    How Big Will the Impact of Let's Encrypt Be?

      stacksofplates @JaredBusch

      @JaredBusch said:

      @johnhooks said:

      I still can't believe there aren't more people using the free StartSSL certificates. It is kind of a pain to get through the interface, but for the small amount of time it takes, it's a good trade-off.

      StartSSL is not easy compared to setting up Let's Encrypt. I use StartSSL in a number of places also. It is a solid choice, but Let's Encrypt will completely change things once they work out the kinks and get the automagic plugins for other systems besides Apache on Debian.

      Oh, most definitely. I haven't used it yet but the how-to made it look really simple. I guess I'm just more surprised there aren't more websites with SSL since it's available for free already.

      This is awesome though, esp since it can be scripted or used with an orchestration tool.

        coliver

        They are also talking about an easy-to-use auto-renew tool. Although looking at some of the command flags you could easily do this now without much issue.

          JaredBusch @stacksofplates

          @johnhooks said:

          @JaredBusch said:

          @johnhooks said:

          I still can't believe there aren't more people using the free StartSSL certificates. It is kind of a pain to get through the interface, but for the small amount of time it takes, it's a good trade-off.

          StartSSL is not easy compared to setting up Let's Encrypt. I use StartSSL in a number of places also. It is a solid choice, but Let's Encrypt will completely change things once they work out the kinks and get the automagic plugins for other systems besides Apache on Debian.

          Oh, most definitely. I haven't used it yet but the how-to made it look really simple. I guess I'm just more surprised there aren't more websites with SSL since it's available for free already.

          This is awesome though, esp since it can be scripted or used with an orchestration tool.

          SSL is not easy yet. Once Let's Encrypt is solid, I highly suspect that Apache and Nginx will eventually update to have SSL enabled by default. That is the kind of far-reaching impact that I expect out of Let's Encrypt.

            dafyre @stacksofplates

            @johnhooks Yepp! Just link /path/to/your/cert.crt to /etc/letsencrypt/live/your.domain.local/cert.pem and the same for the key / privkey.pem and set it to run every 30 to 60 days. And do your /happy dance.

            I haven't seen anything about this though... Is it available for Python on Windows or is it still strictly Linux only?

            coliverC 1 Reply Last reply Reply Quote 1
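The scheduled job described in the post above, as an added example that is not code from the thread: it links the server's configured paths to the live files and renews only when the certificate is inside a chosen window. The function names, the window and the renew command passed in by the caller are assumptions; the client's own command line is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the thread): the scheduled job around the
# /etc/letsencrypt/live/<domain>/ files. Function names, the renewal window
# and the renew command passed in by the caller are assumptions.

# Return 0 when the certificate ($1) expires within $2 days or cannot be read.
cert_needs_renewal() {
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Point the paths the web server is configured with ($2 cert, $3 key) at the
# live files in $1, so a renewal is picked up without editing server config.
link_live_cert() {
    [ -r "$1/cert.pem" ] && [ -r "$1/privkey.pem" ] || return 1
    ln -sfn "$1/cert.pem" "$2" && ln -sfn "$1/privkey.pem" "$3"
}

# Succeed only if the key file behind $1 (symlinks followed) is not readable
# by group or others.
key_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find -L "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# One scheduled run. usage: renew_if_due LIVE_DIR DAYS RENEW_COMMAND [ARGS...]
renew_if_due() {
    live=$1; window=$2; shift 2
    cert_needs_renewal "$live/cert.pem" "$window" || return 0   # not due yet
    "$@" || return 1                                            # client failed
    # A run that leaves a near-expiry cert in place should alert, not pass.
    ! cert_needs_renewal "$live/cert.pem" "$window"
}

# Example cron entry (hypothetical script path), weekly check, 30-day window:
# 0 3 * * 1 /usr/local/sbin/le-renew-check.sh
```

Checking weekly with a 30-day window gives several retries before the certificate lapses, and the web server still has to be reloaded after a successful renewal to pick up the new file.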
              coliver @dafyre

              @dafyre said:

              @johnhooks Yepp! Just link /path/to/your/cert.crt to /etc/letsencrypt/live/your.domain.local/cert.pem and the same for the key / privkey.pem and set it to run every 30 to 60 days. And do your /happy dance.

              I haven't seen anything about this though... Is it available for Python on Windows or is it still strictly Linux only?

              You could make the keys in Linux and move them to a Windows box. They don't seem to support Windows yet though.

                JaredBusch @coliver

                @coliver said:

                You could make the keys in Linux and move them to a Windows box. They don't seem to support Windows yet though.

                I am going to be doing that sometime this week in fact.

                  coliver @JaredBusch

                  @JaredBusch said:

                  @coliver said:

                  You could make the keys in Linux and move them to a Windows box. They don't seem to support Windows yet though.

                  I am going to be doing that sometime this week in fact.

                  Yep, I was looking at it earlier. The PEM keys look like they should be compatible with the Windows Certificate store.

                    dafyre @coliver

                    @coliver said:

                    @JaredBusch said:

                    @coliver said:

                    You could make the keys in Linux and move them to a Windows box. They don't seem to support Windows yet though.

                    I am going to be doing that sometime this week in fact.

                    Yep, I was looking at it earlier. The PEM keys look like they should be compatible with the Windows Certificate store.

                    Then the issue becomes scripting it in such a way that it can be automated on Windows too... Especially since the cert lifetime is only 90 days.

                      coliver @dafyre

                      @dafyre said:

                      @coliver said:

                      @JaredBusch said:

                      @coliver said:

                      You could make the keys in Linux and move them to a Windows box. They don't seem to support Windows yet though.

                      I am going to be doing that sometime this week in fact.

                      Yep, I was looking at it earlier. The PEM keys look like they should be compatible with the Windows Certificate store.

                      Then the issue becomes scripting it in such a way that it can be automated on Windows too... Especially since the cert lifetime is only 90 days.

                      Yep, that is a concern. I can probably work up a short script on Linux to move the files to a Windows box. Then write a PowerShell script to replace a certificate file and private key. I'm not sure if you can interact with the certificate store with PowerShell though.

                        dafyre @coliver

                        @coliver said:

                        @dafyre said:

                        @coliver said:

                        @JaredBusch said:

                        @coliver said:

                        You could make the keys in Linux and move them to a Windows box. They don't seem to support Windows yet though.

                        I am going to be doing that sometime this week in fact.

                        Yep, I was looking at it earlier. The PEM keys look like they should be compatible with the Windows Certificate store.

                        Then the issue becomes scripting it in such a way that it can be automated on Windows too... Especially since the cert lifetime is only 90 days.

                        Yep, that is a concern. I can probably work up a short script on Linux to move the files to a Windows box. Then write a PowerShell script to replace a certificate file and private key. I'm not sure if you can interact with the certificate store with PowerShell though.

                        It looks like it is possible... http://blogs.technet.com/b/scotts-it-blog/archive/2014/12/30/working-with-certificates-in-powershell.aspx

                        Not sure what version of PowerShell that is yet... I just glanced over the article and don't see any requirements... I would assume at least PS 3.0 (article was written Dec 30, 2014).

                        1 Reply Last reply Reply Quote 0
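For the Linux-to-Windows hand-off discussed above, one common way to carry a certificate together with its private key is a PKCS#12 (.pfx) bundle built on the Linux side. This is an added example, not code from the thread; the function names and the passphrase-file argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). File names follow the live/ directory
# mentioned earlier in the thread; function names and the passphrase-file
# argument are assumptions.

# Succeed only when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Bundle cert + key (+ optional chain) into a passphrase-protected PKCS#12 file.
# usage: pem_to_pfx cert.pem privkey.pem out.pfx passphrase_file [chain.pem]
# The passphrase is read from a file so it never appears in the process list.
pem_to_pfx() {
    key_matches_cert "$1" "$2" || {
        echo "key does not match certificate" >&2
        return 1
    }
    # The bundle contains the private key: create it readable by the owner only.
    old_umask=$(umask)
    umask 077
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" \
            -out "$3" -passout "file:$4"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -out "$3" -passout "file:$4"
    fi
    rc=$?
    umask "$old_umask"
    # Never leave a partial bundle behind on failure.
    [ "$rc" -eq 0 ] || rm -f "$3"
    return "$rc"
}
```

On the Windows side, a .pfx file can be loaded into the certificate store with the `Import-PfxCertificate` cmdlet; with a 90-day lifetime both halves need to be scheduled.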
                          JaredBusch

                          When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert or Let's Encrypt.

                          Either way, @Minion-Queen, just (make your minions) do it.

                            coliver @JaredBusch

                            @JaredBusch said:

                            When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert or Let's Encrypt.

                            Either way, @Minion-Queen, just (make your minions) do it.

                            Out of curiosity, what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

                              Alex Sage @coliver

                              @coliver To protect our login information

                                coliver @Alex Sage

                                @anonymous said:

                                @coliver To protect our login information

                                Right, but why? Do you use your login information for other more secure websites? That is a bad practice even when both websites are using encryption.

                                  JaredBusch @coliver

                                  @coliver said:

                                  @JaredBusch said:

                                  When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert or Let's Encrypt.

                                  Either way, @Minion-Queen, just (make your minions) do it.

                                  Out of curiosity, what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

                                  Because it is entirely possible to tie me to something by dropping a logging mechanism on anything on the internet through which my traffic passes on the journey to and from my computer and ML.

                                  This is one of the core reasons that Let's Encrypt even exists. Secure everything as it flies around the internet.

                                  Yes, ML is a public forum and a lot of user information is public by that very nature. But that does not mean everything should be public to every device on the way.

                                  I am more public than most as I purport (muhaha, am I really Jared Busch?) to use my real name here and not a pseudonym.

                                    dafyre

                                    Case in point... I work for a BIG IT department, where I don't have control over the Firewall, etc, etc. Anything I say can be read by the IPS system at the edge of the campus network, unless it is SSL encrypted (they can do MITM attacks to decrypt that, but they aren't right now).

                                      coliver @JaredBusch

                                      @JaredBusch said:

                                      @coliver said:

                                      @JaredBusch said:

                                      When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert or Let's Encrypt.

                                      Either way, @Minion-Queen, just (make your minions) do it.

                                      Out of curiosity, what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

                                      Because it is entirely possible to tie me to something by dropping a logging mechanism on anything on the internet through which my traffic passes on the journey to and from my computer and ML.

                                      This is one of the core reasons that Let's Encrypt even exists. Secure everything as it flies around the internet.

                                      Yes, ML is a public forum and a lot of user information is public by that very nature. But that does not mean everything should be public to every device on the way.

                                      I am more public than most as I purport (muhaha, am I really Jared Busch?) to use my real name here and not a pseudonym.

                                      I have no argument with encrypting everything (I am a supporter of it) but couldn't you be logged by a lower protocol even if the above traffic is encrypted?

                                        scottalanmiller @dafyre

                                        @dafyre said:

                                        Case in point... I work for a BIG IT department, where I don't have control over the Firewall, etc, etc. Anything I say can be read by the IPS system at the edge of the campus network, unless it is SSL encrypted (they can do MITM attacks to decrypt that, but they aren't right now).

                                        Really big ones tend to end the SSL at the wall so that they can see what is inside.

                                          JaredBusch @coliver

                                          @coliver said:

                                          @JaredBusch said:

                                          @coliver said:

                                          @JaredBusch said:

                                          When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert or Let's Encrypt.

                                          Either way, @Minion-Queen, just (make your minions) do it.

                                          Out of curiosity, what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

                                          Because it is entirely possible to tie me to something by dropping a logging mechanism on anything on the internet through which my traffic passes on the journey to and from my computer and ML.

                                          This is one of the core reasons that Let's Encrypt even exists. Secure everything as it flies around the internet.

                                          Yes, ML is a public forum and a lot of user information is public by that very nature. But that does not mean everything should be public to every device on the way.

                                          I am more public than most as I purport (muhaha, am I really Jared Busch?) to use my real name here and not a pseudonym.

                                          I have no argument with encrypting everything (I am a supporter of it) but couldn't you be logged by a lower protocol even if the above traffic is encrypted?

                                          If the traffic is encrypted, then nothing except my computer and the ML webserver or reverse proxy, if they use one, can know what is inside the packets.

                                          Because of that, say someone with an IPS will know that IP 10.2.1.36 on their network was talking to the IP for ML. But they will not be able to look at the logs and see any of my information to tie it to me.

                                          Obviously, in a corporate environment there are other ways to know who had what IP.

                                          But in a public environment, as long as your device is not using some identifiable hostname, you should have a solid expectation of basic privacy.

                                            JaredBusch @scottalanmiller

                                            @scottalanmiller said:

                                            Really big ones tend to end the SSL at the wall so that they can see what is inside.

                                            And if someone is worried about that, it is easily detectable.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 2
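How SSL termination at the firewall shows up from the client side, as an added example that is not part of the original posts: the inspecting device has to present its own certificate, so the certificate seen on the inspected network differs from one recorded over a trusted path. The function names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare the certificate a network
# hands you with a reference copy recorded over a path you trust.
# Saving the presented certificate (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#       | openssl x509 > seen.pem

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Issuer DN of a PEM certificate. An inspecting proxy signs with its own CA,
# so the issuer is the quickest tell.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//'
}

# Compare the certificate seen on this network ($1) with the reference ($2).
# Returns 0 on match, 1 on mismatch, 2 when either file cannot be parsed.
compare_presented_cert() {
    seen=$(cert_fingerprint "$1")
    ref=$(cert_fingerprint "$2")
    [ -n "$seen" ] && [ -n "$ref" ] || return 2
    if [ "$seen" = "$ref" ]; then
        echo "match: $seen"
        return 0
    fi
    echo "MISMATCH: presented certificate differs from reference"
    echo "  presented issuer: $(cert_issuer "$1")"
    echo "  reference issuer: $(cert_issuer "$2")"
    return 1
}
```

A mismatch with the same public issuer is usually a routine renewal, which happens often with 90-day certificates; a mismatch where the issuer is an internal CA points to inspection.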