1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Question Why Plesk try to force users to use Symantec SSL certificates

Discussion in 'Plesk Extensions' started by virtubox, Dec 1, 2017.

  1. virtubox

    virtubox Regular Pleskian Plesk Guru

    19
    60%
    Joined:
    May 4, 2016
    Messages:
    204
    Likes Received:
    70
    Location:
    France
    Hello,

    I really love the integration of Let's Encrypt in Plesk, and I also love the extension security advisor to make easier the migration from http to https on wordpress websites.
    But if I was already thinking if the third panel of Security advisor was really useful or not for normal users (because http/2 should be enabled by default and the plesk interface should be automatically protected with a SSL certificate) , other informations like KernelCare or Patchman were already very commercial.

    So, I do not understand why Plesk enable by default the Symantec SSL certificates buttons , and require to use the panel.ini editor extension to disable it.
    At first because , it 's already hard enough to explain to our customers the fact than let's encrypt provide the same level of security than any paid certificates, but also because Symantec is not really a good choice. They are selling their SSL certificates business to Digicert due to several security issues with their Certificate Authority in the past :

    Timeline: Symantec certificate authority improprieties

    If I do not have anything against the Symantec extension in Plesk, I do not think it should be enabled by default or promoted in Plesk.
     
    trialotto and Tomek like this.
  2. Tomek

    Tomek Basic Pleskian

    7
    20%
    Joined:
    Oct 27, 2017
    Messages:
    46
    Likes Received:
    1
    Location:
    Poland
    +1 for this
     
  3. trialotto

    trialotto Golden Pleskian Plesk Guru

    37
     
    Joined:
    Sep 28, 2009
    Messages:
    1,445
    Likes Received:
    206
    @virtubox

    Your statement

    is completely correct, I fully agree.

    Even though it is quite common that Plesk endusers require specific types of certificates (EV, DV and so on) and/or that Plesk Inc. wants to offer a simple service......

    ........it is still is not right that Plesk Panel becomes a sort of advertising channel for Symantec.

    For that reason, I will assign a like to your post.

    Regards.......
     
  4. Ruslan Kosolapov

    Ruslan Kosolapov Basic Pleskian Staff Member

    7
    70%
    Joined:
    Sep 29, 2016
    Messages:
    26
    Likes Received:
    13
    Location:
    Novosibirsk
    Hi.

    We fully share your love of Let's Encrypt and plan to actively continue the development of our Let's Encrypt extension. In fact, we have released a new version of Let's Encrypt yesterday ( Change Log for Plesk ).

    However, we are also aware that some customers need things that cannot be provided by Let's Encrypt - for example, OV and EV certificates. Symantec SSL extension is currently the only extension in our catalog that can address these needs in automated way, so we've integrated it with our Security Advisor to help those customers who have these needs.

    We're aware of the past issues with Symantec CA and we'd like to note that Symantec SSL extension offers certificates by GeoTrust, Thawte and so on. If you don't trust Symantec, you can purchase certificates issued by the authorities you trust, including Let's Encrypt - we're definitely not forcing anyone to buy Symantec certificates.

    If you don't want to see the "Secure" buttons, you can modify your server/VPS deployment scripts and tell Security Advisor do not suggest Symantec certificates.
     
  5. trialotto

    trialotto Golden Pleskian Plesk Guru

    37
     
    Joined:
    Sep 28, 2009
    Messages:
    1,445
    Likes Received:
    206
    @Ruslan Kosolapov

    I would like to opportunity to respond to some of your statements.

    The new release is brilliant!

    I would really recommend to be more specific on this forum about the new features!


    True...........and it is good that this would be more explicitly mentioned on this Plesk forum, because not everybody seems to be aware of "normal" certificates.

    For instance, any webshop should not simply implement LE certificates, it is often better (and sometimes required!) to implement an EV or other type of certificate.

