Advice about how to bring up LE's services with other orgs

I discovered that as a student at my university, you can set up a blog or whatever on a WordPress instance and it would be hosted on the university servers. I don't know if they offer TLS certs with the service because it wasn't mentioned on the sign-up website, so I would like to send the following email to them to not just ask if the sites come with certs but also if they'd consider issuing a free cert through LE with all the sites created by the department. Would you consider this a polite way of asking these questions or is it a bit too much? Or should I just drop it because it's not really any of my business?

---BEGIN DRAFT---

Greetings,

I've been speaking with various Help Desk staff from time to time regarding TLS certs for [OUR UNIVERSITY] subdomains like those which can be obtained from the [DEPARTMENT] page (realurl.realuniversity.org) and from what I understand, depending on the type of subdomain, it may not be up to the school to obtain TLS certs for any websites created via a subdomain. It could be something that the department or the individual staff/faculty/student is left to do on their own.

If I were to sign up and get one of these sites, would they come with a TLS cert? As you're probably aware, WordPress instances are known to have vulnerabilities that might cause a whole bunch of problems for website maintainers. If they don't currently come with TLS certs due to cost, have you considered working to create a way to do that through getting certs from Let's Encrypt, a nonprofit which offers free TLS certificates for everyone?

If you're not the right person to direct this concern, if you could please forward it to either a supervisor or an operations manager, I'd greatly appreciate it.

Best regards,
MY NAME HERE

---END DRAFT---

2 Likes

The way I'm interpreting these few sentences leaves me with the sense that you think adding a TLS cert to WordPress will prevent or fix vulnerabilities in it or its plugins. But a cert can't really make vulnerable software any less vulnerable. The vulnerability will just be exploited while using encrypted communications.

If the two thoughts were meant to be distinct, I'd move the concerns about WordPress having a history of vulnerabilities to a different paragraph perhaps with questions about whether there are alternatives that can be setup.

If all you ultimately care about is the cert stuff, I'd keep it a simple request about whether the instances come with certs or an option to get a cert (of any kind). If the answer comes back as no, then follow up with the suggestion about LE.

7 Likes

I believe we had a related discussion with someone just the other day... :grin:

I feel that @tlrenkensebastian has tread into a very important area of security worth shining a very bright light upon. Misunderstandings of the purposes and limits of TLS are, IMO, far more dangerous than missing understandings. The latter might at least have the safety of doubt where the former almost certainly will not. There have been a few rather glaring instances of late where severe damage could occur (and at least one where it probably did).

2 Likes

This may be straying a bit from the topic, but I believe it might be worth mentioning for thought.

We're often encountered with this argument:

I closed port 80 of my system for security.

Those with experience with this fallacy (hopefully not gained the hard way) might immediately ask:

How is your system any more secure with port 80 closed? What can be done over port 80 that can't be done over port 443?

2 Likes

I've read a scientific paper on a similar/related topic, that I found to be highly interesting. As I have very close relation to the field of network security, I was surprised to see how far the views of the 'average' user differ, and how far off reality they often are. If someone is interested, here's the link: "If HTTPS Were Secure, I Wouldn't Need 2FA" - End User and Administrator Mental Models of HTTPS

7 Likes

Ooh! :astonished:

That's an excellent add, @Nummer378.

:sparkling_heart:

2 Likes

Hmm, the two thoughts were not meant to be distinct and I take your point. I'll leave that sentence about WP instances out and send the rest as-is. Thanks to you and everyone in this thread, especially @Nummer378 for linking the scientific paper about how end users think about HTTPS.

4 Likes

I remember an earlier thread here where someone complained that her site had been hacked even though she was using a Let's Encrypt certificate (which had presumably been presented to her by someone else as guaranteeing the site's security).

At the time I think I compared it to vaccination, where different vaccines defend against specific pathogens, and usually provide no cross-immunity against other infections. A contemporary example would be that flu shots don't protect against COVID, while COVID shots don't protect against flu.

