What is the cheapest way to secure a web site

  • Thread starter: Borg
  • Tags: Web
AI Thread Summary
The discussion revolves around the challenges of accessing a self-hosted website on a Raspberry Pi due to issues with self-signed SSL certificates and modern browser restrictions. The user is exploring options for obtaining a valid server certificate, highlighting the associated costs of domain registration and certificate acquisition. Alternatives such as using a VPN for private access and leveraging free services like Let's Encrypt for SSL certificates are suggested. The conversation also touches on the potential use of dynamic DNS services to avoid domain costs. Some participants emphasize the importance of securing sensitive user data with proper encryption and authentication, while others share personal experiences with hosting solutions and the benefits of using a dedicated server for improved security and reliability. Overall, the consensus is that while there are costs involved, investing in a proper domain and SSL certificate is essential for public access and data security.
Borg
I have an existing website that I created on a Raspberry Pi at home and have locked it down with a self-signed certificate. I have been getting by fine because I've been using an older browser that allows me to accept the certificate and continue on to the site. However, the newer browsers don't allow that and just deny any access at all which is making it impossible for a friend of mine to connect to the site.

So, I've started looking into getting a real server certificate which is leading to a chain of expenses that I would rather not incur. Server certs require a domain name which then costs a yearly fee. I've looked at several domain name sites and there seems to be a lot of hidden fees, add-ons and other expensive gotchas that you have to watch for.

My question is whether there are alternatives to what I'm trying to solve (accessibility) or what is the cheapest way to get a valid certificate on my server that will be recognized properly by most browsers. I have looked at https://letsencrypt.org/certificates/ for free certs and several domain name sites for purchasing a domain. GoDaddy is cheap for the first year and gets expensive the following years. You also have to pay an extra yearly fee to keep your personal info off of the whois directory. I also looked at Namecheap.com that seems to be a better deal and allows private whois registration. However, I have no experience with these things and could really use some advice from those who have been through this.

Thanks in advance.
 
Does your friend have a static IP? Then you could just drop packets to port 80 that originate anywhere else.
 
Vanadium 50 said:
Does your friend have a static IP? Then you could just drop packets to port 80 that originate anywhere else.
I'm not sure that I follow how that would work. The server is configured to run SSL on 8443.
 
Does the information being sent to and from the pi need to be strictly encrypted?
 
cpscdave said:
Does the information being sent to and from the pi need to be strictly encrypted?
Yes. There will be personal information on the server for multiple users.

Based on my research so far, I think that it will cost me about $15 / year for a domain name, free cert and hiding my whois info. I don't know if there is a better or cheaper way to do this though.
 
There's no getting around SSL cert for public access, anything else is vulnerable and browsers will say so. For private access, you can tunnel http through any shared key encryption schema, but you have to share the keys beforehand. You could even probably do this through JavaScript.
 
Borg said:
Yes. There will be personal information on the server for multiple users.

Based on my research so far, I think that it will cost me about $15 / year for a domain name, free cert and hiding my whois info. I don't know if there is a better or cheaper way to do this though.

It's only $ 15 / year, sure you can't afford that? You have a lot in return having your own signed certificate and domain name.
 
Borg said:
...However, the newer browsers don't allow that and just deny any access at all which is making it impossible for a friend of mine to connect to the site...
Please tell us what 'new' browsers you are using and how you configured them to use your self-signed certificate along with the error returned as its rejection.
Yes. There will be personal information on the server for multiple users.
...
Then you may have to spend some fee on SSL certificate to secure your sensitive data sent to and through every hop in your network.
 
Pepper Mint said:
Then you may have to spend some fee on SSL certificate to secure your sensitive data sent to and through every hop in your network.

I completely agree here. You spend some extra bucks and get
A) Encryption
B) Authentication

If you really don't want to spend the money, have you considered using a VPN?
 
  • #10
Fooality said:
There's no getting around SSL cert for public access, anything else is vulnerable and browsers will say so. For private access, you can tunnel http through any shared key encryption schema, but you have to share the keys beforehand. You could even probably do this through JavaScript.
Yes, I definitely want to use a cert as I'm currently doing. I could share the keys but I haven't done something like that before. Plus the other person is very computer illiterate. It is painful to walk him through anything over the phone. I literally have to confirm every instruction and continually ask what he is looking at.
Pepper Mint said:
Please tell us what 'new' browsers you are using and how you configured them to use your self-signed certificate along with the error returned as its rejection.
At home, I'm using Firefox 26. I also have 38 installed but that won't let me in. Oddly, I have version 38 on my work computer and that one lets me into the site with my self-signed cert. That leads me to believe that there is a way to configure the browser through about:config or the registry that will override the default setting. Hence, my question about a better way to do this.
anarchean said:
It's only $ 15 / year, sure you can't afford that? You have a lot in return having your own signed certificate and domain name.
I didn't say that I couldn't afford it, I just don't like to waste money. :oldsmile:
 
  • #11
You can get a site hosted for $5 a month through ApisNetworks on their low-end package. I've been using them since 2005, and I think my websites have gone down a total of 5 hours.

It's the cheapest solution for a website without having to purchase any home equipment and worrying about security to your home network and web server.
 
  • #12
elusiveshame said:
You can get a site hosted for $5 a month through ApisNetworks on their low-end package. I've been using them since 2005, and I think my websites have gone down a total of 5 hours.

It's the cheapest solution for a website without having to purchase any home equipment and worrying about security to your home network and web server.
Thanks for the info. However, I am hosting my own site on a Raspberry Pi 2 at home. Part of what I'm learning is working with the Pi. I may someday connect various items at home to the Pi and control them through the website that's on the server currently.
 
  • #13
You may be able to use one of the ddns services. That would be totally free. Check with Let's Encrypt to see if your chosen ddns service is compatible. They have a list.

Borg said:
I just don't like to waste money.
You already wasted $35 on the raspberry pi and obviously are wasting money on electricity and internet service. I would suspect you wasted a bit of money on food recently too. Such flagrant disregard for frugality!

BoB
 
  • #14
Borg said:
Thanks for the info. However, I am hosting my own site on a Raspberry Pi 2 at home. Part of what I'm learning is working with the Pi. I may someday connect various items at home to the Pi and control them through the website that's on the server currently.

Okay. Let me tell you what I'm doing. You see if this is good for you.

I have a home server (an old Acer notebook, core i3, 4gb ram), it hosts some services (cloud storage, gitlab, probably email soon). The server works through an OpenVPN tunnel, and has only one port open (the OpenVPN one).
The devices connected to this server are: my computer, my cell (Android), my girlfriend's computer, my girlfriend's cell (also Android) and my mother's cell (iPhone).

All communication is protected by TLSv1.3 using AES-256 and HMAC-SHA512 for authentication.

When I need to connect another device in the network I generate a certificate for that device and register it on the server with easy-rsa (yeap, that easy):
Code:
./build-key device_name

All communications secured, I can do whatever I want with the computers in this network, it's safe. You don't need https. You can use http.

I have a dynamic IP, so I use a DDNS service (Namecheap). Now, to facilitate access to the services inside this network, I'll soon install BIND on the server and use DNS to point to devices in the network. Once the OpenVPN clients are configured, you don't need to be even close to smart to connect.

Now, this is a *private* network. If you're going public, get the certificate.

I hope that helps. Ohhh! One more thing, all computers are using Linux. I don't know how things are on Windows/Mac. (I imagine it should be essentially the same for *BSD)

PS: I put a lot of time in this, make sure you have the time.
 
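Added example, not part of the thread: the ./build-key step in post #14 has easy-rsa sign each device certificate with a private CA, while the server in the opening post presents a certificate signed only by itself. The script below builds both cases with plain openssl and checks which one chains to a CA the client was given; the host name pi.example.test, the CA name and all file names are constructed.

```bash
#!/usr/bin/env bash
# Build in directory $1: a self-signed server cert, a private CA, and a
# server cert signed by that CA (what easy-rsa automates). Needs openssl.
make_demo_pki() {
  local d="$1" host=pi.example.test   # hypothetical host name
  cat > "$d/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
  # 1. Self-signed: the certificate is its own issuer.
  openssl req -x509 -config "$d/demo.cnf" -subj "/CN=$host" -newkey rsa:2048 \
    -nodes -keyout "$d/self.key" -out "$d/self.pem" -days 30 2>/dev/null
  # 2. Private CA, then a CSR for the server and a CA-signed certificate.
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 30 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -subj "/CN=$host" -newkey rsa:2048 \
    -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions leaf \
    -out "$d/leaf.pem" -days 30 2>/dev/null
}
# True when subject and issuer are the same name (self-signed).
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}
# True when cert $2 chains to CA $1 and is valid for host name $3.
chains_to() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  is_self_signed "$d/self.pem" && echo "self.pem: self-signed"
  chains_to "$d/ca.pem" "$d/self.pem" pi.example.test || echo "self.pem: not trusted"
  chains_to "$d/ca.pem" "$d/leaf.pem" pi.example.test && echo "leaf.pem: trusted via ca.pem"
  rm -rf "$d"
}
demo
```

The CA-signed certificate is only accepted by clients that already hold ca.pem, which is why this model fits a private network and a publicly trusted CA is needed for visitors you cannot configure.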
  • #15
Not all cheap web hosting services are bad. The best way to fight these issues is to simply avoid these web hosts and go somewhere else.
 