    The suggested solution, as such a work-around, is not a good solution: it is likely that an upgrade or patch will undo any changes, this besides the fact that it is often a very bad idea to mess with the nature of the default scripts, as shipped with Plesk or it's extensions.

    Nevertheless, a work-around is a work-around and if it helps, it helps.

    But why not implement a feature that allows to check one checkbox that disables or enables specific certificate suggestions?

    Are you implying that other SSL issuers will also be allowed if there is some way of implementing a solution in a Plesk Extension?

    I really am interested in the honest answer to the above question.

    Kind regards.......
     
  6. virtubox

    virtubox Regular Pleskian Plesk Guru

    19
    60%
    Joined:
    May 4, 2016
    Messages:
    204
    Likes Received:
    70
    Location:
    France
    The issue (in my opinion) isn't to provide an extension to purchase SSL Certificates from Symantec (I understand some customers want EV certificates for their business), but to enable it by default in Security Advisor with the text "Free Let’s Encrypt SSL/TLS certificates provide a baseline level of protection" .

    I have to install panel.ini extension on every Plesk initial configuration and to add the lines :
    Code:
    [ext-security-advisor] 
    promoteSymantec = false 
    
    [ext-catalog] 
    contextAds = off
    I do not agree on this point. An EV certificate will never be required (and should never be required) because it doesn't provide a better security or a higher level of encryption than a Let's Encrypt certificate.

    Some (trusted) people are fighting enough against EV Certificates and all their issues :
    Are EV certificates worth the paper they're written on?
     
  7. trialotto

    trialotto Golden Pleskian Plesk Guru

    37
     
    Joined:
    Sep 28, 2009
    Messages:
    1,445
    Likes Received:
    206
    @virtubox,

    With respect to

    note that there are countries where it is required by law and/or required (for participating in "trusted webshop" programs, for instance) to have a EV (or better) certificate.

    Moreover, what you (and most people) seem to forget is that a certificate is not only a "thingy with ciphers and numbers".

    A certificate issuer offers a whole range of services .......... and one of them is assurance ("people, it is trusted and verified!")

    and the most forgotten one is insurance.

    Paying a specific amount to an insurance company or some small amount to a cerificate issuing company is not the same: a certificate with insurance is a better choice.

    The problem is that these types of advantages are not valued by anybody, until the worst case scenario is happening.

    Well, before you say "that worst case scenario often does not occur"........... it often does, but the other fact is that people do not know it: a good hack is virtually unnoticeable.

    Actually, the second worst scenario is already happening: the huge degree of adaption and/or huge number of implementations of LE certificates.

    It is just asking for trouble: reliance on LE makes one security loophole the gateway to a security breach in millions of sites using LE certificates.

    In short, the attack vector is huge...........any hacker can just focus on LE in order to sniff traffic at millions and millions of sites.

    And a good sysadmin therefore knows that he should not rely on a LE certificate for company critical applications.

    Regards........

    Not that a good sysadmin would host company critical applications with Plesk Panel .... it happens, but they really should not. ;)

     
  8. trialotto

    trialotto Golden Pleskian Plesk Guru

    37
     
    Joined:
    Sep 28, 2009
    Messages:
    1,445
    Likes Received:
    206
    This is another issue.

    None of the certificates are worth the paper they are written on.

    Security does not only entail certificates........security should be emphasizing all that creates a tiny moment of access to critical data, applications or servers.

    The author you are referring simply states the same, but chooses to do so in a context of EV evaluation.

    But really, he is not thé expert on the issue............ actually, the real experts are the ones designing the processes behind certification.

    One should see it like this: a certificate is the key..........and that is barely relevant, it is all about the lock that is intended to keep people out.

    A lock on a door in a wall in a home without a window open..........well, burglars are not focussing on the lock or the key, they just enter the open window. ;)

    The real experts are the cryptographic geniuses.

    And that is so old skool, in the sense that most certificates we are using right now are based upon cryptographic work in the 1970s.

    If you are interested, try to read up on the work of Diffie Hellmann, on elliptic curve cryptography and on perfect forward secrecy.

