Try this: Go to an IETF, NANOG or ARIN meeting and ask the attendees if
they would endorse end-user applications/protocols remaining unencrypted at
L4-L7, versus implementing free TLS1.2 end to end wherever possible. I
already know what 99% of the answers will be. I don't think they will match
with the people in the video you posted earlier.

If you don't believe in crypto I encourage you to go to a network security
conference, pull out a laptop on the public wifi, and synchronize all your
email with a non-TLS session to your IMAP server...

The threat model is global.

On Mon, Apr 9, 2018 at 3:02 PM, Mike Hammett <af...@ics-il.net> wrote:

> Why? Why is any of that necessary?
>
> I have no intentions of inspecting anyone's traffic. I just don't find
> HTTPS everywhere necessary. I have yet to hear a viable reason to do it.
>
>
> OH NO!  SOMEONE SAW MY WEB SITE!!!
>
>
> https://www.youtube.com/watch?v=18PbwYdjsps
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 4:59:23 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> I offer a directly contradicting opinion, that it's foolish in the year
> 2018 to not implement end to end TLS wherever possible. The number of
> problems you can solve by avoiding things that maliciously MITM regular
> http traffic are considerable. The crypto libraries to do it properly
> (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
>
> The Internet is moving towards things like DNS-over-TLS. Mail transport
> between most properly configured smtpd now will use TLS1.2 (my Postfix
> smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
> smtpd clusters). If a WISP thinks that they "need" things to remain
> unencrypted so that they can more easily manage their traffic or inspect
> it, they'll be left behind in the dustbin of history.
>
>
> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett <af...@ics-il.net> wrote:
>
>> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.
>>
>>
>>
>> ------------------------------
>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>> *To: *af@afmug.com
>> *Sent: *Monday, April 9, 2018 4:54:05 PM
>> *Subject: *Re: [AFMUG] ssl certs
>>
>> What's hard about doing TLS1.2 everywhere?  Every web browser shipped or
>> updated from mid-2012 onwards supports 1.2.  The population of browsers
>> that only support TLS1.0 and 1.1 is less than 1% now by most measurements
>> of useragent on a large scale.
>>
>>
>>
>> On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett <af...@ics-il.net> wrote:
>>
>>> "You should have https (TLS1.2) everywhere, on every sort of public
>>> facing httpd these days, with at least a letsencrypt certificate."
>>>
>>> We'll eventually have to because Google, etc. will make us, but it's
>>> extremely unnecessary. It's even foolish in many situations.
>>>
>>>
>>>
>>> ------------------------------
>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>> *To: *af@afmug.com
>>> *Sent: *Monday, April 9, 2018 4:49:01 PM
>>> *Subject: *Re: [AFMUG] ssl certs
>>>
>>> I have seen studies showing that ecommerce checkout/cart servers do have
>>> lower "abandon order" rates when using EV SSL. If you're going to have one
>>> billing server hostname that you fully control (eg:
>>> https://billing.ispname.com) it might be worth it.
>>>
>>> Things like Paypal, online banking and other stuff do make extensive use
>>> of EV SSL.
>>>
>>> It used to cost $395/year, now it's $85/year and dropping in price
>>> further.
>>>
>>> The big change coming in both Chrome and Firefox is that any non-https
>>> page will soon be marked as "Insecure" in the URL/address bar. You should
>>> have https (TLS1.2) everywhere, on every sort of public facing httpd these
>>> days, with at least a letsencrypt certificate.
>>>
>>>
>>>
>>> On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake <simon@sonar.software>
>>> wrote:
>>>
>>>> In 99.9% of cases, EV is useless. If you are going to educate your
>>>> customers religiously to look not only for the green padlock, but for your
>>>> name in the address bar, maybe it's worthwhile. Most people don't look or
>>>> care. Google doesn't have an EV cert. Neither does Microsoft or Facebook.
>>>> My power company doesn't. Most insurance companies don't.
>>>>
>>>> The only place I've seen them used heavily is in the financial sector,
>>>> and I'd guess that's more about CYA than technical value.
>>>>
>>>> ------ Original Message ------
>>>> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
>>>> To: af@afmug.com
>>>> Sent: 4/9/2018 3:03:38 PM
>>>> Subject: Re: [AFMUG] ssl certs
>>>>
>>>> these days there are essentially two types of SSL cert, DV and EV
>>>>
>>>> DV = domain validated. anyone can get one. this is the same idea for
>>>> the $9 SSL certs and free letsencrypt. you only need to prove you control
>>>> the domain/server it's issued for.
>>>>
>>>> EV = extended validation, you need to prove your corporate identity.
>>>> should cost around $85/year.
>>>>
>>>> EV will result in the big green banner with company name in most modern
>>>> web browsers.
>>>>
>>>> https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8
>>>>
>>>> On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones <thatoneguyst...@gmail.com> wrote:
>>>>
>>>>> tbh, I'm not really looking for alternative sources, I'm asking advice
>>>>> on what I need in a certificate
>>>>>
>>>>> On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum <cc...@murcevilo.com>
>>>>> wrote:
>>>>>
>>>>>> ssls.com
>>>>>>
>>>>>> On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones <thatoneguyst...@gmail.com> wrote:
>>>>>>
>>>>>>> I'm no webdude is the main reason. I know a lot of people use it,
>>>>>>> phishermen love them. They're "trusted, but not verified" which, to no
>>>>>>> webdude me, says "IT WILL BECOME UNTRUSTED". I hate godaddy, but they're
>>>>>>> not likely to become untrusted, so it's not something I'd have to deal
>>>>>>> with with little to no knowledge. Plus I don't understand this 90 day thing
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett <af...@ics-il.net>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Can you use Let's Encrypt?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------
>>>>>>>> *From: *"Steve Jones" <thatoneguyst...@gmail.com>
>>>>>>>> *To: *af@afmug.com
>>>>>>>> *Sent: *Monday, April 9, 2018 12:07:04 PM
>>>>>>>> *Subject: *[AFMUG] ssl certs
>>>>>>>>
>>>>>>>> Our current cert for our billing server (powercode) is about to
>>>>>>>> expire. For some time web browsers have been throwing up the insecure
>>>>>>>> flag, probably needed to update it.
>>>>>>>>
>>>>>>>> What does a guy need in a certificate these days? godaddy is where
>>>>>>>> we have it from, they have all kinds of options like green bar
>>>>>>>> guarantee cert, etc.
>>>>>>>>
>>>>>>>> I have thought about getting one that's good for more than one page,
>>>>>>>> just to get rid of the annoying security screen on our management port
>>>>>>>> and mobile. But the wildcard cert seems more pricey than I'd prefer for
>>>>>>>> something that's just convenient rather than needed
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
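
An added example, not part of the thread: the message above cites a Postfix smtpd negotiating TLS with more than 98% of large providers' mail servers. One way to measure that share on your own server from the mail log, assuming Postfix runs with `smtpd_tls_loglevel = 1`; the log lines, hostnames and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, in the shape Postfix writes with smtpd_tls_loglevel = 1.
SAMPLE_LOG = """\
Apr  9 14:00:01 mx postfix/smtpd[2101]: connect from mail-a.example.net[192.0.2.10]
Apr  9 14:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  9 14:00:02 mx postfix/smtpd[2102]: connect from old-mta.example.org[198.51.100.7]
Apr  9 14:00:02 mx postfix/smtpd[2101]: disconnect from mail-a.example.net[192.0.2.10]
Apr  9 14:00:03 mx postfix/smtpd[2102]: Anonymous TLS connection established from old-mta.example.org[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr  9 14:00:03 mx postfix/smtpd[2101]: connect from plain.example.com[203.0.113.5]
Apr  9 14:00:04 mx postfix/smtpd[2102]: disconnect from old-mta.example.org[198.51.100.7]
Apr  9 14:00:05 mx postfix/smtpd[2101]: disconnect from plain.example.com[203.0.113.5]
Apr  9 14:00:06 mx postfix/smtpd[2103]: connect from mail-b.example.net[192.0.2.11]
Apr  9 14:00:06 mx postfix/smtpd[2103]: Anonymous TLS connection established from mail-b.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  9 14:00:07 mx postfix/smtpd[2103]: disconnect from mail-b.example.net[192.0.2.11]
"""

CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from (\S+)\[")
TLS_UP = re.compile(r"postfix/smtpd\[(\d+)\]: \w+ TLS connection established "
                    r"from \S+: (TLSv[\d.]+|SSLv\d)")
DISCONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from ")
MODERN = {"TLSv1.2", "TLSv1.3"}  # anything else counts as legacy

def summarize(log_text):
    """Pair connect/TLS/disconnect lines by smtpd pid, one session at a time."""
    open_sessions, done = {}, []  # pid -> [peer hostname, protocol or None]
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            if m.group(1) in open_sessions:  # disconnect line was lost
                done.append(open_sessions.pop(m.group(1)))
            open_sessions[m.group(1)] = [m.group(2), None]
        elif (m := TLS_UP.search(line)) and m.group(1) in open_sessions:
            open_sessions[m.group(1)][1] = m.group(2)
        elif (m := DISCONNECT.search(line)) and m.group(1) in open_sessions:
            done.append(open_sessions.pop(m.group(1)))
    done.extend(open_sessions.values())  # log ended mid-session
    with_tls = [s for s in done if s[1]]
    return {
        "sessions": len(done),
        "tls_pct": round(100.0 * len(with_tls) / len(done), 1) if done else 0.0,
        "protocols": Counter(p for _, p in with_tls),
        "plaintext_peers": sorted({h for h, p in done if p is None}),
        "legacy_tls_peers": sorted({h for h, p in with_tls if p not in MODERN}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The `plaintext_peers` and `legacy_tls_peers` lists show which senders would be affected before tightening `smtpd_tls_security_level` or `smtpd_tls_protocols`.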
