Yeah I think I'll skip a 45 minute podcast that seems to have an anti-crypto agenda, and continue reading the IETF mailing lists instead. Standardization and implementation of TLS1.3 will continue onwards even if the techno-luddites ignore its existence.
On Mon, Apr 9, 2018 at 3:19 PM, Mike Hammett <af...@ics-il.net> wrote:

> Also, listen to the cast.
>
> Well, or don't. It might make you think for yourself.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 5:14:32 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> The score:
>
> Podcast with six people I've never heard of: 0
>
> Every network security expert currently active in the field: 1
>
> Confidential information aside, having 100% confidence that the content
> served up by your httpd will appear exactly as you intend it on the end
> user's browser is useful. There are too many shitty/unethical ISPs that do
> MITM and javascript injection on plaintext http now.
>
> On Mon, Apr 9, 2018 at 3:09 PM, Mike Hammett <af...@ics-il.net> wrote:
>
>> Confidential date, sure. Billing portals, shopping carts, etc. sure.
>>
>> The marketing materials on my web site? Why?
>>
>> The podcast I linked to goes into a lot of it.
>>
>> -----
>> Mike Hammett
>> ------------------------------
>> *From: *"Simon Westlake" <simon@sonar.software>
>> *To: *af@afmug.com, af@afmug.com
>> *Sent: *Monday, April 9, 2018 5:06:26 PM
>> *Subject: *Re: [AFMUG] ssl certs
>>
>> Moving any kind of confidential data in the clear is irresponsible.
>> Moving HTTP traffic across the Internet leaves you open to having the
>> data modified, or having malicious Javascript injected.
>>
>> It's up to you whether or not you care about that, but it has been
>> reduced to pasting 3 lines into a terminal to get a valid, automatically
>> renewing certificate. It seems pointless not to when the benefits are
>> tangible.
>>
>> ------ Original Message ------
>> From: "Mike Hammett" <af...@ics-il.net>
>> To: af@afmug.com
>> Sent: 4/9/2018 5:02:29 PM
>> Subject: Re: [AFMUG] ssl certs
>>
>> Why? Why is any of that necessary?
>>
>> I have no intentions of inspecting anyone's traffic. I just don't find
>> HTTPS everywhere necessary. I have yet to hear a viable reason to do it.
>>
>> OH NO! SOMEONE SAW MY WEB SITE!!!
>>
>> https://www.youtube.com/watch?v=18PbwYdjsps
>>
>> -----
>> Mike Hammett
>> ------------------------------
>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>> *To: *af@afmug.com
>> *Sent: *Monday, April 9, 2018 4:59:23 PM
>> *Subject: *Re: [AFMUG] ssl certs
>>
>> I offer a directly contradicting opinion, that it's foolish in the year
>> 2018 to not implement end to end TLS wherever possible. The number of
>> problems you can solve by avoiding things that maliciously MITM regular
>> http traffic are considerable. The crypto libraries to do it properly
>> (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
>>
>> The Internet is moving towards things like DNS-over-TLS. Mail transport
>> between most properly configured smtpd now will use TLS1.2 (my Postfix
>> smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
>> smtpd clusters). If a WISP thinks that they "need" things to remain
>> unencrypted so that they can more easily manage their traffic or inspect
>> it, they'll be left behind in the dustbin of history.
>>
>> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett <af...@ics-il.net> wrote:
>>
>>> I didn't say it was hard. I said it was unnecessary, perhaps even
>>> foolish.
>>>
>>> -----
>>> Mike Hammett
>>> ------------------------------
>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>> *To: *af@afmug.com
>>> *Sent: *Monday, April 9, 2018 4:54:05 PM
>>> *Subject: *Re: [AFMUG] ssl certs
>>>
>>> What's hard about doing TLS1.2 everywhere? Every web browser shipped or
>>> updated from mid-2012 onwards supports 1.2. The population of browsers
>>> that only support TLS1.0 and 1.1 is less than 1% now by most measurements
>>> of useragent on a large scale.
>>>
>>> On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett <af...@ics-il.net> wrote:
>>>
>>>> "You should have https (TLS1.2) everywhere, on every sort of public
>>>> facing httpd these days, with at least a letsencrypt certificate."
>>>>
>>>> We'll eventually have to because Google, etc. will make us, but it's
>>>> extremely unnecessary. It's even foolish in many situations.
>>>>
>>>> -----
>>>> Mike Hammett
>>>> ------------------------------
>>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>>> *To: *af@afmug.com
>>>> *Sent: *Monday, April 9, 2018 4:49:01 PM
>>>> *Subject: *Re: [AFMUG] ssl certs
>>>>
>>>> I have seen studies showing that ecommerce checkout/cart servers do
>>>> have lower "abandon order" rates when using EV SSL. If you're going to
>>>> have one billing server hostname that you fully control (eg:
>>>> https://billing.ispname.com) it might be worth it.
>>>>
>>>> Things like Paypal, online banking and other stuff do make extensive
>>>> use of EV SSL.
>>>>
>>>> It used to cost $395/year, now it's $85/year and dropping in price
>>>> further.
>>>>
>>>> The big change coming in both Chrome and Firefox is that any non-https
>>>> page will soon be marked as "Insecure" in the URL/address bar. You
>>>> should have https (TLS1.2) everywhere, on every sort of public facing
>>>> httpd these days, with at least a letsencrypt certificate.
>>>>
>>>> On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake <simon@sonar.software>
>>>> wrote:
>>>>
>>>>> In 99.9% of cases, EV is useless. If you are going to educate your
>>>>> customers religiously to look not only for the green padlock, but for
>>>>> your name in the address bar, maybe it's worthwhile.
>>>>> Most people don't look or care. Google doesn't have an EV cert.
>>>>> Neither does Microsoft or Facebook. My power company doesn't. Most
>>>>> insurance companies don't.
>>>>>
>>>>> The only place I've seen them used heavily is in the financial sector,
>>>>> and I'd guess that's more about CYA than technical value.
>>>>>
>>>>> ------ Original Message ------
>>>>> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
>>>>> To: af@afmug.com
>>>>> Sent: 4/9/2018 3:03:38 PM
>>>>> Subject: Re: [AFMUG] ssl certs
>>>>>
>>>>> these days there are essentially two types of SSL cert, DV and EV
>>>>>
>>>>> DV = domain validated. anyone can get one. this is the same idea for
>>>>> the $9 SSL certs and free letsencrypt. you only need to prove you
>>>>> control the domain/server it's issued for.
>>>>>
>>>>> EV = extended validation, you need to prove your corporate identity.
>>>>> should cost around $85/year.
>>>>>
>>>>> EV will result in the big green banner with company name in most
>>>>> modern web browsers.
>>>>>
>>>>> https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8
>>>>>
>>>>> On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones
>>>>> <thatoneguyst...@gmail.com> wrote:
>>>>>
>>>>>> tbh, I'm not really looking for alternative sources, I'm asking
>>>>>> advice on what I need in a certificate
>>>>>>
>>>>>> On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum <cc...@murcevilo.com>
>>>>>> wrote:
>>>>>>
>>>>>>> ssls.com
>>>>>>>
>>>>>>> On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones
>>>>>>> <thatoneguyst...@gmail.com> wrote:
>>>>>>>
>>>>>>>> I'm no webdude is the main reason. I know a lot of people use it,
>>>>>>>> phishermen love them. They're "trusted, but not verified" which, to
>>>>>>>> no webdude me, says "IT WILL BECOME UNTRUSTED". I hate godaddy, but
>>>>>>>> they're not likely to become untrusted, so it's not something I'd
>>>>>>>> have to deal with with little to no knowledge.
>>>>>>>> plus I don't understand this 90 day thing
>>>>>>>>
>>>>>>>> On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett <af...@ics-il.net>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Can you use Let's Encrypt?
>>>>>>>>>
>>>>>>>>> -----
>>>>>>>>> Mike Hammett
>>>>>>>>> ------------------------------
>>>>>>>>> *From: *"Steve Jones" <thatoneguyst...@gmail.com>
>>>>>>>>> *To: *af@afmug.com
>>>>>>>>> *Sent: *Monday, April 9, 2018 12:07:04 PM
>>>>>>>>> *Subject: *[AFMUG] ssl certs
>>>>>>>>>
>>>>>>>>> Our current cert for our billing server (powercode) is about to
>>>>>>>>> expire. For some time web browsers have been throwing up the
>>>>>>>>> insecure flag, probably needed to update it.
>>>>>>>>>
>>>>>>>>> What does a guy need in a certificate these days? godaddy is where
>>>>>>>>> we have it from, they have all kinds of options like green bar
>>>>>>>>> guarantee cert, etc.
>>>>>>>>>
>>>>>>>>> I have thought about getting one that's good for more than one
>>>>>>>>> page, just to get rid of the annoying security screen on our
>>>>>>>>> management port and mobile.
>>>>>>>>> but the wildcard cert seems more pricey than I'd prefer for
>>>>>>>>> something that's just convenient rather than needed
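
Added example, not part of the original thread: a check for the two things the opening question turns on, whether a certificate is close to expiry and whether one certificate (single-name or wildcard) actually covers each host it is meant for. The hostnames, dates and the 30-day window are assumptions made for this example.

```python
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumption for this example: flag certs inside this window


def san_matches(pattern, host):
    """True if one DNS SAN entry covers host. A '*' is honoured only as the
    whole left-most label and stands for exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def audit(cert, host, now):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output;
    now is a POSIX timestamp. Returns a list of findings, empty if fine."""
    findings = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(n, host) for n in names):
        findings.append("name-mismatch")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("expired")
    elif days_left < RENEW_BEFORE_DAYS:
        findings.append("renew-soon")
    return findings


# Constructed sample data (not from the thread): hostnames and dates are made up.
NOW = datetime(2018, 4, 9, 17, 0, tzinfo=timezone.utc).timestamp()
SINGLE = {"subjectAltName": (("DNS", "billing.example.net"),),
          "notAfter": "Apr 20 12:00:00 2018 GMT"}
WILDCARD = {"subjectAltName": (("DNS", "*.example.net"),),
            "notAfter": "Jul 08 12:00:00 2018 GMT"}

if __name__ == "__main__":
    for cert, host in [(SINGLE, "billing.example.net"),
                       (SINGLE, "mobile.example.net"),
                       (WILDCARD, "mobile.example.net"),
                       (WILDCARD, "mgmt.noc.example.net"),
                       (WILDCARD, "example.net")]:
        print(host, audit(cert, host, NOW) or "ok")
```

The wildcard entry covers one label only, so it does not cover a host two levels down or the bare domain; those need their own SAN entries.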