    So, you are right to say.......

    "people are fighting enough against EV Certificates and all their issues"

    but that really should be applying to the actual root cause of the problem: the considerable challenge to create almost perfectly secure certificates.

    Now we can return to Let's Encrypt, both to the LE certificates and the organisation behind it.

    The organisation behind LE is founded by some cryptographic geniuses, as a non-profit initiative for the better of (the security of) the internet.

    The LE certificates are (almost) the best available in the business.

    Nevertheless, LE certificates are failing in one area: anybody can claim a LE certificate ...........and that is bad.

    It is better if companies and their owners are verified
    .

    AND that is the added value of what certificate issuers can do, since it is chosen policy of Let's Encrypt's organization to not do so.

    As long as Let's Encrypt's organization will not opt for "personal or company verification", there is added value to all certificates other than those of LE.

    To start a discussion about prices and/or about a comparison between LE and other certificate issuers......

    ....... well, that is not meaningful at all: the pure fact is that Let's Encrypt's organization will never choose to offer "personal/company verification", hence also allowing a lot of space for other companies to offer this type of service at the price they think is appropriate.

    Regards.......
     
  9. trialotto

    trialotto Golden Pleskian Plesk Guru

    37
     
    Joined:
    Sep 28, 2009
    Messages:
    1,445
    Likes Received:
    206
    @virtubox,

    One thing I have to mention, in relation to my previous post.

    Let's Encrypt's organization seems to grasp the reality of the internet and some weaknesses.

    As a result of that, they have chosen the right path in the form of a policy that does not entail "company/person verification".

    One of the major weaknesses in the internet is that everybody is (directly or indirectly) able to register a domain under the name of somebody else.

    That is a weakness in the area of the DNS registry of the internet.

    The major consequence is that one can ask for a certificate that seems to suggest that somebody is another person, a trusted person.

    Let's Encrypts organization does not really want to cater for this: their primary objective is to make traffic more secure.

    Other certificate issuers have a mixed objective: they want to secure traffic with cheap and simple certificates and also reduce the probability of impersonification with the EV and various other types of (very) expensive certificates.

    Banks are not allowed to have a simple certificate, the European law requires them to prevent any type of impersonification or misleading (even if the misleading is the result of actions by others that have malicious intents).

    Banks are also liable for any mishaps...........so they are happy to pay a huge price for extended certificates, in order to reduce liability costs.

    This is only one example of one type of party that really want to buy an extended type of certificate....... and many other examples can be given.


    However, in the end it is always a matter of opinion and choice by the person or organization obtaining the certificate.

    AND THAT allows us to return to the topic in this thread.


    It is just a matter of choice............and we should have the freedom of choice.

    It should not be suggested at all that we can only have one (paid-for) alternative for the (free) LE certificates.

    For that reason, I am inclined to say that the Symantec links should be completely absent by default in Plesk Panel.
     
  10. virtubox

    virtubox Regular Pleskian Plesk Guru

    19
    60%
    Joined:
    May 4, 2016
    Messages:
    204
    Likes Received:
    70
    Location:
    France
    This is the main point of this thread. Any website with a login form (including wordpress backend access) should be secure with a SSL certificate nowadays.
    And letsencrypt make this process easier . Then if a company want to use an EV certificate , it's a choice.
     
  11. trialotto

    trialotto Golden Pleskian Plesk Guru

    37
     
    Joined:
    Sep 28, 2009
    Messages:
    1,445
    Likes Received:
    206
    @virtubox

    Correct.

    But an even more startling point in this topic thread seems to be absent: Plesk offers Plesk Panel to hosting providers, enabling them in their business and/or supporting a very efficient and viable business model, whilst also taking away customers by offering to purchase good with Plesk or Plesk partners, instead of the hosting provider itself.

    And that is a bit odd.........it is like saying: you pay us for Plesk Panel, which for an advertising channel for sales that you do not benefit by.
     
Loading...