Moving any kind of confidential data in the clear is irresponsible.
Moving HTTP traffic across the Internet leaves you open to having the
data modified, or having malicious Javascript injected.
It's up to you whether or not you care about that, but it has been
reduced to pasting 3 lines into a terminal to get a valid, automatically
renewing certificate. It seems pointless not to when the benefits are
tangible.
------ Original Message ------
From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Sent: 4/9/2018 5:02:29 PM
Subject: Re: [AFMUG] ssl certs
Why? Why is any of that necessary?
I have no intentions of inspecting anyone's traffic. I just don't find
HTTPS everywhere necessary. I have yet to hear a viable reason to do
it.
OH NO! SOMEONE SAW MY WEB SITE!!!
https://www.youtube.com/watch?v=18PbwYdjsps
-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL>
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
<https://www.linkedin.com/company/intelligent-computing-solutions>
<https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix>
<https://www.linkedin.com/company/midwest-internet-exchange>
<https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 4:59:23 PM
Subject: Re: [AFMUG] ssl certs
I offer a directly contradicting opinion, that's it's foolish in the
year 2018 to not implement end to end TLS wherever possible. The number
of problems you can solve by avoiding things that maliciously MITM
regular http traffic are considerable. The crypto libraries to do it
properly (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
The Internet is moving towards things like DNS-over-TLS. Mail transport
between most properly configured smtpd now will use TLS1.2 (my Postfix
smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
smtpd clusters). If a WISP thinks that they "need" things to remain
unencrypted so that they can more easily manage their traffic or
inspect it, they'll be left behind in the dustbin of history.
On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett <af...@ics-il.net> wrote:
I didn't say it was hard. I said it was unnecessary, perhaps even
foolish.
-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL>
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
<https://www.linkedin.com/company/intelligent-computing-solutions>
<https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix>
<https://www.linkedin.com/company/midwest-internet-exchange>
<https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 4:54:05 PM
Subject: Re: [AFMUG] ssl certs
What's hard about doing TLS1.2 everywhere? Every web browser shipped
or updated from mid-2012 onwards supports 1.2. The population of
browsers that only support TLS1.0 and 1.1 is less than 1% now by most
measurements of useragent on a large scale.
On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett <af...@ics-il.net> wrote:
"You should have https (TLS1.2) everywhere, on every sort of public
facing httpd these days, with at least a letsencrypt certificate."
We'll eventually have to because Google, etc. will make us, but it's
extremely unnecessary. It's even foolish in many situations.
-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL>
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
<https://www.linkedin.com/company/intelligent-computing-solutions>
<https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix>
<https://www.linkedin.com/company/midwest-internet-exchange>
<https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 4:49:01 PM
Subject: Re: [AFMUG] ssl certs
I have seen studies showing that ecommerce checkout/cart servers do
have lower "abandon order" rates when using EV SSL. If you're going
to have one billing server hostname that you fully control (eg:
https://billing.ispname.com) it might be worth it.
Things like Paypal, online banking and other stuff do make extensive
use of EV SSL.
It used to cost $395/year, now it's $85/year and dropping in price
further.
The big change coming in both Chrome and Firefox is that any
non-https page will soon be marked as "Insecure" in the URL/address
bar. You should have https (TLS1.2) everywhere, on every sort of
public facing httpd these days, with at least a letsencrypt
certificate.
On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake <simon@sonar.software>
wrote:
In 99.9% of cases, EV is useless. If you are going to educate your
customers religiously to look not only for the green padlock, but
for your name in the address bar, maybe it's worthwhile. Most people
don't look or care. Google doesn't have an EV cert. Neither does
Microsoft or Facebook. My power company doesn't. Most insurance
companies don't.
The only place I've seen them used heavily is in the financial
sector, and I'd guess that's more about CYA than technical value.
------ Original Message ------
From: "Eric Kuhnke" <eric.kuh...@gmail.com>
To: af@afmug.com
Sent: 4/9/2018 3:03:38 PM
Subject: Re: [AFMUG] ssl certs
these days there are essentially two types of SSL cert, DV and EV
DV = domain validated. anyone can get one. this is the same idea
for the $9 SSL certs and free letsencrypt. you only need to prove
you control the domain/server it's issued for.
EV = extended validation, you need to prove your corporate
identity. should cost around $85/year.
EV will result in the big green banner with company name in most
modern web browsers.
https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8
On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones
<thatoneguyst...@gmail.com> wrote:
tbh, im not really looking for alternative sources, im asking
advice on what i need in a certificate
On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum <cc...@murcevilo.com>
wrote:
ssls.com
On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones
<thatoneguyst...@gmail.com> wrote:
Im no webdude is the main reason. I know alot of people use it,
phishermen love them. Theyre "trusted, but not verified" which,
to no webdude me, says "IT WILL BECOME UNTRUSTED". I hate
godaddy, but theyre not likely to become untrusted, so its not
something id have to deal with with little to no knowlege. plus
I dont understand this 90 day thing
On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett <af...@ics-il.net>
wrote:
Can you use Let's Encrypt?
-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL>
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
<https://www.linkedin.com/company/intelligent-computing-solutions>
<https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix>
<https://www.linkedin.com/company/midwest-internet-exchange>
<https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
--------------------------------------------------------------------------------
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: Monday, April 9, 2018 12:07:04 PM
Subject: [AFMUG] ssl certs
Our current cert for our billing server (powercode) is about to
expire. For some time web browsers have been throwing up the
insecure flag, probably needed to update it.
What does a guy need in a certificate these days? godaddy is
where we have it from, they have all kinds of options like
green bar guarantee cert, etc.
I have thought about getting one thats good for more than one
page, just to get rid of the annoying security screen on our
managment port and mobile. but the wildcard cert seems more
pricey than id prefer for something thats just convienient
rather than needed