The point is, there's a lot of stuff that contains absolutely no
confidential data, and there's no reason whatsoever why anyone would care
if it was ever intercepted and nobody is going to ever want to modify it...
but for some reason, the popular opinion seems to be that it's a good idea
to try to force everyone to encrypt it anyway.

On Mon, Apr 9, 2018 at 5:09 PM, Mike Hammett <af...@ics-il.net> wrote:

> Confidential data, sure. Billing portals, shopping carts, etc. sure.
>
> The marketing materials on my web site? Why?
>
>
> The podcast I linked to goes into a lot of it.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Simon Westlake" <simon@sonar.software>
> *To: *af@afmug.com, af@afmug.com
> *Sent: *Monday, April 9, 2018 5:06:26 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> Moving any kind of confidential data in the clear is irresponsible.
> Moving HTTP traffic across the Internet leaves you open to having the data
> modified, or having malicious JavaScript injected.
>
> It's up to you whether or not you care about that, but it has been reduced
> to pasting 3 lines into a terminal to get a valid, automatically renewing
> certificate. It seems pointless not to when the benefits are tangible.
>
> ------ Original Message ------
> From: "Mike Hammett" <af...@ics-il.net>
> To: af@afmug.com
> Sent: 4/9/2018 5:02:29 PM
> Subject: Re: [AFMUG] ssl certs
>
> Why? Why is any of that necessary?
>
> I have no intentions of inspecting anyone's traffic. I just don't find
> HTTPS everywhere necessary. I have yet to hear a viable reason to do it.
>
>
> OH NO!  SOMEONE SAW MY WEB SITE!!!
>
>
> https://www.youtube.com/watch?v=18PbwYdjsps
>
>
>
> -----
> Mike Hammett
> ------------------------------
> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Monday, April 9, 2018 4:59:23 PM
> *Subject: *Re: [AFMUG] ssl certs
>
> I offer a directly contradicting opinion, that it's foolish in the year
> 2018 to not implement end to end TLS wherever possible. The number of
> problems you can solve by avoiding things that maliciously MITM regular
> http traffic are considerable. The crypto libraries to do it properly
> (OpenSSL, etc for apache2 and nginx) and Letsencrypt are free.
>
> The Internet is moving towards things like DNS-over-TLS. Mail transport
> between most properly configured smtpd now will use TLS1.2 (my Postfix
> smtpd negotiates TLS successfully with >98% of big ISP/cloud providers'
> smtpd clusters). If a WISP thinks that they "need" things to remain
> unencrypted so that they can more easily manage their traffic or inspect
> it, they'll be left behind in the dustbin of history.
>
>
> On Mon, Apr 9, 2018 at 2:55 PM, Mike Hammett <af...@ics-il.net> wrote:
>
>> I didn't say it was hard. I said it was unnecessary, perhaps even foolish.
>>
>>
>>
>> -----
>> Mike Hammett
>> ------------------------------
>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>> *To: *af@afmug.com
>> *Sent: *Monday, April 9, 2018 4:54:05 PM
>> *Subject: *Re: [AFMUG] ssl certs
>>
>> What's hard about doing TLS1.2 everywhere?  Every web browser shipped or
>> updated from mid-2012 onwards supports 1.2.  The population of browsers
>> that only support TLS1.0 and 1.1 is less than 1% now by most measurements
>> of useragent on a large scale.
>>
>>
>>
>> On Mon, Apr 9, 2018 at 2:51 PM, Mike Hammett <af...@ics-il.net> wrote:
>>
>>> "You should have https (TLS1.2) everywhere, on every sort of public
>>> facing httpd these days, with at least a letsencrypt certificate."
>>>
>>> We'll eventually have to because Google, etc. will make us, but it's
>>> extremely unnecessary. It's even foolish in many situations.
>>>
>>>
>>>
>>> -----
>>> Mike Hammett
>>> ------------------------------
>>> *From: *"Eric Kuhnke" <eric.kuh...@gmail.com>
>>> *To: *af@afmug.com
>>> *Sent: *Monday, April 9, 2018 4:49:01 PM
>>> *Subject: *Re: [AFMUG] ssl certs
>>>
>>> I have seen studies showing that ecommerce checkout/cart servers do have
>>> lower "abandon order" rates when using EV SSL. If you're going to have one
>>> billing server hostname that you fully control (eg:
>>> https://billing.ispname.com) it might be worth it.
>>>
>>> Things like Paypal, online banking and other stuff do make extensive use
>>> of EV SSL.
>>>
>>> It used to cost $395/year, now it's $85/year and dropping in price
>>> further.
>>>
>>> The big change coming in both Chrome and Firefox is that any non-https
>>> page will soon be marked as "Insecure" in the URL/address bar. You should
>>> have https (TLS1.2) everywhere, on every sort of public facing httpd these
>>> days, with at least a letsencrypt certificate.
>>>
>>>
>>>
>>> On Mon, Apr 9, 2018 at 1:20 PM, Simon Westlake <simon@sonar.software>
>>> wrote:
>>>
>>>> In 99.9% of cases, EV is useless. If you are going to educate your
>>>> customers religiously to look not only for the green padlock, but for your
>>>> name in the address bar, maybe it's worthwhile. Most people don't look or
>>>> care. Google doesn't have an EV cert. Neither does Microsoft or Facebook.
>>>> My power company doesn't. Most insurance companies don't.
>>>>
>>>> The only place I've seen them used heavily is in the financial sector,
>>>> and I'd guess that's more about CYA than technical value.
>>>>
>>>> ------ Original Message ------
>>>> From: "Eric Kuhnke" <eric.kuh...@gmail.com>
>>>> To: af@afmug.com
>>>> Sent: 4/9/2018 3:03:38 PM
>>>> Subject: Re: [AFMUG] ssl certs
>>>>
>>>> these days there are essentially two types of SSL cert, DV and EV
>>>>
>>>> DV = domain validated. anyone can get one. this is the same idea for
>>>> the $9 SSL certs and free letsencrypt. you only need to prove you control
>>>> the domain/server it's issued for.
>>>>
>>>> EV = extended validation, you need to prove your corporate identity.
>>>> should cost around $85/year.
>>>>
>>>> EV will result in the big green banner with company name in most modern
>>>> web browsers.
>>>>
>>>> https://www.google.com/search?client=ubuntu&channel=fs&q=EV+SSL+certificate&ie=utf-8&oe=utf-8
>>>>
>>>> On Mon, Apr 9, 2018 at 11:59 AM, Steve Jones <thatoneguyst...@gmail.com> wrote:
>>>>
>>>>> tbh, I'm not really looking for alternative sources, I'm asking advice
>>>>> on what I need in a certificate
>>>>>
>>>>> On Mon, Apr 9, 2018 at 1:52 PM, Cameron Crum <cc...@murcevilo.com>
>>>>> wrote:
>>>>>
>>>>>> ssls.com
>>>>>>
>>>>>> On Mon, Apr 9, 2018 at 1:02 PM, Steve Jones <thatoneguyst...@gmail.com> wrote:
>>>>>>
>>>>>>> I'm no webdude is the main reason. I know a lot of people use it,
>>>>>>> phishermen love them. They're "trusted, but not verified" which, to no
>>>>>>> webdude me, says "IT WILL BECOME UNTRUSTED". I hate godaddy, but they're
>>>>>>> not likely to become untrusted, so it's not something I'd have to deal
>>>>>>> with with little to no knowledge. plus I don't understand this 90 day
>>>>>>> thing
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 9, 2018 at 12:08 PM, Mike Hammett <af...@ics-il.net>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Can you use Let's Encrypt?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -----
>>>>>>>> Mike Hammett
>>>>>>>> ------------------------------
>>>>>>>> *From: *"Steve Jones" <thatoneguyst...@gmail.com>
>>>>>>>> *To: *af@afmug.com
>>>>>>>> *Sent: *Monday, April 9, 2018 12:07:04 PM
>>>>>>>> *Subject: *[AFMUG] ssl certs
>>>>>>>>
>>>>>>>> Our current cert for our billing server (powercode) is about to
>>>>>>>> expire. For some time web browsers have been throwing up the insecure
>>>>>>>> flag, probably needed to update it.
>>>>>>>>
>>>>>>>> What does a guy need in a certificate these days? godaddy is where
>>>>>>>> we have it from, they have all kinds of options like green bar
>>>>>>>> guarantee cert, etc.
>>>>>>>>
>>>>>>>> I have thought about getting one that's good for more than one page,
>>>>>>>> just to get rid of the annoying security screen on our management port
>>>>>>>> and mobile. but the wildcard cert seems more pricey than I'd prefer for
>>>>>>>> something that's just convenient rather than needed
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
>
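
The thread's practical questions (DV versus EV, the 90-day lifetime, one certificate for several hostnames) can be read straight off a parsed certificate. The following Python is an added example, not code from any poster; the sample certificates, hostnames and dates are constructed, and classifying by subject fields is a heuristic, not a check of the CA's policy OIDs.

```python
import ssl
from datetime import datetime, timezone

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert();
# every hostname, organization and date below is made up for illustration.
DV_CERT = {
    "subject": ((("commonName", "isp.example"),),),
    "notAfter": "Jul  8 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "isp.example"), ("DNS", "*.isp.example")),
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example ISP Inc"),),
        (("commonName", "billing.isp.example"),),
    ),
    "notAfter": "Apr  9 12:00:00 2019 GMT",
    "subjectAltName": (("DNS", "billing.isp.example"),),
}

def validation_level(cert):
    """Heuristic on subject fields: DV names no organization, EV adds identity fields."""
    fields = {key for rdn in cert["subject"] for key, _ in rdn}
    if "organizationName" not in fields:
        return "DV"
    ev_only = {"businessCategory", "serialNumber", "jurisdictionCountryName"}
    return "EV" if ev_only <= fields else "OV"  # OV: organization named, not EV

def days_left(cert, now):
    """Whole days from `now` (epoch seconds) until notAfter."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def covers(cert, host):
    """True if a DNS subjectAltName matches; '*' stands for exactly one leftmost label."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind == "DNS" and (name == host or (
                name.startswith("*.") and host.partition(".")[2] == name[2:])):
            return True
    return False

if __name__ == "__main__":
    now = datetime(2018, 4, 9, 12, tzinfo=timezone.utc).timestamp()
    for cert in (DV_CERT, EV_CERT):
        print(validation_level(cert), days_left(cert, now),
              [h for h in ("billing.isp.example", "mgmt.isp.example") if covers(cert, h)])
```

To inspect a live server instead of the samples, pass the dict from `getpeercert()` on a verified `ssl` connection to the same three functions.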
