Thread How To Login Securely Without HTTPS?
Sun, Nov 20 2016 7:16 PM

Frederick Chin

When I log in to Elevatesoft's web site, I do not see the use of HTTPS to secure my user name and password.

How do I achieve the same result with EWB without using Stunnel? I do not like to use Stunnel because I keep getting an "Invalid certificate" message from the browser and it is both annoying and unprofessional looking.

Frederick
Mon, Nov 21 2016 3:55 AM

Matthew Jones

Frederick Chin wrote:

> When I log in to Elevatesoft's web site, I do not see the use of HTTPS to secure my user name and password.
>
> How do I achieve the same result with EWB without using Stunnel? I do not like to use Stunnel because I keep getting an "Invalid certificate" message from the browser and it is both annoying and unprofessional looking.

The Elevate web site is not secure at all, so that's why you don't see it.

The fix for your certificate issue is to get a certified one. You can either buy one, or get one "free" from somewhere like Let's Encrypt (letsencrypt.org). I quote the free because there is effort involved, which is designed to be automated. There are scripts available for lots of systems and you can code it yourself, but it may be too much for some. Some of the commercial vendors are doing short-term free certificates to compete.

If you are getting into this, I also recommend buying a wildcard certificate. It is about 2.5 times the price, but you can use it all over for testing etc. So I have on our DNS server a number of test hosts, like test1.mydomain.com which maps to a local-only IP number (like 192.168.1.111), which is a test VM I use. This means that I can connect to the "server" running in the IDE, using a domain that is fully validated. No more annoying certificate warnings.

--

Matthew Jones
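The wildcard setup described in the post above only removes browser warnings for names the certificate actually covers. The following is an added example, not part of the original post: it applies the usual wildcard matching rule (RFC 6125, section 6.4.3) to the host names from the post. The SAN list, the function names and the refusal of `*.com`-style entries are assumptions made for illustration.

```python
import ipaddress

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def san_matches(pattern, hostname):
    """Return True if one certificate dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # "*" stands for exactly one label, never zero or two
    if p[0] == "*":
        # Simplification (assumption): demand two fixed labels so that an
        # entry like "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    # A "*" in any other position, or a partial one like "te*", is refused.
    return "*" not in pattern and p == h

def cert_covers(san_list, hostname):
    """Return True if any dNSName in the certificate covers hostname."""
    if _is_ip(hostname):
        # Browsing to the raw IP (e.g. 192.168.1.111) is never covered by a
        # dNSName entry, so the certificate warning comes back.
        return False
    return any(san_matches(s, hostname) for s in san_list)

# Constructed sample: SAN list of a hypothetical wildcard certificate.
WILDCARD_CERT_SANS = ["*.mydomain.com", "mydomain.com"]

if __name__ == "__main__":
    for host in ["test1.mydomain.com", "mydomain.com",
                 "a.test1.mydomain.com", "192.168.1.111"]:
        print(f"{host:24} covered: {cert_covers(WILDCARD_CERT_SANS, host)}")
```

The test host has to be reached by its DNS name, and a name nested one level deeper needs its own certificate entry.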
Mon, Nov 21 2016 12:00 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Matthew,

<< The Elevate web site is not secure at all, so that's why you don't see it. >>

Whoa, hold on a second.  The user profile login process isn't secured (that's changing soon, BTW), but all e-commerce functions are 100% secure and we get an A- from the Qualys SSL tests:

https://www.ssllabs.com/ssltest/

on our SSL implementation.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Nov 21 2016 3:11 PM

Matthew Jones

Tim Young [Elevate Software] <timyoung@elevatesoft.com> wrote:
> Matthew,
>
> << The Elevate web site is not secure at all, so that's why you don't see it. >>
>
> Whoa, hold on a second.  The user profile login process isn't secured
> (that's changing soon, BTW), but all e-commerce functions are 100% secure
> and we get an A- from the Qualys SSL tests:
>
> https://www.ssllabs.com/ssltest/
>
> on our SSL implementation.
>
> Tim Young
> Elevate Software
> www.elevatesoft.com
>
>

Apologies - I was incomplete in my answer and just referring to the part
referred to in the original.

--
Matthew Jones
Tue, Nov 22 2016 2:04 AM

Frederick Chin

"Matthew Jones" wrote:

/*
The fix for your certificate issue is to get a certified one. You can either buy one, or get one "free" from somewhere like Let's Encrypt (letsencrypt.org). I quote the free because there is effort involved, which is designed to be automated. There are scripts available for lots of systems and you can code it yourself, but it may be too much for some. Some of the commercial vendors are doing short-term free certificates to compete.
*/

I think I will try the Let's Encrypt option first and see how things turn out since I need to make some effort anyway because the web server is not hosted on shared hosting sites where someone can install it for me.

/*
If you are getting into this, I also recommend buying a wildcard certificate. It is about 2.5 times the price, but you can use it all over for testing etc. So I have on our DNS server a number of test hosts, like test1.mydomain.com which maps to a local-only IP number (like 192.168.1.111), which is a test VM I use. This means that I can connect to the "server" running in the IDE, using a domain that is fully validated. No more annoying certificate warnings.
*/

I can live with the warnings when I am testing the application but it is when they appear when the client uses it live that causes embarrassing answers to be given.

Frederick