One thing I found challenging at EFF was that what HTTPS protects against is not a set of attacks most people have thought much about. In that case, to stretch the analogy about, the "vaccine" we're offering protects against a disease that is rare, or, more plausibly, not so rare but usually ostensibly asymptomatic.

The security issues that most web site operators and Internet users have encountered the most are possibly things like account takeovers, database breaches, DDoS, network censorship, website defacement, website hijacking to inject spam or malware, and malware downloads (especially pop-up ads and web browser redirectors). (Not necessarily in that order.) HTTPS sort of helps with some plausible (but not necessarily the most common) vectors for maybe three of these?

6 Likes

This brings to mind the CIA triad of confidentiality, integrity, and availability:


The Parkerian hexad extends the CIA triad:

2 Likes

The triad. CISSP. CEH. Dont tease me now.

3 Likes

OMG, I finally got the uni Help Desk to say that they'll be forwarding the tickets I create about sites not having certs to the InfoSec desk so that the IS staff can help the end users get certs. I reported the initial lack of a cert on a specific website on March 30, and that Help Desk person's response to me was for me to contact the website administrator.

2 Likes

:+1:
I'm glad you received a positive reply.

3 Likes

Ah... pass the buck :dollar:, a classic strategy. You could follow up your request with the casual question of: where's the hr office? When they ask why, just say that you need to know how to get your paycheck for the work you're doing for them. :grin:

3 Likes

As amusing as the idea is, I know from my studies that this kind of "buck-passing" is necessary for Help Desk procedure. The more complicated a thing is, the less able is a junior or staff member will know how to help. And as we all know, installing a cert is not an easy task for some people.

Tangentially, I find it interesting that an org like the ISRG created a thing which was intended to be so easy that a program could do it, yet, the medium of network systems is so complex that they can't do automated tech support. :wink:

2 Likes

Just came up with an email template that I'll be using where the context is that the website is maintained by an actual I.T. department but the contact info for the Help Desk can't be found by looking at the About or Contacts page:

I hope all is well with you today. I am a second year grad student who was doing research and noticed that your website doesn't have a security certificate (aka "cert) for your home page, as seen in the attached image. This is probably something that can be handled by your I.T. department and if you could please forward this message to them and confirm that it was forwarded, I'd greatly appreciate it.

It's a low-pressure way of addressing the problem and it makes sure that the message gets to the right people. The image I attach is one where the name of the site and URL are fully present and I add a yellow highlight to the "Not secure" part of the browser address bar. If I were doing my research in a different field, I could totally do a whole project on this alone.

5 Likes

Just a suggestion, but you might want to direct them towards resources supporting why they should do this (raise search engine rankings, avoid man-in-the-middle (MITM) attacks, future-proofing, etc.). This should help them with their cost-benefit analysis.

4 Likes

If it were an org that wasn't likely to have its own I.T. department or a website that is hosted by a webhost that wasn't in the LE list, then I would definitely do that. But one of the sites I did this for recently was one connected to a Canadian public school district and the other was for the freaking New York State Department of Education. I should hope they have I.T. departments in those orgs and that staff knows about MITM, etc.

I'm also in the middle of composing a letter to someone whose site is hosted by Squarespace and I'll use a similar template for this use case scenario as well, except in that I'll be adding the link to the "Source" page. That template looks like this:

Dear WEBSITE OWNER,

I hope all is well with you today. I found your website while doing THIS THING AND I THOUGHT YOUR SITE WAS USEFUL, ETC.

At the same time, I noticed that YOURWEBSITE.com doesn't have a security certificate (aka "cert") as in the attached image. YOURHOST offers free certs for all their website customers and here's a link to the Support page that tells you how to do it: LINK TO PAGE LISTED IN THE LE THREAD LABELED SOURCE.

Thanks again!

Again, this is low-pressure and something that other folks in this community who want to encourage more SSL use can do without needing to vet articles. In fact, just looking at the Squarespace article it's even written in an excellent way because it talks about the benefits in ways that are tailored to their customer base's use case scenarios.

4 Likes