#post-634731
 
For my StartCom SSL webpage I noticed on webpagetest.org that the browser downloads an intermediate certificate the first time (it does not happen once I restart the test). That slows down the page load, obviously.

Is it possible that StartCom certs are not stored in the browser, just the certificate that certifies the StartCom cert? Then the StartCom cert has to be downloaded first, which is checked against the cert available in the browser.
 
If you're using something like a StartSSL Class 1 certificate, it's signed by an intermediate CA, which is signed by the StartCom (master) root CA. Your server needs to send the complete trust chain to the browser so it can verify your certificate is trusted.

It's only being imported once, as most browsers will cache it.
 
Most CAs have abandoned the practice of issuing single root certificates, since chained certificates offer a higher level of security, as it keeps the root's private key inaccessible. Also should the intermediate ever become compromised, a new one can be created and new certificates issued off it.

There is also another (good) side-effect from intermediaries, they keep the size of CRLs optimal, which brings up another issue. If you're worried about roundtrips, then you might consider implementing OCSP stapling (a TLS extension) for browsers that support it, which also has a privacy benefit.
 
I guess if I get a certificate from a well-known authority like Verisign, most of my users' browsers have already downloaded the intermediate CA before they visit my page the first time. In that case, there will be no need for them to download the intermediate CA.

I do not know about OCSP; I will take a look into whether it helps me and how I could activate it in nginx (if it isn't already at work).
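As an added example (not from any post in this thread), here is an nginx configuration that does the three things discussed above: it redirects HTTP to HTTPS, serves the full certificate chain so first-time visitors do not have to fetch the intermediate themselves, and enables OCSP stapling. Host names and file paths are placeholders.

```nginx
# Redirect every plain-HTTP request to HTTPS (the "force SSL" step from the thread).
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder host names
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;   # placeholder host names

    # fullchain.pem = your leaf certificate followed by the intermediate CA
    # certificate (not the root). Build it once with:
    #   cat leaf.crt intermediate.crt > fullchain.pem
    # Serving only leaf.crt is what makes a first-time visitor's browser go and
    # fetch the intermediate on its own, the extra download seen on webpagetest.org.
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/leaf.key;        # placeholder path

    # OCSP stapling: nginx fetches the OCSP response for its own certificate and
    # attaches it to the TLS handshake, so the browser does not have to contact
    # the CA's responder itself (fewer round trips, and the CA never sees the visitor).
    ssl_stapling        on;
    ssl_stapling_verify on;
    # Certificates nginx uses to verify the stapled OCSP response:
    # the issuing intermediate plus its root, concatenated (again, not the leaf).
    ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem;  # placeholder path
    # A resolver is required so nginx can look up the OCSP responder's host name.
    resolver 127.0.0.1 valid=300s;
    resolver_timeout 5s;

    # ... the rest of the site configuration (root, location blocks) goes here.
}

# Check from a client: the "Certificate chain" section should list the leaf at
# depth 0 and the intermediate at depth 1, and the OCSP section should read
# "OCSP Response Status: successful".
#   openssl s_client -connect example.com:443 -servername example.com -status < /dev/null
```

nginx fetches the OCSP response lazily after the first handshake, so the very first check after a restart may show no stapled response; run it twice.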
 
See how the browser not having stored the intermediate CA slows down the first page load:

[Attached screenshot: upload_2013-12-27_15-20-34.webp]
 