Smartmontools.org web site is now running with Let's Encrypt!


#1

Hi, I just switched www.smartmontools.org to use a certificate from Let's Encrypt! You can find more information about the process in the article I wrote about it - https://smallhacks.wordpress.com/2015/11/01/lets-encrypt/. Thank you for such a great and free service 🙂


#2

Just tested it. Planning to make the site HTTPS-only? That is very important because you have password-protected areas that are currently available by plaintext, which is a security vulnerability.


#3

First of all, the login form is HTTPS-only, and once you are logged in, it switches to HTTPS only. But yes, I am thinking of making the site HTTPS-only at some point.


#4

Then I have a bug report for your site. While the login link redirects to HTTPS, the register link does not.


#5

Thank you for reporting, fixed now. It seems that it would be easier to switch to HTTPS completely instead 😄


#6

Good. Because an attacker can change any links on plaintext pages to go to their login form instead of yours, so the user’s password is sent to them instead of you.

Site-wide HTTPS is the only good way to go.


#7

Finally done; I also configured the HSTS header to avoid protocol downgrade attacks.
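
An added example, not part of the thread or of the site's actual configuration: a small audit that checks the two properties discussed above, that every plaintext URL redirects to HTTPS and that HTTPS responses carry a usable HSTS header. The `www.example.org` responses are constructed sample data, and the 180-day minimum `max-age` is an assumed threshold.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains).
    Returns None when max-age is missing/invalid or a directive repeats."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:                      # RFC 6797: directives appear once
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def audit(responses, min_age=15552000):       # assumed threshold: 180 days
    """responses maps URL -> (status, headers). Returns [(url, problem), ...]."""
    findings = []
    for url, (status, headers) in responses.items():
        h = {k.lower(): v for k, v in headers.items()}
        if urlsplit(url).scheme == "http":
            target = urlsplit(h.get("location", "")).scheme
            if status not in (301, 302, 307, 308) or target != "https":
                findings.append((url, "plaintext page without redirect to https"))
        else:
            hsts = parse_hsts(h.get("strict-transport-security", ""))
            if hsts is None:
                findings.append((url, "missing or malformed HSTS header"))
            elif hsts[0] < min_age:
                findings.append((url, f"HSTS max-age {hsts[0]} below {min_age}"))
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLE = {
    "http://www.example.org/login": (301, {"Location": "https://www.example.org/login"}),
    "http://www.example.org/register": (200, {"Content-Type": "text/html"}),
    "https://www.example.org/": (200, {"Strict-Transport-Security": "max-age=300"}),
    "https://www.example.org/login": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}
```

Running `audit(SAMPLE)` flags the plaintext register page and the short-lived HSTS policy, while the redirected login URL and the long-lived policy pass.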