Vesta: Optional NoSSL version

Created on 1 Jul 2015  路  10Comments  路  Source: serghey-rodin/vesta

Not every user owns a SSL Certificate for his domain therefore it should be possible to provide a no-SSL Version of VestaCP to this users in order to prevent errors.

Related to #398

All 10 comments

:+1:

By default should be provided in https, but with the option to disable it.

Why would you want to lower security?

@SysVoid as @nobodypb says, not everybody have a ssl certificate, therefore make sense that the best is to enforce ssl by default, but with an option to disable it for who wants to take the risk.

In my case i use a self signed certificate, the only inconvenient is to allow the exception in the Browser every time i clean the cookies, but once i do not do that very often it works for me :)

But what is a click or two when it comes to much better security? I don't see why they should let people lower the security on their systems. Also, letsencrypt is coming out sometime this year (or is it next year?), meaning we can have fully signed certificates for free. So that could be part of the Vesta installation. :)

425

@SysVoid :+1:

@SysVoid I agree with you, that security is important and should be enabled by default, but at least it should be possible to make a choice. If someone wants to do it without SSL why don't allow it?
It's his own choice.
But I also agree with you, that a builtin support for letsencrypt would be a very nice feature and should be considered to be default.

I'm against disabling SSL, rather do 425 as SysVoid mentioned.

It's a security risk and people shouldn't be allowed to use idiotic defaults.

@n1trux I agree with you that SSL should be always enabled and with working let's encrypt for vestacp itself, this is no problem. But without there will be many users with self signed certificates.
If those don't install thier CA on every of their devices or don't make their users do that, SSL is nearly as insecure as an unencrypted connection due to things like sslsplit.
So I don't see much improvement in using a self signed certificate. But there are still users which don't want or don't need to buy an certificate. ( or setup le ) Those would be forced to disable SSL in vesta themselves to prevent error messages which just confuse their users. I'd prefer an inbuilt option to preserve updatability what in that case could prevent security risks.
-> You don't rly need SSL on a machine behind a firewall which only allows connections to vesta through VPN

tl;dr In general you're right, but keep your mind open for border cases

LE integration added, closed.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

developer-av picture developer-av  路  7Comments

tlcd96 picture tlcd96  路  5Comments

cakama3a picture cakama3a  路  5Comments

ssd-disclosure picture ssd-disclosure  路  5Comments

patricmutwiri picture patricmutwiri  路  8Comments