I'm not going to lie, I forgot that HTTPS is encrypted.

On Mon, Apr 9, 2018, 5:32 PM Mike Hammett <af...@ics-il.net> wrote:

> Being really smart at cryptography has nothing to do with whether it needs to be encrypted or not in the first place.
>
> I'm not against encryption. Many things certainly require it.
>
> That URL is indicative of groupthink, not the case for HTTPS everywhere.
>
> https://en.wikipedia.org/wiki/Groupthink
>
> Why might Wikipedia want to HTTPS everything? Their mission is the dissemination of information to everywhere, including countries that have content filters. Of course that doesn't actually stop anyone from actually doing a MITM, it just increases the amount of resources required to do the job.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 5:27:25 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> The discussion has been hashed out quite thoroughly by people who are far more knowledgeable about cryptography than you or I will ever be - about twenty years ago, when SSL was first popularized. It's been continually developed since then. The really funny thing is that you linked to an https website for your URL promoting the credentials of that one specific dude, in defense of your argument. Why isn't it plain http?
>
> On Mon, Apr 9, 2018 at 3:24 PM, Mike Hammett <af...@ics-il.net> wrote:
>
>> A position so weak, it can't stand up to a discussion? How sad.
>>
>> ------------------------------
>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>> *To: *af@afmug.com
>> *Sent: *Monday, April 9, 2018 5:22:40 PM
>> *Subject: *Re: [AFMUG] ssl certs
>>
>> Yeah I think I'll skip a 45 minute podcast that seems to have an anti-crypto agenda, and continue reading the IETF mailing lists instead. Standardization and implementation of TLS1.3 will continue onwards even if the techno-luddites ignore its existence.
>>
>> On Mon, Apr 9, 2018 at 3:19 PM, Mike Hammett <af...@ics-il.net> wrote:
>>
>>> Also, listen to the cast.
>>>
>>> Well, or don't. It might make you think for yourself.
>>>
>>> ------------------------------
>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>> *To: *af@afmug.com
>>> *Sent: *Monday, April 9, 2018 5:14:32 PM
>>> *Subject: *Re: [AFMUG] ssl certs
>>>
>>> The score:
>>>
>>> Podcast with six people I've never heard of: 0
>>>
>>> Every network security expert currently active in the field: 1
>>>
>>> Confidential information aside, having 100% confidence that the content served up by your httpd will appear exactly as you intend it on the end user's browser is useful. There are too many shitty/unethical ISPs that do MITM and javascript injection on plaintext http now.
>>>
>>> On Mon, Apr 9, 2018 at 3:09 PM, Mike Hammett <af...@ics-il.net> wrote:
>>>
>>>> Confidential data, sure. Billing portals, shopping carts, etc. sure.
>>>>
>>>> The marketing materials on my web site? Why?
>>>>
>>>> The podcast I linked to goes into a lot of it.
>>>>
>>>> ------------------------------
>>>> *From: *"Simon Westlake" <simon@sonar.software>
>>>> *To: *af@afmug.com, af@afmug.com
>>>> *Sent: *Monday, April 9, 2018 5:06:26 PM
>>>> *Subject: *Re: [AFMUG] ssl certs
>>>>
>>>> Moving any kind of confidential data in the clear is irresponsible. Moving HTTP traffic across the Internet leaves you open to having the data modified, or having malicious Javascript injected.
>>>>
>>>> It's up to you whether or not you care about that, but it has been reduced to pasting 3 lines into a terminal to get a valid, automatically renewing certificate. It seems pointless not to when the benefits are tangible.
>>>>
>>>> ------ Original Message ------
>>>> From: "Mike Hammett" <af...@ics-il.net>
>>>> To: af@afmug.com
>>>> Sent: 4/9/2018 5:02:29 PM
>>>> Subject: Re: [AFMUG] ssl certs
>>>>
>>>> Why? Why is any of that necessary?
>>>>
>>>> I have no intentions of inspecting anyone's traffic. I just don't find HTTPS everywhere necessary. I have yet to hear a viable reason to do it.
>>>>
>>>> OH NO! SOMEONE SAW MY WEB SITE!!!
>>>>
>>>> https://www.youtube.com/watch?v=18PbwYdjsps
>>>>
>>>> ------------------------------
>>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>>> *To: *af@afmug.com
>>>> *Sent: *Monday, April 9, 2018 4:59:23 PM
>>>> *Subject: *Re: [AFMUG] ssl certs
>>>>
>>>> I offer a directly contradicting opinion, that it's foolish in the year 2018 to not implement end to end TLS wherever possible. The number of problems you can solve by avoiding things that maliciously MITM regular http traffic are considerable. The crypto libraries to do it properly (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
>>>>
>>>> The Internet is moving towards things like DNS-over-TLS. Mail transport between most properly configured smtpd now will use TLS1.2 (my Postfix smtpd negotiates TLS successfully with >98% of big ISP/cloud providers' smtpd clusters). If a WISP thinks that they "need" things to remain unencrypted so that they can more easily manage their traffic or inspect it, they'll be left behind in the dustbin of history.
>>>>
>>>> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett <af...@ics-il.net> wrote:
>>>>
>>>>> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.
>>>>>
>>>>> ------------------------------
>>>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>>>> *To: *af@afmug.com
>>>>> *Sent: *Monday, April 9, 2018 4:54:05 PM
>>>>> *Subject: *Re: [AFMUG] ssl certs
>>>>>
>>>>> What's hard about doing TLS1.2 everywhere? Every web browser shipped or updated from mid-2012 onwards supports 1.2. The population of browsers that only support TLS1.0 and 1.1 is less than 1% now by most measurements of useragent on a large scale.
>>>>>
>>>>> On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett <af...@ics-il.net> wrote:
>>>>>
>>>>>> "You should have https (TLS1.2) everywhere, on every sort of public facing httpd these days, with at least a letsencrypt certificate."
>>>>>>
>>>>>> We'll eventually have to because Google, etc. will make us, but it's extremely unnecessary. It's even foolish in many situations.
>>>>>>
>>>>>> ------------------------------
>>>>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>>>>> *To: *af@afmug.com
>>>>>> *Sent: *Monday, April 9, 2018 4:49:01 PM
>>>>>> *Subject: *Re: [AFMUG] ssl certs
>>>>>>
>>>>>> I have seen studies showing that ecommerce checkout/cart servers do have lower "abandon order" rates when using EV SSL. If you're going to have one billing server hostname that you fully control (eg: https://billing.ispname.com) it might be worth it.
>>>>>>
>>>>>> Things like Paypal, online banking and other stuff do make extensive use of EV SSL.
>>>>>>
>>>>>> It used to cost $395/year, now it's $85/year and dropping in price further.
>>>>>>
>>>>>> The big change coming in both Chrome and Firefox is that any non-https page will soon be marked as "Insecure" in the URL/address bar. You should have https (TLS1.2) everywhere, on every sort of public facing httpd these days, with at least a letsencrypt certificate.
>>>>>>
>>>>>> On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake <simon@sonar.software> wrote:
>>>>>>
>>>>>>> In 99.9% of cases, EV is useless. If you are going to educate your customers religiously to look not only for the green padlock, but for your name in the address bar, maybe it's worthwhile. Most people don't look or care. Google doesn't have an EV cert. Neither does Microsoft or Facebook. My power company doesn't. Most insurance companies don't.
>>>>>>>
>>>>>>> The only place I've seen them used heavily is in the financial sector, and I'd guess that's more about CYA than technical value.
>>>>>>>
>>>>>>> ------ Original Message ------
>>>>>>> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
>>>>>>> To: af@afmug.com
>>>>>>> Sent: 4/9/2018 3:03:38 PM
>>>>>>> Subject: Re: [AFMUG] ssl certs
>>>>>>>
>>>>>>> These days there are essentially two types of SSL cert, DV and EV.
>>>>>>>
>>>>>>> DV = domain validated. Anyone can get one. This is the same idea for the $9 SSL certs and free letsencrypt. You only need to prove you control the domain/server it's issued for.
>>>>>>>
>>>>>>> EV = extended validation, you need to prove your corporate identity. Should cost around $85/year.
>>>>>>>
>>>>>>> EV will result in the big green banner with company name in most modern web browsers.
>>>>>>>
>>>>>>> https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8
>>>>>>>
>>>>>>> On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones <thatoneguyst...@gmail.com> wrote:
>>>>>>>
>>>>>>>> tbh, I'm not really looking for alternative sources, I'm asking advice on what I need in a certificate.
>>>>>>>>
>>>>>>>> On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum <cc...@murcevilo.com> wrote:
>>>>>>>>
>>>>>>>>> ssls.com
>>>>>>>>>
>>>>>>>>> On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones <thatoneguyst...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I'm no webdude is the main reason. I know a lot of people use it, phishermen love them. They're "trusted, but not verified" which, to no-webdude me, says "IT WILL BECOME UNTRUSTED". I hate godaddy, but they're not likely to become untrusted, so it's not something I'd have to deal with with little to no knowledge. Plus I don't understand this 90 day thing.
>>>>>>>>>>
>>>>>>>>>> On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett <af...@ics-il.net> wrote:
>>>>>>>>>>
>>>>>>>>>>> Can you use Let's Encrypt?
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------
>>>>>>>>>>> *From: *"Steve Jones" <thatoneguyst...@gmail.com>
>>>>>>>>>>> *To: *af@afmug.com
>>>>>>>>>>> *Sent: *Monday, April 9, 2018 12:07:04 PM
>>>>>>>>>>> *Subject: *[AFMUG] ssl certs
>>>>>>>>>>>
>>>>>>>>>>> Our current cert for our billing server (powercode) is about to expire. For some time web browsers have been throwing up the insecure flag, probably needed to update it.
>>>>>>>>>>>
>>>>>>>>>>> What does a guy need in a certificate these days? godaddy is where we have it from, they have all kinds of options like green bar guarantee cert, etc.
>>>>>>>>>>>
>>>>>>>>>>> I have thought about getting one that's good for more than one page, just to get rid of the annoying security screen on our management port and mobile. But the wildcard cert seems more pricey than I'd prefer for something that's just convenient rather than needed.
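An added Go example (not code from the thread or from any of the posters) for the two practical questions raised here: how many days remain before an expiring cert starts triggering browser warnings, and which hostnames a wildcard cert actually covers when you want one cert for a billing host, a management port and a mobile site. It builds a constructed, self-signed 90-day certificate (the Let's Encrypt lifetime mentioned above) for placeholder names under example.net, so it runs offline against no real server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeSampleCert builds a constructed self-signed cert with a 90-day lifetime (placeholder names).
func makeSampleCert(issued time.Time, names []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     names, // browsers match the SAN list, not the CN
		NotBefore:    issued,
		NotAfter:     issued.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DaysUntilExpiry returns whole days left before NotAfter; negative means already expired.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// CoversHost applies browser wildcard rules: "*.example.net" matches exactly one label.
func CoversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	issued := time.Date(2018, 4, 9, 0, 0, 0, 0, time.UTC)
	cert, err := makeSampleCert(issued, []string{"billing.example.net", "*.example.net"})
	if err != nil {
		panic(err)
	}
	fmt.Println("days left:", DaysUntilExpiry(cert, issued.Add(60*24*time.Hour)), "mgmt covered:", CoversHost(cert, "mgmt.example.net"))
}
```

Note that the wildcard covers mgmt.example.net but neither the bare example.net nor a two-level name such as a.b.example.net, so those need their own SAN entries.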