Re: [AFMUG] ssl certs

Mon, 09 Apr 2018 15:06:42 -0700 

Moving any kind of confidential data in the clear is irresponsible.
Moving HTTP traffic across the Internet leaves you open to having the data modified, or having malicious Javascript injected. 


It's up to you whether or not you care about that, but it has been 
reduced to pasting 3 lines into a terminal to get a valid, automatically 
renewing certificate. It seems pointless not to when the benefits are 
tangible.


------ Original Message ------
From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Sent: 4/9/2018 5:02:29 PM
Subject: Re: [AFMUG] ssl certs


Why? Why is any of that necessary?


I have no intentions of inspecting anyone's traffic. I just don't find 
HTTPS everywhere necessary. I have yet to hear a viable reason to do 
it.



OH NO!  SOMEONE SAW MY WEB SITE!!!


https://www.youtube.com/watch?v=18PbwYdjsps



-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>

<https://www.facebook.com/ICSIL> 
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb> 
<https://www.linkedin.com/company/intelligent-computing-solutions> 
<https://twitter.com/ICSIL>

Midwest Internet Exchange <http://www.midwest-ix.com/>

<https://www.facebook.com/mdwestix> 
<https://www.linkedin.com/company/midwest-internet-exchange> 
<https://twitter.com/mdwestix>

The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 4:59:23 PM
Subject: Re: [AFMUG] ssl certs


I offer a directly contradicting opinion, that's it's foolish in the 
year 2018 to not implement end to end TLS wherever possible. The number 
of problems you can solve by avoiding things that maliciously MITM 
regular http traffic are considerable. The crypto libraries to do it 
properly (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.



The Internet is moving towards things like DNS-over-TLS. Mail transport 
between most properly configured smtpd now will use TLS1.2 (my Postfix 
smtpd negotiates TLS successfully with >98% of big ISP/cloud providers' 
smtpd clusters). If a WISP thinks that they "need" things to remain 
unencrypted so that they can more easily manage their traffic or 
inspect it, they'll be left behind in the dustbin of history.



On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett <af...@ics-il.net> wrote:

I didn't say it was hard. I said it was unnecessary, perhaps even 
foolish.




-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>

<https://www.facebook.com/ICSIL> 
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb> 
<https://www.linkedin.com/company/intelligent-computing-solutions> 
<https://twitter.com/ICSIL>

Midwest Internet Exchange <http://www.midwest-ix.com/>

<https://www.facebook.com/mdwestix> 
<https://www.linkedin.com/company/midwest-internet-exchange> 
<https://twitter.com/mdwestix>

The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 4:54:05 PM
Subject: Re: [AFMUG] ssl certs


What's hard about doing TLS1.2 everywhere?  Every web browser shipped 
or updated from mid-2012 onwards supports 1.2.  The population of 
browsers that only support TLS1.0 and 1.1 is less than 1% now by most 
measurements of useragent on a large scale.




On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett <af...@ics-il.net> wrote:

"You should have https (TLS1.2) everywhere, on every sort of public 
facing httpd these days, with at least a letsencrypt certificate."



We'll eventually have to because Google, etc. will make us, but it's 
extremely unnecessary. It's even foolish in many situations.




-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>

<https://www.facebook.com/ICSIL> 
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb> 
<https://www.linkedin.com/company/intelligent-computing-solutions> 
<https://twitter.com/ICSIL>

Midwest Internet Exchange <http://www.midwest-ix.com/>

<https://www.facebook.com/mdwestix> 
<https://www.linkedin.com/company/midwest-internet-exchange> 
<https://twitter.com/mdwestix>

The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 4:49:01 PM
Subject: Re: [AFMUG] ssl certs


I have seen studies showing that ecommerce checkout/cart servers do 
have lower "abandon order" rates when using EV SSL. If you're going 
to have one billing server hostname that you fully control (eg: 
https://billing.ispname.com) it might be worth it.



Things like Paypal, online banking and other stuff do make extensive 
use of EV SSL.



It used to cost $395/year, now it's $85/year and dropping in price 
further.



The big change coming in both Chrome and Firefox is that any 
non-https page will soon be marked as "Insecure" in the URL/address 
bar. You should have https (TLS1.2) everywhere, on every sort of 
public facing httpd these days, with at least a letsencrypt 
certificate.





On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake <simon@sonar.software> 
wrote:

In 99.9% of cases, EV is useless. If you are going to educate your 
customers religiously to look not only for the green padlock, but 
for your name in the address bar, maybe it's worthwhile. Most people 
don't look or care. Google doesn't have an EV cert. Neither does 
Microsoft or Facebook. My power company doesn't. Most insurance 
companies don't.



The only place I've seen them used heavily is in the financial 
sector, and I'd guess that's more about CYA than technical value.


------ Original Message ------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: 4/9/2018 3:03:38 PM
Subject: Re: [AFMUG] ssl certs


these days there are essentially two types of SSL cert, DV and EV


DV = domain validated. anyone can get one. this is the same idea 
for the $9 SSL certs and free letsencrypt. you only need to prove 
you control the domain/server it's issued for.



EV = extended validation, you need to prove your corporate 
identity. should cost around $85/year.



EV will result in the big green banner with company name in most 
modern web browsers.


https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8


On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones 
<thatoneguyst...@gmail.com> wrote:

tbh, im not really looking for alternative sources, im asking 
advice on what i need in a certificate



On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum <cc...@murcevilo.com> 
wrote:

ssls.com


On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones 
<thatoneguyst...@gmail.com> wrote:

Im no webdude is the main reason. I know alot of people use it, 
phishermen love them. Theyre "trusted, but not verified" which, 
to no webdude me, says "IT WILL BECOME UNTRUSTED". I hate 
godaddy, but theyre not likely to become untrusted, so its not 
something id have to deal with with little to no knowlege. plus 
I dont understand this 90 day thing




On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett <af...@ics-il.net> 
wrote:

Can you use Let's Encrypt?



-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>

<https://www.facebook.com/ICSIL> 
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb> 
<https://www.linkedin.com/company/intelligent-computing-solutions> 
<https://twitter.com/ICSIL>

Midwest Internet Exchange <http://www.midwest-ix.com/>

<https://www.facebook.com/mdwestix> 
<https://www.linkedin.com/company/midwest-internet-exchange> 
<https://twitter.com/mdwestix>

The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 12:07:04 PM
Subject: [AFMUG] ssl certs


Our current cert for our billing server (powercode) is about to 
expire. For some time web browsers have been throwing up the 
insecure flag, probably needed to update it.



What does a guy need in a certificate these days? godaddy is 
where we have it from, they have all kinds of options like 
green bar guarantee cert, etc.



I have thought about getting one thats good for more than one 
page, just to get rid of the annoying security screen on our 
managment port and mobile. but the wildcard cert seems more 
pricey than id prefer for something thats just convienient 
rather than needed









































					Reply via email to