| ▲ | Analemma_ 15 hours ago |
| I've seen people complain that Let's Encrypt is so easy that it's enabling the forced phaseout of long-lived certificates and unencrypted HTTP. I sort of understand this, although it does feel like going "bcrypt is so easy to use it's enabling standards agencies to force me to use something newer than MD5". Like, yeah, once the secure way is sufficiently easy to use, we can then push everyone off the insecure way; that's how it's supposed to work. |
|
| ▲ | mook 14 hours ago | parent | next [-] |
| Yeah, I hate how it made housing things locally without a proper domain name very difficult. My router _shouldn't_ have a globally recognized certificate, because it's not on a publicly visible host. There's certainly advantages to easily available certificates, but that has enabled browsers and others to push too far; to be sure, though, that's not really a fault of Let's Encrypt, just the people who assume it's somehow globally applicable. |
| |
| ▲ | crapple8430 11 hours ago | parent [-] |
| A related issue is that most consumer devices (both iPhone and current Android) make it impossible or extremely difficult to trust your own root CA for signing such certs. |
|
| ▲ | ingenium 7 hours ago | parent | next [-] |
| Android is pretty easy, you just add it to the keystore and that's it. I've had my own CA long before Let's Encrypt, but now mostly only use it for non-public devices that can't easily use Let's Encrypt (printers, switches, etc). |
|
| ▲ | crapple8430 6 hours ago | parent [-] |
| You can add it to your user CA store, but no app will trust it since it's treated differently from the system CA store, which you can't modify without root or building your own ROM. In effect it is out of reach for most normal users, as well as people using security focused ROMs like Graphene, when ironically it can improve security in transit in many cases. |
| |
| ▲ | iso1631 an hour ago | parent | prev [-] |
| I don't want to trust my own root CA as I don't trust myself to keep it secure. I want to import it only for a specific set of domains. "Allow this rootca to authenticate mydomain.com, addmanager.com, debuggingsite.com", which means even if compromised it won't be intercepting mybank.com |
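
The per-domain limit asked for in the comment above is what the X.509 name constraints extension (RFC 5280) expresses in a CA certificate; it only helps where the verifying client enforces it. The following is an added example, not part of the thread, of the dNSName matching rule; the function names are hypothetical and the permitted list is the one quoted in the comment.

```python
# Added illustration of RFC 5280 dNSName name-constraint matching.
# Function names are hypothetical; the domain list comes from the comment above.

PERMITTED = ["mydomain.com", "addmanager.com", "debuggingsite.com"]


def _labels(name):
    """Normalise a DNS name to a list of lower-case labels."""
    return name.rstrip(".").lower().split(".")


def within(name, subtree):
    """True if `name` equals `subtree` or adds whole labels to its left.

    Comparing label lists (not raw string suffixes) is what keeps
    'notmydomain.com' from satisfying a constraint of 'mydomain.com'.
    """
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


def ca_may_issue(name, permitted=None, excluded=()):
    """Apply permitted/excluded dNSName subtrees to one requested name.

    permitted=None models a CA certificate without permittedSubtrees,
    which leaves the CA unrestricted apart from its exclusions.
    """
    if any(within(name, s) for s in excluded):
        return False  # an excluded subtree overrides any permitted one
    if permitted is None:
        return True
    return any(within(name, s) for s in permitted)


def audit(names, permitted=None, excluded=()):
    """Map each requested name to the decision a validating client would make."""
    return {n: ca_may_issue(n, permitted, excluded) for n in names}


if __name__ == "__main__":
    # Constructed sample names, including look-alikes of a permitted domain.
    sample = ["www.mydomain.com", "mybank.com", "notmydomain.com",
              "mydomain.com.evil.example", "MyDomain.COM."]
    for name, ok in audit(sample, PERMITTED).items():
        print(f"{name:28} {'accept' if ok else 'reject'}")
```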
|
| ▲ | rplnt 12 hours ago | parent | prev | next [-] |
| Random anecdote: I have a device in which the http client can't handle https. Runs out of memory and crashes. Wasn't able to find a free host with a public http to host a proxy. |
| |
|
| ▲ | mschuster91 15 hours ago | parent | prev | next [-] |
| > Like, yeah, once the secure way is sufficiently easy to use, we can then push everyone off the insecure way; that's how it's supposed to work. |
| The problem is that this requires work and validation, which no beancounter ever plans for. And the underlings have to do the work, but don't get extra time, so it has to be crammed in, condensing the workday even more. For hobbyist projects it's even worse. That is why people are so pissed, there is absolutely zero control over what the large browser manufacturers decide on a whim. It's one thing if banks or Facebook or other truly large entities get to do work... but personal blogs and the likes? |
| |
| ▲ | crote 11 hours ago | parent | next [-] |
| We've reached a point where securing your hobby projects essentially means setting the "use_letsencrypt = true" config option in your web server. I bet configuring it takes less time than you spent reading this HN thread. And with regards to the beancounters: that is exactly why the browsers are pushing for it. Most companies aren't willing to put time and effort into proper certificate handling procedures. The only way to get them to secure their shit is by forcing them: do it properly, or your website will go offline. And as it turns out, security magically gets a lot more attention when ignoring it has a clear and direct real-world impact. |
|
| ▲ | bigstrat2003 10 hours ago | parent | prev | next [-] |
| > That is why people are so pissed, there is absolutely zero control over what the large browser manufacturers decide on a whim. It's one thing if banks or Facebook or other truly large entities get to do work... but personal blogs and the likes? |
| Yep. There are plenty of things on the Internet for which TLS provides zero value. It is absolutely nonsensical to try to force them into using it, but the browser community is hell bent on making that bad decision. It is what it is. |
|
| ▲ | nottorp 14 hours ago | parent | prev [-] |
| > but personal blogs and the likes? |
| Yep, the result of the current security hysteria/theater is it makes it increasingly difficult to maintain an independent web presence. Yes, I know, you can just use Cloudflare and depend on it... |
|
| ▲ | Ferret7446 14 hours ago | parent | next [-] |
| TLS only takes a few minutes to add to a self hosted solution, just plop caddy in front of your server |
|
| ▲ | eastbound 14 hours ago | parent | prev [-] |
| Cloudflare uses HTTP to connect to your website before caching the content. I’ve always found it highly insecure. You could have HTTPS with Letsencrypt, but you need to deactivate Cloudflare when you want to renew (or use the other validation that is complex enough that I didn’t succeed in doing it). |
|
| ▲ | nottorp 13 hours ago | parent | next [-] |
| Don't pick on this particular SSL requirement, pick on the deluge of requirements that only make sense for a site that sells something or handles personal data (i.e. has accounts). They get extended to $RANDOM_SITE that only serves static text and the occasional cat photo for no good reason except "your cats will be more secure!". |
|
| ▲ | ptsd_isv 11 hours ago | parent [-] |
| GP: At least on business plans this is incorrect, it defaults to (last time I checked) accepting any SSL certificate including self signed from edge to origin and it’s a low friction option to enforce either valid or provided CA/PubKey certs for the same path. |
| Parent: those innocuous cat photos are fine in the current political climate… “First they came for the cat pic viewers, but I did not speak up…” |
|
| ▲ | nottorp 4 hours ago | parent [-] |
| Wrong metaphor though? How does SSL on a -ing public site protect you from being arrested by miniluv? It’s public, you want everyone to see the cat photos, that’s why you set up the site. On the contrary, SSL certs mean another party through which miniluv can track you. They prove or are supposed to prove identity not hide it. |
|
| |
| ▲ | AnonC 9 hours ago | parent | prev [-] |
| The statement that Cloudflare uses HTTP to connect to your website can be false depending on how you configure it. For years, I have had personal websites with Cloudflare as the CDN and with Let’s Encrypt providing certificates on the web server. All I do is choose Full (Strict) in the TLS settings on Cloudflare. So the connection between the end user to Cloudflare and from Cloudflare to my web server are on HTTPS. No deactivation of Cloudflare required on my end during renewal (my web host, like many others, has the certificate generation automated and getting a TLS certificate is just a toggle on my admin dashboard). |
|
| ▲ | foresto 14 hours ago | parent | prev [-] |
| I can understand this in certain contexts, such as a site that exists solely to post public information of no value to an attacker. A local volunteer group that posts their event schedule to the web were compelled to take on the burden of https just to keep their site from being labeled as a potential threat. They don't have an IT department. They aren't tech people. The change multiplied the hassles of maintaining their site. To them, it is all additional cost with no practical benefit over what they had before. |
| |
| ▲ | cortesoft 12 hours ago | parent | next [-] |
| The work and technical expertise to set up Let's Encrypt is less than the work to register a domain, set up a web server, and configure DNS to point to it. |
|
| ▲ | foresto 11 hours ago | parent [-] |
| You seem to have missed what I wrote in the first place: They aren't tech people. It is additional work, and requires additional knowledge. It was also not available from most of the free web hosts that sites like these used before the https push. So investigating alternatives and migrating were required. In other words, still more work. |
| |
| ▲ | charcircuit 14 hours ago | parent | prev [-] |
| This is why more and more organizations get away with only having social media pages where they don't have to worry about security or other technical issues. |
|
| ▲ | foresto 13 hours ago | parent [-] |
| Unfortunately, placing the information on a social media page burdens the people seeking it with either submitting to the social media site's policies and practices, or else not having access to it. This is not a good substitute. It also contributes to the centralization of the web, placing more information under the control of large gatekeepers, and as a side effect, giving those gatekeepers even more influence. |
|
| ▲ | charcircuit 11 hours ago | parent [-] |
| Most social media are free and easy to sign up for taking under a minute to do and have user bases that can be measured in the billions. Most people in the world are willing to follow the rules. Most people don't use social media via the web. They use it via dedicated apps. I think it's natural that people who don't want to deal with the tech side of things will outsource it to someone else. The idea that everyone will host their own tech is unrealistic. |
|
| ▲ | tialaramex 11 hours ago | parent [-] |
| For now, in some jurisdictions, social media is "free" for your customers in the sense that it's supported by advertising. It's not free for you of course because advertising isn't free and from their point of view what you'd be getting is free advertising so they want you to pay them to put it in front of your customers. |
|
| ▲ | charcircuit 9 hours ago | parent [-] |
| You don't have to advertise to have your company's posts gain traction on social media. |
|