[AFMUG] ssl certs

2018-04-09 Thread Steve Jones
Our current cert for our billing server (powercode) is about to expire. For
some time web browsers have been throwing up the insecure flag, probably
needed to update it.

What does a guy need in a certificate these days? GoDaddy is where we have
it from, they have all kinds of options like green bar guarantee cert, etc.

I have thought about getting one that's good for more than one page, just to
get rid of the annoying security screen on our management port and mobile.
But the wildcard cert seems more pricey than I'd prefer for something that's
just convenient rather than needed.


Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
Can you use Let's Encrypt? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






Re: [AFMUG] ssl certs

2018-04-09 Thread Adam Moffett

Domain validation is usually cheaper.  Nobody's complained about it yet.
I have one wildcard cert on POP/SMTP server, webmail, website, customer 
portal, etc.


The only problem is when you forget to pay for it they're all broken at 
the same time lol.




Re: [AFMUG] ssl certs

2018-04-09 Thread Steve Jones
I'm no webdude is the main reason. I know a lot of people use it, phishermen
love them. They're "trusted, but not verified" which, to no webdude me, says
"IT WILL BECOME UNTRUSTED". I hate GoDaddy, but they're not likely to become
untrusted, so it's not something I'd have to deal with with little to no
knowledge. Plus I don't understand this 90 day thing.




Re: [AFMUG] ssl certs

2018-04-09 Thread Cameron Crum
ssls.com



Re: [AFMUG] ssl certs

2018-04-09 Thread Steve Jones
tbh, I'm not really looking for alternative sources, I'm asking advice on
what I need in a certificate



Re: [AFMUG] ssl certs

2018-04-09 Thread Simon Westlake
They are trusted just as well as GoDaddy is. If you're just using a 
regular cert, there's no reason not to use Let's Encrypt at this point. 
The 90 day thing is solved by following 
https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html (assuming 
you're using CentOS 7.)


It's less work than going through the GoDaddy process.





Re: [AFMUG] ssl certs

2018-04-09 Thread Adam Moffett
You mean to ask: Is it worth paying for the magical, certified, unicorn, 
green bar, padlock, trustwaved, turbo extended validation cert for 
$700/year?


IDK bro.  Pretty sure the encryption is the same though.  Pretty sure 
the end user doesn't care as long as they don't get an error message.


I'd pay more to have it renew all by itself, but I don't think that's an 
option.

-Adam











Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
These days there are essentially two types of SSL cert, DV and EV.

DV = domain validated. Anyone can get one. This is the same idea for the $9
SSL certs and free Let's Encrypt. You only need to prove you control the
domain/server it's issued for.

EV = extended validation, you need to prove your corporate identity. Should
cost around $85/year.

EV will result in the big green banner with company name in most modern web
browsers.

https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8



Re: [AFMUG] ssl certs

2018-04-09 Thread Dan Parrish
Good info, Eric. AFAIK, you cannot EV and wildcard... Just something to 
consider. I'm not a fan of wildcards anyway, but a few subject alt names can be 
handy. Plan ahead!

--dan
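
Added example (not part of any post in this thread): a small planner for the wildcard versus subject-alt-name choice discussed above, combined with the expiry concern raised earlier in the thread. The example-isp.test hostnames, the dates, and the 30-day renewal window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data; example-isp.test is a placeholder domain.
HOSTS = [
    "billing.example-isp.test",
    "portal.example-isp.test",
    "mgmt.example-isp.test",
    "example-isp.test",
    "mail.pop.example-isp.test",
]
INVENTORY = [
    {"label": "wildcard", "names": ["*.example-isp.test"],
     "not_after": "Apr  1 00:00:00 2018 GMT"},
    {"label": "billing-90day",
     "names": ["billing.example-isp.test", "example-isp.test"],
     "not_after": "May  2 12:00:00 2018 GMT"},
]
NOW = datetime(2018, 4, 9, 12, 0, tzinfo=timezone.utc)
RENEW_BEFORE_DAYS = 30  # assumed renewal window, not a value from the thread


def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so *.example-isp.test covers neither the bare
    domain nor a name two levels down.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least *.domain.tld and no further wildcards.
        return len(p) >= 3 and "*" not in p[1:] and p[1:] == h[1:]
    return "*" not in pattern and p == h


def uncovered(hosts, cert_names):
    """Hosts that no name in the certificate matches."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in cert_names)]


def days_left(not_after, now):
    """Whole days until notAfter (negative once the cert has expired)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def renewal_status(not_after, now, renew_before_days=RENEW_BEFORE_DAYS):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= renew_before_days:
        return "renew now"
    return "ok"


def audit(inventory, hosts, now):
    """Return (hosts with no unexpired cert, {cert label: status})."""
    statuses = {c["label"]: renewal_status(c["not_after"], now)
                for c in inventory}
    live_names = [n for c in inventory
                  if statuses[c["label"]] != "expired"
                  for n in c["names"]]
    return uncovered(hosts, live_names), statuses


if __name__ == "__main__":
    unserved, statuses = audit(INVENTORY, HOSTS, NOW)
    for label, status in statuses.items():
        print(f"{label}: {status}")
    print("hosts without a valid cert:", ", ".join(unserved) or "none")
```

With the sample inventory, the expired wildcard takes every host that relied on it down at once, while the names listed explicitly on the second certificate stay covered.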











Re: [AFMUG] ssl certs

2018-04-09 Thread Simon Westlake
In 99.9% of cases, EV is useless. If you are going to educate your 
customers religiously to look not only for the green padlock, but for 
your name in the address bar, maybe it's worthwhile. Most people don't 
look or care. Google doesn't have an EV cert. Neither does Microsoft or 
Facebook. My power company doesn't. Most insurance companies don't.


The only place I've seen them used heavily is in the financial sector, 
and I'd guess that's more about CYA than technical value.












Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
I have seen studies showing that ecommerce checkout/cart servers do have
lower "abandon order" rates when using EV SSL. If you're going to have one
billing server hostname that you fully control (e.g.
https://billing.ispname.com) it might be worth it.

Things like PayPal, online banking and other stuff do make extensive use of
EV SSL.

It used to cost $395/year, now it's $85/year and dropping in price further.

The big change coming in both Chrome and Firefox is that any non-https page
will soon be marked as "Insecure" in the URL/address bar. You should have
https (TLS1.2) everywhere, on every sort of public facing httpd these days,
with at least a Let's Encrypt certificate.





Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
"You should have https (TLS1.2) everywhere, on every sort of public facing 
httpd these days, with at least a letsencrypt certificate." 

We'll eventually have to because Google, etc. will make us, but it's extremely 
unnecessary. It's even foolish in many situations. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 
























Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
Example of the user interface difference between regular DV SSL and EV SSL
in the latest browsers.

https://www.thesslstore.com/blog/google-chrome-changing-ssl-indicators/

https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

I recommend DV certificates for 99% of things *except* billing portals.
IMHO worth it to have the full company name + green + padlock in the
browser bar when people are entering their personal details. I know it's
not actually any more secure, it's a placebo effect.

On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake  wrote:

> In 99.9% of cases, EV is useless. If you are going to educate your
> customers religiously to look not only for the green padlock, but for your
> name in the address bar, maybe it's worthwhile. Most people don't look or
> care. Google doesn't have an EV cert. Neither does Microsoft or Facebook.
> My power company doesn't. Most insurance companies don't.
>
> The only place I've seen them used heavily is in the financial sector, and
> I'd guess that's more about CYA than technical value.
>
> -- Original Message --
> From: "Eric Kuhnke" 
> To: af@afmug.com
> Sent: 4/9/2018 3:03:38 PM
> Subject: Re: [AFMUG] ssl certs
>
> these days there are essentially two types of SSL cert, DV and EV
>
> DV = domain validated. anyone can get one. this is the same idea for the
> $9 SSL certs and free letsencrypt. you only need to prove you control the
> domain/server it's issued for.
>
> EV = extended validation, you need to prove your corporate identity.
> should cost around $85/year.
>
> EV will result in the big green banner with company name in most modern
> web browsers.
>
> https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8
>
> On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones 
> wrote:
>
>> tbh, I'm not really looking for alternative sources, I'm asking advice on
>> what I need in a certificate
>>
>> On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum  wrote:
>>
>>> ssls.com
>>>
>>> On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones 
>>> wrote:
>>>
>>>> I'm no webdude is the main reason. I know a lot of people use it,
>>>> phishermen love them. They're "trusted, but not verified" which, to no
>>>> webdude me, says "IT WILL BECOME UNTRUSTED". I hate godaddy, but they're not
>>>> likely to become untrusted, so it's not something I'd have to deal with with
>>>> little to no knowledge. plus I don't understand this 90 day thing
>>>>
>>>>
>>>> On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett  wrote:
>>>>
>>>>> Can you use Let's Encrypt?
>
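
Added example, not from any poster in the thread: Python that takes certificates in the dict form returned by `ssl.SSLSocket.getpeercert()` and reports the validation level (DV/OV/EV) from the subject fields, which hostnames a wildcard actually covers, and how many days remain before expiry. The two certificates, the example.net hostnames and the 30-day renewal threshold are constructed assumptions; classifying by subject fields is a heuristic, because browsers decide EV from policy OIDs that this dict does not expose.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificates in the shape returned by getpeercert().
# Names, dates, serial number and organization are made up for illustration.
DV_WILDCARD = {
    "subject": ((("commonName", "*.example.net"),),),
    "issuer": ((("commonName", "Example DV CA 1"),),),
    "notBefore": "Apr  9 12:00:00 2018 GMT",
    "notAfter": "Jul  8 12:00:00 2018 GMT",  # 90-day lifetime
    "subjectAltName": (("DNS", "*.example.net"),),
}
EV_BILLING = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example ISP LLC"),),
        (("commonName", "billing.example.net"),),
    ),
    "issuer": ((("commonName", "Example EV CA 1"),),),
    "notBefore": "Apr  9 12:00:00 2018 GMT",
    "notAfter": "Apr  9 12:00:00 2019 GMT",
    "subjectAltName": (("DNS", "billing.example.net"),),
}
SAMPLE_HOSTS = ["billing.example.net", "portal.example.net",
                "example.net", "mgmt.noc.example.net"]
SAMPLE_NOW = datetime(2018, 6, 15, 12, 0, tzinfo=timezone.utc)


def subject_fields(cert):
    """Flatten the nested RDN tuples of the subject into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """DV subjects carry no organization; EV adds registration details."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"
    if "businessCategory" in subject and "serialNumber" in subject:
        return "EV"
    return "OV"


def covers(cert, hostname):
    """True if a SAN dNSName matches; '*' stands for exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            # Strip the first label of the host and compare the remainder,
            # so *.example.net matches neither example.net nor a.b.example.net.
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def days_left(cert, now):
    """Whole days between `now` (timezone-aware) and the notAfter timestamp."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def audit(cert, hostnames, now, renew_before_days=30):
    """Summarise one certificate against the hostnames it is meant to serve."""
    remaining = days_left(cert, now)
    return {
        "level": validation_level(cert),
        "days_left": remaining,
        "renew_now": remaining <= renew_before_days,  # assumed threshold
        "uncovered": [h for h in hostnames if not covers(cert, h)],
    }


if __name__ == "__main__":
    for label, cert in (("wildcard DV", DV_WILDCARD), ("billing EV", EV_BILLING)):
        print(label, audit(cert, SAMPLE_HOSTS, SAMPLE_NOW))
```

The wildcard result shows the two gaps that matter when one certificate is shared across services: the bare domain and any name more than one label deep are not covered, and a single missed renewal affects every host at once.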


Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
What's hard about doing TLS1.2 everywhere?  Every web browser shipped or
updated from mid-2012 onwards supports 1.2.  The population of browsers
that only support TLS1.0 and 1.1 is less than 1% now by most measurements
of useragent on a large scale.



On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett  wrote:

> "You should have https (TLS1.2) everywhere, on every sort of public facing
> httpd these days, with at least a letsencrypt certificate."
>
> We'll eventually have to because Google, etc. will make us, but it's
> extremely unnecessary. It's even foolish in many situations.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
> *From: *"Eric Kuhnke" 
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 4:49:01 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> I have seen studies showing that ecommerce checkout/cart servers do have
> lower "abandon order" rates when using EV SSL. If you're going to have one
> billing server hostname that you fully control (eg:
> https://billing.ispname.com) it might be worth it.
>
> Things like Paypal, online banking and other stuff do make extensive use
> of EV SSL.
>
> It used to cost $395/year, now it's $85/year and dropping in price
> further.
>
> The big change coming in both Chrome and Firefox is that any non-https
> page will soon be marked as "Insecure" in the URL/address bar. You should
> have https (TLS1.2) everywhere, on every sort of public facing httpd these
> days, with at least a letsencrypt certificate.

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
https://thenetworkcollective.com/2017/05/episode-4-the-impact-of-increasing-encrypted-traffic/
 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Mike Hammett"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:51:04 PM 
Subject: Re: [AFMUG] ssl certs 


"You should have https (TLS1.2) everywhere, on every sort of public facing 
httpd these days, with at least a letsencrypt certificate." 

We'll eventually have to because Google, etc. will make us, but it's extremely 
unnecessary. It's even foolish in many situations. 





Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
I didn't say it was hard. I said it was unnecessary, perhaps even foolish. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:54:05 PM 
Subject: Re: [AFMUG] ssl certs 


What's hard about doing TLS1.2 everywhere? Every web browser shipped or updated 
from mid-2012 onwards supports 1.2. The population of browsers that only 
support TLS1.0 and 1.1 is less than 1% now by most measurements of useragent on 
a large scale. 






Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
I offer a directly contradicting opinion, that it's foolish in the year
2018 to not implement end to end TLS wherever possible. The number of
problems you can solve by avoiding things that maliciously MITM regular
http traffic are considerable. The crypto libraries to do it properly
(OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.

The Internet is moving towards things like DNS-over-TLS. Mail transport
between most properly configured smtpd now will use TLS1.2 (my Postfix
smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
smtpd clusters). If a WISP thinks that they "need" things to remain
unencrypted so that they can more easily manage their traffic or inspect
it, they'll be left behind in the dustbin of history.


On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett  wrote:

> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
Why? Why is any of that necessary? 

I have no intentions of inspecting anyone's traffic. I just don't find HTTPS 
everywhere necessary. I have yet to hear a viable reason to do it. 


OH NO! SOMEONE SAW MY WEB SITE!!! 


https://www.youtube.com/watch?v=18PbwYdjsps 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:59:23 PM 
Subject: Re: [AFMUG] ssl certs 



I offer a directly contradicting opinion, that it's foolish in the year 2018 
to not implement end to end TLS wherever possible. The number of problems you 
can solve by avoiding things that maliciously MITM regular http traffic are 
considerable. The crypto libraries to do it properly (OpenSSL, etc for apache2 
and nginx) and Letsencrypt are free. 

The Internet is moving towards things like DNS-over-TLS. Mail transport between 
most properly configured smtpd now will use TLS1.2 (my Postfix smtpd negotiates 
TLS successfully with >98% of big ISP/cloud providers' smtpd clusters). If a 
WISP thinks that they "need" things to remain unencrypted so that they can more 
easily manage their traffic or inspect it, they'll be left behind in the 
dustbin of history. 





Re: [AFMUG] ssl certs

2018-04-09 Thread Simon Westlake

Moving any kind of confidential data in the clear is irresponsible.
Moving HTTP traffic across the Internet leaves you open to having the 
data modified, or having malicious Javascript injected.


It's up to you whether or not you care about that, but it has been 
reduced to pasting 3 lines into a terminal to get a valid, automatically 
renewing certificate. It seems pointless not to when the benefits are 
tangible.


-- Original Message --
From: "Mike Hammett" 
To: af@afmug.com
Sent: 4/9/2018 5:02:29 PM
Subject: Re: [AFMUG] ssl certs


Why? Why is any of that necessary?

I have no intentions of inspecting anyone's traffic. I just don't find 
HTTPS everywhere necessary. I have yet to hear a viable reason to do 
it.



OH NO!  SOMEONE SAW MY WEB SITE!!!


https://www.youtube.com/watch?v=18PbwYdjsps




Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
Try this: Go to an IETF, NANOG or ARIN meeting and ask the attendees if
they would endorse end-user applications/protocols remaining unencrypted at
L4-L7, versus implementing free TLS1.2 end to end wherever possible. I
already know what 99% of the answers will be. I don't think they will match
with the people in the video you posted earlier.

If you don't believe in crypto I encourage you to go to a network security
conference, pull out a laptop on the public wifi, and synchronize all your
email with a non-TLS session to your IMAP server...

The threat model is global.

On Mon, Apr 9, 2018 at 3:02 PM, Mike Hammett  wrote:

> Why? Why is any of that necessary?
>
> I have no intentions of inspecting anyone's traffic. I just don't find
> HTTPS everywhere necessary. I have yet to hear a viable reason to do it.
>
>
> OH NO!  SOMEONE SAW MY WEB SITE!!!
>
>
> https://www.youtube.com/watch?v=18PbwYdjsps
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
> *From: *"Eric Kuhnke" 
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 4:59:23 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> I offer a directly contradicting opinion, that it's foolish in the year
> 2018 to not implement end to end TLS wherever possible. The number of
> problems you can solve by avoiding things that maliciously MITM regular
> http traffic are considerable. The crypto libraries to do it properly
> (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
>
> The Internet is moving towards things like DNS-over-TLS. Mail transport
> between most properly configured smtpd now will use TLS1.2 (my Postfix
> smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
> smtpd clusters). If a WISP thinks that they "need" things to remain
> unencrypted so that they can more easily manage their traffic or inspect
> it, they'll be left behind in the dustbin of history.
>
>
> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett  wrote:
>
>> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> --
>> *From: *"Eric Kuhnke" 
>> *To: *af@afmug.com
>> *Sent: *Monday, April 9, 2018 4:54:05 PM
>> *Subject: *Re: [AFMUG] ssl certs
>>
>> What's hard about doing TLS1.2 everywhere?  Every web browser shipped or
>> updated from mid-2012 onwards supports 1.2.  The population of browsers
>> that only support TLS1.0 and 1.1 is less than 1% now by most measurements
>> of useragent on a large scale.
>>
>>
>>
>> On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett  wrote:
>>
>>> "You should have https (TLS1.2) everywhere, on every sort of public
>>> facing httpd these days, with at least a letsencrypt certificate."
>>>
>>> We'll eventually have to because Google, etc. will make us, but it's
>>> extremely unnecessary. It's even foolish in many situations.
>>>
>>>
>>>
>>> -
>>> Mike Hammett
>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>> <https://www.facebook.com/ICSIL>
>>> <https://plus.google.com/+Intellig

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
Confidential data, sure. Billing portals, shopping carts, etc. sure.

The marketing materials on my web site? Why? 


The podcast I linked to goes into a lot of it. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Simon Westlake"  
To: af@afmug.com, af@afmug.com 
Sent: Monday, April 9, 2018 5:06:26 PM 
Subject: Re: [AFMUG] ssl certs 


Moving any kind of confidential data in the clear is irresponsible. 
Moving HTTP traffic across the Internet leaves you open to having the data 
modified, or having malicious Javascript injected. 


It's up to you whether or not you care about that, but it has been reduced to 
pasting 3 lines into a terminal to get a valid, automatically renewing 
certificate. It seems pointless not to when the benefits are tangible. 


-- Original Message -- 
From: "Mike Hammett" < af...@ics-il.net > 
To: af@afmug.com 
Sent: 4/9/2018 5:02:29 PM 
Subject: Re: [AFMUG] ssl certs 





Why? Why is any of that necessary? 

I have no intentions of inspecting anyone's traffic. I just don't find HTTPS 
everywhere necessary. I have yet to hear a viable reason to do it. 


OH NO! SOMEONE SAW MY WEB SITE!!! 


https://www.youtube.com/watch?v=18PbwYdjsps 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:59:23 PM 
Subject: Re: [AFMUG] ssl certs 



I offer a directly contradicting opinion, that it's foolish in the year 2018
to not implement end to end TLS wherever possible. The number of problems you 
can solve by avoiding things that maliciously MITM regular http traffic are 
considerable. The crypto libraries to do it properly (OpenSSL, etc for apache2 
and nginx) and Letsencrypt are free. 

The Internet is moving towards things like DNS-over-TLS. Mail transport between 
most properly configured smtpd now will use TLS1.2 (my Postfix smtpd negotiates 
TLS successfully with >98% of big ISP/cloud providers' smtpd clusters). If a 
WISP thinks that they "need" things to remain unencrypted so that they can more 
easily manage their traffic or inspect it, they'll be left behind in the 
dustbin of history. 




On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett < af...@ics-il.net > wrote: 




I didn't say it was hard. I said it was unnecessary, perhaps even foolish. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:54:05 PM 
Subject: Re: [AFMUG] ssl certs 


What's hard about doing TLS1.2 everywhere? Every web browser shipped or updated 
from mid-2012 onwards supports 1.2. The population of browsers that only 
support TLS1.0 and 1.1 is less than 1% now by most measurements of useragent on 
a large scale. 







On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett < af...@ics-il.net > wrote: 




"You should have https (TLS1.2) everywhere, on every sort of public facing 
httpd these days, with at least a letsencrypt certificate." 

We'll eventually have to because Google, etc. will make us, but it's extremely 
unnecessary. It's even foolish in many situations. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:49:01 PM 
Subject: Re: [AFMUG] ssl certs 





I have seen studies showing that ecommerce checkout/cart servers do have lower 
"abandon order" rates when using EV SSL. If you're going to have one billing 
server hostname that you fully control (eg: https://billing.ispname.com ) it 
might be worth it. 

Things like Paypal, online banking and other stuff do make extensive use of EV 
SSL. 

It used to cost $395/year, now it's $85/year and dropping in price further. 

The big change coming in both Chrome and Firefox is that any non-https page 
will soon be marked as "Insecure" in the URL/address bar. You should have https 
(TLS1.2) everywhere, on every sort of public facing httpd these days, with at 
least a letsencrypt certificate. 





On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake < simon@sonar.software > wrote: 






In 99.9% of cases, EV is useless. If you are going to educate your customers 
religiously to look not only for the green padlock, but for your name in the 
address bar, maybe it's worthwhile. Most people don't look or care. Google 
doesn't have an EV cert. Neither does Microsoft or Facebook. My power company 
doesn't. Most insurance companies don't. 


The only place I'

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
Groupthink isn't a reason. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 5:08:08 PM 
Subject: Re: [AFMUG] ssl certs 



Try this: Go to an IETF, NANOG or ARIN meeting and ask the attendees if they 
would endorse end-user applications/protocols remaining unencrypted at L4-L7, 
versus implementing free TLS1.2 end to end wherever possible. I already know 
what 99% of the answers will be. I don't think they will match with the people 
in the video you posted earlier. 


If you don't believe in crypto I encourage you to go to a network security 
conference, pull out a laptop on the public wifi, and synchronize all your 
email with a non-TLS session to your IMAP server...


The threat model is global. 



On Mon, Apr 9, 2018 at 3:02 PM, Mike Hammett < af...@ics-il.net > wrote: 




Why? Why is any of that necessary? 

I have no intentions of inspecting anyone's traffic. I just don't find HTTPS 
everywhere necessary. I have yet to hear a viable reason to do it. 


OH NO! SOMEONE SAW MY WEB SITE!!! 


https://www.youtube.com/watch?v=18PbwYdjsps 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:59:23 PM 
Subject: Re: [AFMUG] ssl certs 



I offer a directly contradicting opinion, that it's foolish in the year 2018
to not implement end to end TLS wherever possible. The number of problems you 
can solve by avoiding things that maliciously MITM regular http traffic are 
considerable. The crypto libraries to do it properly (OpenSSL, etc for apache2 
and nginx) and Letsencrypt are free. 

The Internet is moving towards things like DNS-over-TLS. Mail transport between 
most properly configured smtpd now will use TLS1.2 (my Postfix smtpd negotiates 
TLS successfully with >98% of big ISP/cloud providers' smtpd clusters). If a 
WISP thinks that they "need" things to remain unencrypted so that they can more 
easily manage their traffic or inspect it, they'll be left behind in the 
dustbin of history. 






On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett < af...@ics-il.net > wrote: 




I didn't say it was hard. I said it was unnecessary, perhaps even foolish. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:54:05 PM 
Subject: Re: [AFMUG] ssl certs 


What's hard about doing TLS1.2 everywhere? Every web browser shipped or updated 
from mid-2012 onwards supports 1.2. The population of browsers that only 
support TLS1.0 and 1.1 is less than 1% now by most measurements of useragent on 
a large scale. 







On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett < af...@ics-il.net > wrote: 




"You should have https (TLS1.2) everywhere, on every sort of public facing 
httpd these days, with at least a letsencrypt certificate." 

We'll eventually have to because Google, etc. will make us, but it's extremely 
unnecessary. It's even foolish in many situations. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:49:01 PM 
Subject: Re: [AFMUG] ssl certs 





I have seen studies showing that ecommerce checkout/cart servers do have lower 
"abandon order" rates when using EV SSL. If you're going to have one billing 
server hostname that you fully control (eg: https://billing.ispname.com ) it 
might be worth it. 

Things like Paypal, online banking and other stuff do make extensive use of EV 
SSL. 

It used to cost $395/year, now it's $85/year and dropping in price further. 

The big change coming in both Chrome and Firefox is that any non-https page 
will soon be marked as "Insecure" in the URL/address bar. You should have https 
(TLS1.2) everywhere, on every sort of public facing httpd these days, with at 
least a letsencrypt certificate. 





On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake < simon@sonar.software > wrote: 






In 99.9% of cases, EV is useless. If you are going to educate your customers 
religiously to look not only for the green padlock, but for your name in the 
address bar, maybe it's worthwhile. Most people don't look or care. Google 
doesn't have an EV cert. Neither does Microsoft or Facebook. My power company 
doesn't. Most insurance companies don't. 


The only place I've seen them used heavily is in the financial sector, and I'd 
guess that's more abo

Re: [AFMUG] ssl certs

2018-04-09 Thread Mathew Howard
The point is, there's a lot of stuff that contains absolutely no
confidential data, and there's no reason whatsoever why anyone would care
if it was ever intercepted and nobody is going to ever want to modify it...
but for some reason, the popular opinion seems to be that it's a good idea
to try to force everyone to encrypt it anyway.

On Mon, Apr 9, 2018 at 5:09 PM, Mike Hammett  wrote:

> Confidential data, sure. Billing portals, shopping carts, etc. sure.
>
> The marketing materials on my web site? Why?
>
>
> The podcast I linked to goes into a lot of it.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
> *From: *"Simon Westlake" 
> *To: *af@afmug.com, af@afmug.com
> *Sent: *Monday, April 9, 2018 5:06:26 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> Moving any kind of confidential data in the clear is irresponsible.
> Moving HTTP traffic across the Internet leaves you open to having the data
> modified, or having malicious Javascript injected.
>
> It's up to you whether or not you care about that, but it has been reduced
> to pasting 3 lines into a terminal to get a valid, automatically renewing
> certificate. It seems pointless not to when the benefits are tangible.
>
> -- Original Message --
> From: "Mike Hammett" 
> To: af@afmug.com
> Sent: 4/9/2018 5:02:29 PM
> Subject: Re: [AFMUG] ssl certs
>
> Why? Why is any of that necessary?
>
> I have no intentions of inspecting anyone's traffic. I just don't find
> HTTPS everywhere necessary. I have yet to hear a viable reason to do it.
>
>
> OH NO!  SOMEONE SAW MY WEB SITE!!!
>
>
> https://www.youtube.com/watch?v=18PbwYdjsps
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
> *From: *"Eric Kuhnke" 
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 4:59:23 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> I offer a directly contradicting opinion, that it's foolish in the year
> 2018 to not implement end to end TLS wherever possible. The number of
> problems you can solve by avoiding things that maliciously MITM regular
> http traffic are considerable. The crypto libraries to do it properly
> (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
>
> The Internet is moving towards things like DNS-over-TLS. Mail transport
> between most properly configured smtpd now will use TLS1.2 (my Postfix
> smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
> smtpd clusters). If a WISP thinks that they "need" things to remain
> unencrypted so that they can more easily manage their traffic or inspect
> it, they'll be left behind in the dustbin of history.
>
>
> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett  wrote:
>
>> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix&

Re: [AFMUG] ssl certs

2018-04-09 Thread Seth Mattinen

On 4/9/18 15:09, Mike Hammett wrote:

Confidential data, sure. Billing portals, shopping carts, etc. sure.

The marketing materials on my web site? Why?



Because one day at home after I moved, I tried to go to my own website 
and Charter intercepted the HTTP request to present me with their 
content instead of what I requested. Later that day I completed 
deploying Let's Encrypt on my sites because fuck them for thinking they 
can arbitrarily hijack an HTTP request for any reason.


~Seth


Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
The score:

Podcast with six people I've never heard of: 0

Every network security expert currently active in the field: 1

Confidential information aside, having 100% confidence that the content
served up by your httpd will appear exactly as you intend it on the end
user's browser is useful. There are too many shitty/unethical ISPs that do
MITM and javascript injection on plaintext http now.




On Mon, Apr 9, 2018 at 3:09 PM, Mike Hammett  wrote:

> Confidential data, sure. Billing portals, shopping carts, etc. sure.
>
> The marketing materials on my web site? Why?
>
>
> The podcast I linked to goes into a lot of it.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> ----------
> *From: *"Simon Westlake" 
> *To: *af@afmug.com, af@afmug.com
> *Sent: *Monday, April 9, 2018 5:06:26 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> Moving any kind of confidential data in the clear is irresponsible.
> Moving HTTP traffic across the Internet leaves you open to having the data
> modified, or having malicious Javascript injected.
>
> It's up to you whether or not you care about that, but it has been reduced
> to pasting 3 lines into a terminal to get a valid, automatically renewing
> certificate. It seems pointless not to when the benefits are tangible.
>
> -- Original Message --
> From: "Mike Hammett" 
> To: af@afmug.com
> Sent: 4/9/2018 5:02:29 PM
> Subject: Re: [AFMUG] ssl certs
>
> Why? Why is any of that necessary?
>
> I have no intentions of inspecting anyone's traffic. I just don't find
> HTTPS everywhere necessary. I have yet to hear a viable reason to do it.
>
>
> OH NO!  SOMEONE SAW MY WEB SITE!!!
>
>
> https://www.youtube.com/watch?v=18PbwYdjsps
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
> *From: *"Eric Kuhnke" 
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 4:59:23 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> I offer a directly contradicting opinion, that it's foolish in the year
> 2018 to not implement end to end TLS wherever possible. The number of
> problems you can solve by avoiding things that maliciously MITM regular
> http traffic are considerable. The crypto libraries to do it properly
> (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
>
> The Internet is moving towards things like DNS-over-TLS. Mail transport
> between most properly configured smtpd now will use TLS1.2 (my Postfix
> smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
> smtpd clusters). If a WISP thinks that they "need" things to remain
> unencrypted so that they can more easily manage their traffic or inspect
> it, they'll be left behind in the dustbin of history.
>
>
> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett  wrote:
>
>> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> Midwest Internet Exchange <http://www.midwest-

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
While perhaps not that episode, Russ White has quite an extensive resume. If 
Russ is on that many episodes, they can't be buffoons. 

https://thenetworkcollective.com/russ-white/ 

Most people don't care, nor should they. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 5:14:32 PM 
Subject: Re: [AFMUG] ssl certs 





The score: 


Podcast with six people I've never heard of: 0 

Every network security expert currently active in the field: 1 


Confidential information aside, having 100% confidence that the content served 
up by your httpd will appear exactly as you intend it on the end user's browser 
is useful. There are too many shitty/unethical ISPs that do MITM and javascript 
injection on plaintext http now. 








On Mon, Apr 9, 2018 at 3:09 PM, Mike Hammett < af...@ics-il.net > wrote: 




Confidential data, sure. Billing portals, shopping carts, etc. sure.

The marketing materials on my web site? Why? 


The podcast I linked to goes into a lot of it. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Simon Westlake"  
To: af@afmug.com , af@afmug.com 
Sent: Monday, April 9, 2018 5:06:26 PM 
Subject: Re: [AFMUG] ssl certs 


Moving any kind of confidential data in the clear is irresponsible. 
Moving HTTP traffic across the Internet leaves you open to having the data 
modified, or having malicious Javascript injected. 


It's up to you whether or not you care about that, but it has been reduced to 
pasting 3 lines into a terminal to get a valid, automatically renewing 
certificate. It seems pointless not to when the benefits are tangible. 


-- Original Message -- 
From: "Mike Hammett" < af...@ics-il.net > 
To: af@afmug.com 
Sent: 4/9/2018 5:02:29 PM 
Subject: Re: [AFMUG] ssl certs 





Why? Why is any of that necessary? 

I have no intentions of inspecting anyone's traffic. I just don't find HTTPS 
everywhere necessary. I have yet to hear a viable reason to do it. 


OH NO! SOMEONE SAW MY WEB SITE!!! 


https://www.youtube.com/watch?v=18PbwYdjsps 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:59:23 PM 
Subject: Re: [AFMUG] ssl certs 



I offer a directly contradicting opinion, that it's foolish in the year 2018
to not implement end to end TLS wherever possible. The number of problems you 
can solve by avoiding things that maliciously MITM regular http traffic are 
considerable. The crypto libraries to do it properly (OpenSSL, etc for apache2 
and nginx) and Letsencrypt are free. 

The Internet is moving towards things like DNS-over-TLS. Mail transport between 
most properly configured smtpd now will use TLS1.2 (my Postfix smtpd negotiates 
TLS successfully with >98% of big ISP/cloud providers' smtpd clusters). If a 
WISP thinks that they "need" things to remain unencrypted so that they can more 
easily manage their traffic or inspect it, they'll be left behind in the 
dustbin of history. 






On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett < af...@ics-il.net > wrote: 




I didn't say it was hard. I said it was unnecessary, perhaps even foolish. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:54:05 PM 
Subject: Re: [AFMUG] ssl certs 


What's hard about doing TLS1.2 everywhere? Every web browser shipped or updated 
from mid-2012 onwards supports 1.2. The population of browsers that only 
support TLS1.0 and 1.1 is less than 1% now by most measurements of useragent on 
a large scale. 







On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett < af...@ics-il.net > wrote: 




"You should have https (TLS1.2) everywhere, on every sort of public facing 
httpd these days, with at least a letsencrypt certificate." 

We'll eventually have to because Google, etc. will make us, but it's extremely 
unnecessary. It's even foolish in many situations. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:49:01 PM 
Subject: Re: [AFMUG] ssl certs 





I have seen studies showing that ecommerce checkout/cart servers do have lower 
"abandon order" rates when using EV SSL. If you're going to have one billing 
server hostname that you fully control (eg: https://billing.ispname.com ) it 
might be worth

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
Also, listen to the cast. 

Well, or don't. It might make you think for yourself. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 5:14:32 PM 
Subject: Re: [AFMUG] ssl certs 





The score: 


Podcast with six people I've never heard of: 0 

Every network security expert currently active in the field: 1 


Confidential information aside, having 100% confidence that the content served 
up by your httpd will appear exactly as you intend it on the end user's browser 
is useful. There are too many shitty/unethical ISPs that do MITM and javascript 
injection on plaintext http now. 








On Mon, Apr 9, 2018 at 3:09 PM, Mike Hammett < af...@ics-il.net > wrote: 




Confidential data, sure. Billing portals, shopping carts, etc. sure.

The marketing materials on my web site? Why? 


The podcast I linked to goes into a lot of it. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Simon Westlake"  
To: af@afmug.com , af@afmug.com 
Sent: Monday, April 9, 2018 5:06:26 PM 
Subject: Re: [AFMUG] ssl certs 


Moving any kind of confidential data in the clear is irresponsible. 
Moving HTTP traffic across the Internet leaves you open to having the data 
modified, or having malicious Javascript injected. 


It's up to you whether or not you care about that, but it has been reduced to 
pasting 3 lines into a terminal to get a valid, automatically renewing 
certificate. It seems pointless not to when the benefits are tangible. 


-- Original Message -- 
From: "Mike Hammett" < af...@ics-il.net > 
To: af@afmug.com 
Sent: 4/9/2018 5:02:29 PM 
Subject: Re: [AFMUG] ssl certs 





Why? Why is any of that necessary? 

I have no intentions of inspecting anyone's traffic. I just don't find HTTPS 
everywhere necessary. I have yet to hear a viable reason to do it. 


OH NO! SOMEONE SAW MY WEB SITE!!! 


https://www.youtube.com/watch?v=18PbwYdjsps 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:59:23 PM 
Subject: Re: [AFMUG] ssl certs 



I offer a directly contradicting opinion, that it's foolish in the year 2018
to not implement end to end TLS wherever possible. The number of problems you 
can solve by avoiding things that maliciously MITM regular http traffic are 
considerable. The crypto libraries to do it properly (OpenSSL, etc for apache2 
and nginx) and Letsencrypt are free. 

The Internet is moving towards things like DNS-over-TLS. Mail transport between 
most properly configured smtpd now will use TLS1.2 (my Postfix smtpd negotiates 
TLS successfully with >98% of big ISP/cloud providers' smtpd clusters). If a 
WISP thinks that they "need" things to remain unencrypted so that they can more 
easily manage their traffic or inspect it, they'll be left behind in the 
dustbin of history. 






On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett < af...@ics-il.net > wrote: 




I didn't say it was hard. I said it was unnecessary, perhaps even foolish. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:54:05 PM 
Subject: Re: [AFMUG] ssl certs 


What's hard about doing TLS1.2 everywhere? Every web browser shipped or updated 
from mid-2012 onwards supports 1.2. The population of browsers that only 
support TLS1.0 and 1.1 is less than 1% now by most measurements of useragent on 
a large scale. 







On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett < af...@ics-il.net > wrote: 




"You should have https (TLS1.2) everywhere, on every sort of public facing 
httpd these days, with at least a letsencrypt certificate." 

We'll eventually have to because Google, etc. will make us, but it's extremely 
unnecessary. It's even foolish in many situations. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:49:01 PM 
Subject: Re: [AFMUG] ssl certs 





I have seen studies showing that ecommerce checkout/cart servers do have lower 
"abandon order" rates when using EV SSL. If you're going to have one billing 
server hostname that you fully control (eg: https://billing.ispname.com ) it 
might be worth it. 

Things like Paypal, online banking and other stuff do make extensive use of EV 
SSL. 

It used to cost $395/year, now it's $85/year 

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
Sounds like a great anti-trust case. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Seth Mattinen"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 5:12:36 PM 
Subject: Re: [AFMUG] ssl certs 

On 4/9/18 15:09, Mike Hammett wrote: 
> Confidential data, sure. Billing portals, shopping carts, etc. sure.
> 
> The marketing materials on my web site? Why? 
> 

Because one day at home after I moved, I tried to go to my own website 
and Charter intercepted the HTTP request to present me with their 
content instead of what I requested. Later that day I completed 
deploying Let's Encrypt on my sites because fuck them for thinking they 
can arbitrarily hijack an HTTP request for any reason. 

~Seth 



Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
Yeah I think I'll skip a 45 minute podcast that seems to have an
anti-crypto agenda, and continue reading the IETF mailing lists instead.
Standardization and implementation of TLS1.3 will continue onwards even if
the techno-luddites ignore its existence.


On Mon, Apr 9, 2018 at 3:19 PM, Mike Hammett  wrote:

> Also, listen to the cast.
>
> Well, or don't. It might make you think for yourself.

Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
A position so weak, it can't stand up to a discussion? How sad. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 5:22:40 PM 
Subject: Re: [AFMUG] ssl certs 


Yeah I think I'll skip a 45 minute podcast that seems to have an anti-crypto 
agenda, and continue reading the IETF mailing lists instead. Standardization 
and implementation of TLS1.3 will continue onwards even if the techno-luddites 
ignore its existence. 




On Mon, Apr 9, 2018 at 3:19 PM, Mike Hammett < af...@ics-il.net > wrote: 




Also, listen to the cast. 

Well, or don't. It might make you think for yourself. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 5:14:32 PM 
Subject: Re: [AFMUG] ssl certs 





The score: 


Podcast with six people I've never heard of: 0 

Every network security expert currently active in the field: 1 


Confidential information aside, having 100% confidence that the content served 
up by your httpd will appear exactly as you intend it on the end user's browser 
is useful. There are too many shitty/unethical ISPs that do MITM and javascript 
injection on plaintext http now. 










On Mon, Apr 9, 2018 at 3:09 PM, Mike Hammett < af...@ics-il.net > wrote: 




Confidential data, sure. Billing portals, shopping carts, etc. sure. 

The marketing materials on my web site? Why? 


The podcast I linked to goes into a lot of it. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Simon Westlake"  
To: af@afmug.com , af@afmug.com 
Sent: Monday, April 9, 2018 5:06:26 PM 
Subject: Re: [AFMUG] ssl certs 


Moving any kind of confidential data in the clear is irresponsible. 
Moving HTTP traffic across the Internet leaves you open to having the data 
modified, or having malicious Javascript injected. 


It's up to you whether or not you care about that, but it has been reduced to 
pasting 3 lines into a terminal to get a valid, automatically renewing 
certificate. It seems pointless not to when the benefits are tangible. 


-- Original Message -- 
From: "Mike Hammett" < af...@ics-il.net > 
To: af@afmug.com 
Sent: 4/9/2018 5:02:29 PM 
Subject: Re: [AFMUG] ssl certs 





Why? Why is any of that necessary? 

I have no intentions of inspecting anyone's traffic. I just don't find HTTPS 
everywhere necessary. I have yet to hear a viable reason to do it. 


OH NO! SOMEONE SAW MY WEB SITE!!! 


https://www.youtube.com/watch?v=18PbwYdjsps 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:59:23 PM 
Subject: Re: [AFMUG] ssl certs 



I offer a directly contradicting opinion, that it's foolish in the year 2018 
to not implement end to end TLS wherever possible. The number of problems you 
can solve by avoiding things that maliciously MITM regular http traffic are 
considerable. The crypto libraries to do it properly (OpenSSL, etc for apache2 
and nginx) and Letsencrypt are free. 

The Internet is moving towards things like DNS-over-TLS. Mail transport between 
most properly configured smtpd now will use TLS1.2 (my Postfix smtpd negotiates 
TLS successfully with >98% of big ISP/cloud providers' smtpd clusters). If a 
WISP thinks that they "need" things to remain unencrypted so that they can more 
easily manage their traffic or inspect it, they'll be left behind in the 
dustbin of history. 






On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett < af...@ics-il.net > wrote: 




I didn't say it was hard. I said it was unnecessary, perhaps even foolish. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Eric Kuhnke" < eric.kuh...@gmail.com > 
To: af@afmug.com 
Sent: Monday, April 9, 2018 4:54:05 PM 
Subject: Re: [AFMUG] ssl certs 


What's hard about doing TLS1.2 everywhere? Every web browser shipped or updated 
from mid-2012 onwards supports 1.2. The population of browsers that only 
support TLS1.0 and 1.1 is less than 1% now by most measurements of useragent on 
a large scale. 







On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett < af...@ics-il.net > wrote: 




"You should have https (TLS1.2) everywhere, on every sort of public facing 
httpd these days, with at least a letsencrypt certificate." 

We'll eventually have to because Google, etc. will make us, but it's extremely 
unnecessary. It's even foolish in many sit

Re: [AFMUG] ssl certs

2018-04-09 Thread Eric Kuhnke
The discussion has been hashed out quite thoroughly by people who are far
more knowledgeable about cryptography than you or I will ever be - about
twenty years ago, when SSL was first popularized. It's been continually
developed since then. The really funny thing is that you linked to an https
website for your URL promoting the credentials of that one specific dude,
in defense of your argument. Why isn't it plain http?


On Mon, Apr 9, 2018 at 3:24 PM, Mike Hammett  wrote:

> A position so weak, it can't stand up to a discussion? How sad.

Re: [AFMUG] ssl certs

2018-04-09 Thread Seth Mattinen

On 4/9/18 15:19, Mike Hammett wrote:

Sounds like a great anti-trust case.


Sure, but that's not something I can control and it's probably buried in 
their terms that you agree to it or whatever and it would take a lot of 
time and money to try and fight that legally. Or I can turn on HTTPS and 
go back to life and let someone else fight it.


Re: [AFMUG] ssl certs

2018-04-09 Thread Mike Hammett
Being really smart at cryptography has nothing to do with whether it needs to 
be encrypted or not in the first place. 

I'm not against encryption. Many things certainly require it. 

That URL is indicative of groupthink, not the case for HTTPS everywhere. 

https://en.wikipedia.org/wiki/Groupthink 

Why might Wikipedia want to HTTPS everything? Their mission is the 
dissemination of information to everywhere, including countries that have 
content filters. Of course that doesn't actually stop anyone from actually 
doing a MITM, it just increases the amount of resources required to do the job. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Eric Kuhnke"  
To: af@afmug.com 
Sent: Monday, April 9, 2018 5:27:25 PM 
Subject: Re: [AFMUG] ssl certs 



The discussion has been hashed out quite thoroughly by people who are far more 
knowledgeable about cryptography than you or I will ever be - about twenty 
years ago, when SSL was first popularized. It's been continually developed 
since then. The really funny thing is that you linked to an https website for 
your URL promoting the credentials of that one specific dude, in defense of 
your argument. Why isn't it plain http? 






Re: [AFMUG] ssl certs

2018-04-09 Thread Steve Jones
I'm not going to lie, I forgot that https is encrypted.

On Mon, Apr 9, 2018, 5:32 PM Mike Hammett  wrote:

> Being really smart at cryptography has nothing to do with whether it needs
> to be encrypted or not in the first place.
>
> I'm not against encryption. Many things certainly require it.
>
> That URL is indicative of groupthink, not the case for HTTPS everywhere.
>
> https://en.wikipedia.org/wiki/Groupthink
>
> Why might Wikipedia want to HTTPS everything? Their mission is the
> dissemination of information to everywhere, including countries that have
> content filters. Of course that doesn't actually stop anyone from actually
> doing a MITM, it just increases the amount of resources required to do the
> job.

Re: [AFMUG] ssl certs

2018-04-10 Thread Justin Wilson
If you are looking to make your site SSL enabled so Google doesn’t mark it as 
untrusted by June/July, here is the quick and dirty to make life easy.

1. Spin up a machine and install Webmin and Virtualmin on it.  This is very, very 
   easy for simple web-sites.  Lots of tutorials. 
2. Once you have your sites as domains in Virtualmin, you go to the SSL options 
   of each site, click a few buttons and you are done.  It goes out and requests a 
   certificate from LetsEncrypt, installs it in your webserver, and gives you the 
   option to install it in postfix, ftp, etc.  Very easy.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com
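
A way to confirm that the certificate requested by the steps above is the one actually being served, and how long it has left before it expires. This is an added example, not code from the thread: the host names, the 30-day threshold and the sample certificate are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: alert threshold chosen for this example


def days_until_expiry(not_after, now=None):
    """Whole days until the certificate's notAfter time (negative once expired).

    not_after uses the format returned by SSLSocket.getpeercert(),
    for example 'Jul  8 12:00:00 2018 GMT'.
    """
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    )
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def summarize(cert, tls_version, now=None):
    """Reduce a getpeercert() dict to the fields worth alerting on."""
    # issuer is a tuple of RDNs, each RDN a tuple of (key, value) pairs
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    days = days_until_expiry(cert["notAfter"], now)
    if days < 0:
        status = "EXPIRED"
    elif days < WARN_DAYS:
        status = "RENEW"
    else:
        status = "OK"
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "names": sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS"),
        "days_left": days,
        "status": status,
        "tls": tls_version,
    }


def check_host(host, port=443, timeout=5.0):
    """Connect, validate the chain and host name, refuse anything below TLS 1.2.

    Works for implicit-TLS ports (443, 465, 993). A failed validation or a
    server that only speaks TLS 1.0/1.1 raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarize(tls.getpeercert(), tls.version())


# Constructed sample in getpeercert() format, so the logic runs offline.
SAMPLE_CERT = {
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
    ),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "billing.example.net")),
    "notAfter": "Jul  8 12:00:00 2018 GMT",
}

if __name__ == "__main__":
    fixed_now = datetime(2018, 4, 10, 12, 0, 0, tzinfo=timezone.utc)
    print(summarize(SAMPLE_CERT, "TLSv1.2", fixed_now))
    # Live check against your own host (placeholder name):
    # print(check_host("billing.example.net"))
```

Run from cron against each name on the certificate, it catches the case where automatic renewal silently stopped working.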
