I'm trying to get my site running on https, I followed some tutorials on creating certificates and have a functional https server running with node.js. Thing is when I access my site via localhost on chrome I get a "Not Secure" warning. Anybody familiar with this. I don't know how to make it go away, and so far, no idea how to create a certificate that will work.
The draw-back is that their certificates only last for three months, so you HAVE to automate it if you're running a real site. (But there are node modules to do this.)
It's quite easy. Certbot, GetSSL, and a few others will run from a Bash shell and can be put as a cron entry to run periodically If you're windows, letsencrypt-win-simple, ACMESharp, Certify, and a few others can be run as a Windows scheduled task.
There are libraries for various languages (including node) if you want them for building your own system, but there is probably no need to build your own.
Thanks for the quick reply. I also just found out that the certificates are only issued to registered domains. So my thinking is that I can continue on with what I've got, server and client side, and when it comes time to go live, that is when I register a domain and get a certificate. At that time I'm thinking a user connecting to my site won't run into the same security pop-up as I am now... Am I understanding this right? I guess it also costs $20 bucks for you're own certificate.
letsencrypt.org is free. I believe they also allow you to register even if you only have a subdomain. Go check out their site, they've got documentation for putting it together on several major hosting systems.
I believe they also allow you to register even if you only have a subdomain
No certificate authority is going to let you sign a certificate for 'localhost'.
@OP, you should add the certificate to your browser's trust store, and ignore the issue till you deploy to an actual server.
alright. k I think I've got https covered and when this project goes to production if I encounter any problems I'm pretty confident I'll be able to address them then and won't need to do any major overhauls. Unless someone thinks otherwise???
So.. o.k right now I have a few html text-fields that a user needs to input their information so that the site can register them. I'm going to require a username, password and email. Then I'm going to do the email confirmation thing before they can play the game or participate in the forum/discussion feed. My plan is to use JavaScript to grab the info in the text-fields, then fire it off to the server via socket.io. [edit]: I'm thinking of using a closure functions for the purposes of sending socket.io information... thoughts??[/edit] On the server side I'm going to make sure that the characters being used are of a specific type, and then I'm going to use bcrypt with salting before I store their password.
Then, I'm going to send an email to the user with an instance of a webpage used to verify their email address. Once they verify their email, they will have to login and at that point I will create an instance of the website containing access to a link which will direct them to the game server.
What are your thoughts on my proposed approach? what things may I be overlooking??
Note that "you must use one special character and one digit and two uppercase characters and ..." rules are just dumb.
The most important rule: Passwords must be 12 characters or longer (I would even go so far as to require 16 characters for an important account!) and must contain at least 4 different characters, and must not contain the username somewhere within them. That's it! Also make sure you support passwords up to 99 characters long.
So, just tell people "your password must be at least 12 characters," and then check the other rules on the server, and if it violates one of those rules, send back status that says "not valid, and here is why." You don't need to list all the rules up front; that just scares people.
