• OTish - accessing web site

    From RJH@21:1/5 to All on Sun Jul 21 17:30:08 2024
    Hope this isn't too far off-topic . . . I do a web site for a small magazine - it's basically a repository for their articles, with a few pictures.

    I've had a few reports of people finding it impossible to access. The latest, from an Android phone, returns the message 'Your connection is not private' . . . hackers might be trying to steal your data, passwords, credit cards (etc), with the footnote NET::ERR_CERT_AUTHORITY_INVALID.

    Could this be because it's an http address - and not https? Or some zealous protection on phones - also Windows users have reported the same problem? Or maybe the site has been blacklisted somewhere.

    Any ideas on how to get round this appreciated. I'm no expert, but the people accessing the site are pretty clueless when it comes to such things.

    The site is: http://post16educator.org.uk

    --
    Cheers, Rob, Sheffield UK

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to RJH on Sun Jul 21 19:10:56 2024
    On 21/07/2024 18:30, RJH wrote:

    > I do a web site for a small magazine
    > I've had a few reports of people finding it impossible to access. The latest, from an Android phone, returns the message 'Your connection is not private' .
    >
    > The site is: http://post16educator.org.uk
    My browser accepted that http:// link without "promoting" it to https://
    but many devices will try to use https, and then object because the site
    only has a self-signed certificate, which nothing is going to trust.

    SSL certificates can be had for free, e.g. from LetsEncrypt, where is
    the site hosted?

  • From Andy Burns@21:1/5 to RJH on Sun Jul 21 20:02:30 2024
    RJH wrote:

    > Andy Burns wrote:
    >> SSL certificates can be had for free, e.g. from LetsEncrypt, where is
    >> the site hosted?
    >
    > Heart. I've only recently looked at this and their service looks pretty rubbish:
    > Think I'll go with Mythic Beasts.

    I'm with them for email, keep meaning to move a couple of websites to
    them. They do support letsencrypt, so it won't cost you (other than
    some time) to set it up.

    They give instructions for "the complicated way" which they say you
    probably shouldn't use

    <https://www.mythic-beasts.com/support/domains/letsencrypt_dns_01>

    But I can't see instructions for "the straightforward way" ...

  • From RJH@21:1/5 to Andy Burns on Sun Jul 21 18:32:11 2024
    On 21 Jul 2024 at 19:10:56 BST, Andy Burns wrote:

    > On 21/07/2024 18:30, RJH wrote:
    >> I do a web site for a small magazine
    >> I've had a few reports of people finding it impossible to access. The latest,
    >> from an Android phone, returns the message 'Your connection is not private' .
    >>
    >> The site is: http://post16educator.org.uk
    > My browser accepted that http:// link without "promoting" it to https://
    > but many devices will try to use https, and then object because the site
    > only has a self-signed certificate, which nothing is going to trust.


    Yep, I can sort of see why that 'needs to be' - but all of my devices accept
    it without complaint.

    > SSL certificates can be had for free, e.g. from LetsEncrypt, where is
    > the site hosted?

    Heart. I've only recently looked at this and their service looks pretty rubbish:

    https://www.heartinternet.uk/ssl-certificates

    Think I'll go with Mythic Beasts. I followed a thread on here about them recently . . .
    Cheers, Rob, Sheffield UK

  • From Jeff Gaines@21:1/5 to RJH on Sun Jul 21 20:12:24 2024
    On 21/07/2024 in message <v7jk7b$72t6$1@dont-email.me> RJH wrote:

    > Think I'll go with Mythic Beasts. I followed a thread on here about them
    > recently . . .
    > Cheers, Rob, Sheffield UK

    Mythic Beasts over Heart Internet every time, I am with both and gradually moving all to Mythic Beasts.

    --
    Jeff Gaines Dorset UK
    If it's not broken, mess around with it until it is

  • From Theo@21:1/5 to RJH on Sun Jul 21 23:03:06 2024
    RJH <patchmoney@gmx.com> wrote:
    > Hope this isn't too far off-topic . . . I do a web site for a small magazine -
    > it's basically a repository for their articles, with a few pictures.
    >
    > I've had a few reports of people finding it impossible to access. The latest, from an Android phone, returns the message 'Your connection is not private' . . . hackers might be trying to steal your data, passwords, credit cards (etc),
    > with the footnote NET::ERR_CERT_AUTHORITY_INVALID.
    >
    > Could this be because it's an http address - and not https? Or some zealous protection on phones - also Windows users have reported the same problem? Or maybe the site has been blacklisted somewhere.

    Some browsers automatically upgrade http to https if there's something listening on the https port, which there is in this case. Unfortunately
    what's listening there is broken.

    > Any ideas on how to get round this appreciated. I'm no expert, but the people accessing the site are pretty clueless when it comes to such things.

    First step is to use an SSL/TLS checker:

    https://www.ssllabs.com/ssltest/analyze.html?d=post16educator.org.uk&latest

    which shows several problems:

    Common names post16educator.ifyoucan.org.uk
    Alternative names post16educator.ifyoucan.org.uk mail.post16educator.org.uk post16educator.org.uk www.post16educator.ifyoucan.org.uk www.post16educator.org.uk cpanel.post16educator.org.uk webmail.post16educator.org.uk webdisk.post16educator.org.uk cpcontacts.post16educator.org.uk cpcalendars.post16educator.org.uk autodiscover.post16educator.org.uk

    Valid until Sat, 25 Jun 2022 02:34:21 UTC (expired 2 years ago) EXPIRED Trusted No NOT TRUSTED (Why?)
    Mozilla Apple Android Java Windows

    and the reason for that being:

    1 Sent by server
    Not in trust store post16educator.ifyoucan.org.uk Self-signed Fingerprint SHA256: 788d1ad2f35d76f27f5ae88bb8c67ef4e962c5df4af99aede3a8643c248811c4
    Pin SHA256: GxRKjr83KTrgJxxC93UOz1AOin6srnmXGhAmxonOqVQ=
    RSA 2048 bits (e 65537) / SHA256withRSA
    Valid until: Sat, 25 Jun 2022 02:34:21 UTC
    EXPIRED


    So there's two problems. The main one is the certificate is self-signed,
    not from a known certification authority. Roughly, that's a bit like the process where you might need to get your doctor to sign your passport photo
    as a true likeness, but instead you sign it yourself - now nobody can trust
    the photo. The other problem is that it's two years out of date.

    The easier way to resolve this is to get a free certificate from Let's
    Encrypt, who will vouch for your site if you configure it a particular way.

    You can't do this yourself on a shared server, but Heart should be able to
    do it - ask them. If they refuse then they're clueless and you need a new host.

    Theo

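    As an added illustration of what the checker report above is saying (example code written for this thread, not from any poster and not from SSL Labs): it applies the three checks a browser makes (trusted issuer, validity date, name match) to a certificate in the dictionary shape Python's ssl.getpeercert() returns. The certificate used is a constructed sample filled in from the report's fields, and check_live() is an assumed helper that performs a verified handshake the way a browser does against a site you run.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, filled in
# from the fields the SSL Labs report above listed (not a real capture).
SAMPLE_CERT = {
    "subject": ((("commonName", "post16educator.ifyoucan.org.uk"),),),
    "issuer": ((("commonName", "post16educator.ifyoucan.org.uk"),),),
    "notAfter": "Jun 25 02:34:21 2022 GMT",
    "subjectAltName": (
        ("DNS", "post16educator.ifyoucan.org.uk"),
        ("DNS", "post16educator.org.uk"),
        ("DNS", "www.post16educator.org.uk"),
    ),
}


def _names(rdns):
    """Flatten getpeercert()'s nested ((('commonName', ...),),) tuples into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def diagnose(cert, hostname, now=None):
    """Return the reasons a browser would reject this certificate for hostname.
    Name matching is exact DNS names only (no wildcard handling)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if _names(cert["subject"]) == _names(cert["issuer"]):
        problems.append("self-signed: issuer is the site itself, not a trusted CA")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expiry < now:
        problems.append(f"expired on {expiry:%Y-%m-%d}")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if hostname not in dns_names:
        problems.append(f"{hostname} is not among the certificate's names")
    return problems


def check_live(hostname, port=443, timeout=5):
    """Do a verified handshake as a browser would. Returns None if the chain
    verifies against the system trust store, else the verifier's reason string
    (e.g. 'self-signed certificate' or 'certificate has expired')."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
```

    Running diagnose(SAMPLE_CERT, "post16educator.org.uk") lists the two faults the report found, self-signed and expired; once a Let's Encrypt certificate is in place, check_live() on the site should return None.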
  • From Theo@21:1/5 to Andy Burns on Sun Jul 21 23:07:30 2024
    Andy Burns <usenet@andyburns.uk> wrote:
    > They give instructions for "the complicated way" which they say you
    > probably shouldn't use
    >
    > <https://www.mythic-beasts.com/support/domains/letsencrypt_dns_01>
    >
    > But I can't see instructions for "the straightforward way" ...

    The simple way is you can select one of four options:

    Security
    --------
    * Disable TLS:
    Only http: URLs will work.

    * Enable TLS
    Generate and maintain a TLS certificate for this site. Both http: and https: URLs will work.

    * Enable TLS and redirect to https:
    All http: URLs will redirect to the corresponding https: URL.

    * Enable TLS, redirect to https: and enable HSTS
    HTTP Strict Transport Security (HSTS) tells browsers to only use https: for this site for 14 days from the most recent visit. This makes it harder for attackers to impersonate your site without a valid certificate, but also
    makes it difficult for you to disable TLS in the future. It is recommended that you only select this option once you are confident that TLS is working correctly for your site.


    Just ticking one of the last three should do it.

    Theo

  • From RJH@21:1/5 to Theo on Thu Jul 25 16:22:01 2024
    On 21 Jul 2024 at 23:03:06 BST, Theo wrote:

    > RJH <patchmoney@gmx.com> wrote:
    >> Hope this isn't too far off-topic . . . I do a web site for a small magazine -
    >> it's basically a repository for their articles, with a few pictures.
    >>
    >> I've had a few reports of people finding it impossible to access. The latest,
    >> from an Android phone, returns the message 'Your connection is not private' .
    >> . . hackers might be trying to steal your data, passwords, credit cards (etc),
    >> with the footnote NET::ERR_CERT_AUTHORITY_INVALID.
    >>
    >> Could this be because it's an http address - and not https? Or some zealous
    >> protection on phones - also Windows users have reported the same problem? Or
    >> maybe the site has been blacklisted somewhere.
    >
    > Some browsers automatically upgrade http to https if there's something listening on the https port, which there is in this case. Unfortunately what's listening there is broken.
    >
    >> Any ideas on how to get round this appreciated. I'm no expert, but the people
    >> accessing the site are pretty clueless when it comes to such things.

    > First step is to use an SSL/TLS checker:
    >
    > https://www.ssllabs.com/ssltest/analyze.html?d=post16educator.org.uk&latest
    >
    > which shows several problems:
    >
    > Common names post16educator.ifyoucan.org.uk
    > Alternative names post16educator.ifyoucan.org.uk mail.post16educator.org.uk post16educator.org.uk www.post16educator.ifyoucan.org.uk www.post16educator.org.uk cpanel.post16educator.org.uk webmail.post16educator.org.uk webdisk.post16educator.org.uk cpcontacts.post16educator.org.uk cpcalendars.post16educator.org.uk autodiscover.post16educator.org.uk
    >
    > Valid until Sat, 25 Jun 2022 02:34:21 UTC (expired 2 years ago) EXPIRED Trusted No NOT TRUSTED (Why?)
    > Mozilla Apple Android Java Windows
    >
    > and the reason for that being:
    >
    > 1 Sent by server
    > Not in trust store post16educator.ifyoucan.org.uk Self-signed Fingerprint SHA256: 788d1ad2f35d76f27f5ae88bb8c67ef4e962c5df4af99aede3a8643c248811c4
    > Pin SHA256: GxRKjr83KTrgJxxC93UOz1AOin6srnmXGhAmxonOqVQ=
    > RSA 2048 bits (e 65537) / SHA256withRSA
    > Valid until: Sat, 25 Jun 2022 02:34:21 UTC
    > EXPIRED
    >
    > So there's two problems. The main one is the certificate is self-signed,
    > not from a known certification authority. Roughly, that's a bit like the process where you might need to get your doctor to sign your passport photo as a true likeness, but instead you sign it yourself - now nobody can trust the photo. The other problem is that it's two years out of date.
    >
    > The easier way to resolve this is to get a free certificate from Let's Encrypt, who will vouch for your site if you configure it a particular way.
    >
    > You can't do this yourself on a shared server, but Heart should be able to
    > do it - ask them. If they refuse then they're clueless and you need a new host.
    >
    > Theo

    Thanks *very* much for that reply. I'll have a work through . . .
    --
    Cheers, Rob, Sheffield UK
