How can I migrate from a server with cPanel AutoSSL to one using Let’s Encrypt without an interruption to my SSL coverage?

I’ve currently got a live website which is set up with it’s SSL cert being provided by cPanels AutoSSL feature. I’m going to be moving my website to a VPS that is provisioned by Laravel Forge and set up to use Let’s Encrypt for SSL certs.

On the new server, I cannot activate the Let’s Encrypt certs because my domain is not pointing at those new servers. However, if I point my domain first, then I run the risk of users hitting my website without a valid SSL cert and seeing a warning about the site being insecure.

Is there some way I can avoid this situation – perhaps by transferring my existing cert to the new server or somehow setting up my Let’s Encrypt cert despite the fact that my domain is not pointing at the new server yet?

I would like a seamless transition where I point the domain at my new server and it already has a valid SSL cert so my users aren’t seeing security warnings.

Thank you!

Can we say that CA produces the hash of TBSCertificate and then encrypt it instead of signing it? [duplicate]

CA signs the TBSCertificate, this is a pretty known fact.

Signing m means producing the hash value of m then encrypting m. For example: https://simple.wikipedia.org/wiki/RSA_algorithm#Signing_messages

Does this apply to signing certificates?

Here the answerer says:

The most important is that both your encrypt boxes are wrong, they should say sign.

How to encrypt /home directories in Ubuntu 20.04 with an alternative to eCryptfs?

I have a specific use case in which there are multiple users and I only need the Home folder for each encrypted using something like eCryptfs – https://www.howtogeek.com/116032/how-to-encrypt-your-home-folder-after-installing-ubuntu/ – but it is buggy and under-maintained and many have reported does not work with Ubuntu 18.04+ and even sometimes stuck in a login loop. Any alternative to eCryptfs? Thanks

how to encrypt and decrypt messages with more than one sender and more than one receiver?

I am creating a chat app. This app contains private messages and channels. These channels include more than one user.

I want to encrypt messages using AES and to transfer the AES key to users of this channel.

I need a secure transport channel so I used diffie hellman. The problem now is how will I get users to generate the same diffie hellman keys so that I can create a shared key which will be the AES encryption key? I have learned the encryption, but between a sender and a receiver only, but here I have more than one sender and more than one receiver.

I had an idea, to make for all users who share the same channel, the same public and private key. Any user who opens the channel takes the public key from the channel and with his own keys he generates the shared key which forms the AES key. user can encrypts and decrypts any message, no matter who sent it, because all users of this channel have the same keys.

Any other ideas?

Note: I am required to use AES encryption but not deffie hellman, so is there another algorithm better than deffie hellman to do this?

Why can’t we encrypt the message with sender’s private key and receiver’s public key in case of sending messages through a server?

I read that why do we need E2EE and can’t rely only on HTTPS for sending messages through a messaging app. The reason which i understood is when sender sends the message to the server, the TLS connection is associated with the server. TLS terminates at the server and whoever controls the server has the ability to view the messages since they are not encrypted.But, In this process when we send a message to the server, we are firstly encrypting the message with sender’s private key and then with server’s public key.

My question is why can’t we encrypt the message with sender’s private key and then receiver’s public key? In this way, even if it reaches server, it won’t be able to view anything since it can only be decrypted using receiver’s private key.

If this is possible, then why do we use methods like Diffie Hellman key exchange?

Is it necessary to encrypt a JSON Web Token more than what is built-in?

As a developer I do have some understanding of OWASP, I am also a member of OWASP community, official due paying one. Anyway, what I may not understand is information security in that I am not a security engineer and so I pose the following question:

Is it necessary to encrypt and encode a JSON Web Token?

In my experience, no secure or confidential information should be in a JSON Web Token anyway, outside of the id and email of the user. I can imagine a customer such as a bank freaking out about that, but what can someone do with an email? The password is salted and hashed and also at least in the NodeJS world that is my wheelhouse, JSON Web Token is tamper resistant.

I can verify that a token was valid by using the signing signature and if it fails due to tampering then the services will no longer trust it, that simple no? Why would it be necessary to encrypt it, Encode it And whatever else an overzealous engineer can think of? What problem is it solving or what use case is it handling that is not already built-in? Is it because in other programming languages there are no libraries built-in that can run a jwt.verify() on the JWT?

Could the case described in this post be what the institution is trying to solve?

JWT(Json Web Token) Tampering

I understand that for a customer for whom this is a big deal, encrypting the cookie contents is an option, but would that be overkill?

I just realized my tax filer does not encrypt my password. Can I anything do for the financial data (eg SSN) that I gave?

Last year due to a complicated tax scenario (for my skills), I used an online tax website recommended by a friend to do my taxes. They were efficient in their job and I wanted to use their services again this year to save time. I had forgotten my password so tried to reset it. Turns out, they stored my password in plain text. Apparently that was to enable their staff to update any information that I provided in case it was incorrect.

I am worried about the financial data that I have already provided to them. I think as a user I have to consider it compromised. But I am a bit optimist so wondering if I can do anything to protect my data.

They don’t seem to be GDPR compliant so I don’t think they will simply delete my data but I definitely am going to request for it.