Getting Free HTTPS without installing anything to the server


#1

Hey there, I am transferring a website from wordpress.com to a self-hosted WordPress. Since Wordpress.com is using HTTPS, I am trying to install HTTPS on my self-hosted WordPress.

I requested CSR from my hosting company and I just received all the keys etc.

As far as I understand, Let’s Encrypt needs me to install software on the server, which my hosting company says cannot happen.

Can I get HTTPS differently?

What about https://gethttpsforfree.com/ ? Is that safe to use?


#2

It’s not strictly necessary to install software on your web server. Using something like https://gethttpsforfree.com/ or certbot with the manual plugin allows you to get a certificate by simply uploading a file under a specific path on your web server. Services like https://gethttpsforfree.com/ are safe to use as long as they don’t ask for your private key (which https://gethttpsforfree.com/ doesn’t do).

Note that with either of these options, you’ll have to repeat this manual process at least once every three months (that’s how long certificates issued by Let’s Encrypt are valid for).


#3

Did the certificate lifetimes shorten when I wasn’t looking or is this a typo?


#4

The certificate lifetime is 90 days, and it’s a good idea to renew every 60 days. See https://letsencrypt.org/2015/11/09/why-90-days.html


#5

Yeah, that was supposed to read “3 months”, thanks! :smile:


#6

All sites which do NOT generate a private key for you are safe. gethttpsforfree.com is such a site. You’ll have to generate the private key on your local computer and generate a CSR (AFAIK)… That way, all the important stuff is always on your local computer.

There are sites which generate the site for you… Those can be safe, but that’s only the case when the private key is generated in the browser and you’re sure the private key isn’t transferred to the site through JavaScript or something like that. So you’d have to go through all the HTML and scripts to be sure that doesn’t happen.
There are also sites that generate the private key on their own server: those sites are inherently unsafe. I wouldn’t use such a site.
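The local key-plus-CSR workflow described above, as an added example that is not part of any post in this thread: the private key is generated and kept on the local machine, only the CSR is produced for upload, and a check confirms that the CSR matches the key and carries no private material. The domain name, file paths and the use of the openssl command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the private key and CSR locally
# with openssl, so only the CSR (public data) is ever pasted into a site like
# gethttpsforfree.com. Domain and file names are assumptions for illustration.
set -eu

# Generate a 2048-bit RSA key on this machine; this file never leaves it.
make_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  chmod 600 "$1"
}

# Build a CSR from the local key for the given domain (Common Name only).
make_csr() {
  key="$1"; csr="$2"; domain="$3"
  openssl req -new -key "$key" -out "$csr" -subj "/CN=$domain"
}

# Sanity check before uploading anything: the public key embedded in the CSR
# must be the one derived from the local private key, and the CSR file must
# not contain private key material (e.g. from a copy-paste mistake).
check_csr() {
  key="$1"; csr="$2"
  pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  pub_from_csr=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  [ "$pub_from_key" = "$pub_from_csr" ] || return 1
  ! grep -q "PRIVATE KEY" "$csr"
}

# Typical use (assumed domain): create key and CSR, then verify before upload.
run_example() {
  dir="$1"
  make_key "$dir/example.key"
  make_csr "$dir/example.key" "$dir/example.csr" "example.com"
  check_csr "$dir/example.key" "$dir/example.csr"
}
```

Only the contents of example.csr are pasted into the signing site; example.key stays on the local machine and is later installed alongside the issued certificate.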


#7

@Tolkin Basically use common sense, like with everything on the Internet. For example, when you do your Internet shopping, you entrust a lot of valuable information, such as your credit card details, billing address and so on to an unknown (personally to yourself) party. You don’t necessarily know how all that information is going to be stored, who is going to have access to it (customer support, database administrators, someone else), etc.

So what do you normally do to decide whether to buy something there? You probably check if the site is new or was established some time ago, whether there is a known person or company behind it, etc. If the site looks dodgy, there is no information about who is behind it and whois data is protected, that would make you think twice perhaps.

In this case the same logic is applicable, even though the actual risks are lower (no one in their right mind would risk their reputation by capturing someone’s key to sites like my-super-sturdy-garden-shovel.site or something similar). But it never hurts to see if there are options which might provide additional assurance of safety. For example, as it was mentioned before, if it is possible to make your own CSR and use it, that’s a big plus already. Again, similar to how you might use Paypal on a shopping site instead of giving away your card details.

If everything was done on the server, I would say that it is not very safe indeed, and not necessarily because whoever runs the site is up to no good - as recent events with Yahoo and the like show, everything that is stored can be compromised. So the best option is when it is either manual (or semi-manual as in the case of gethttpsforfree) or runs in your browser only (like with ZeroSSL).

