ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    How Big Will the Impact of Lets Encrypt Be?

    Scheduled Pinned Locked Moved News
    securitylets encryptlinux
    57 Posts 11 Posters 17.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch @coliver
      last edited by

      @coliver said:

      @JaredBusch said:

      When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert of Let's Encrypt.

      Either way, @Minion-Queen , just (make your minions) do it.

      Out of curiosity what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

      Because it is entirely possible to tie me to something by dropping a logging mechanism on anything on the internet through which my traffic passes on the journey to and from my computer and ML.

      This is one of the core reasons that Let's Encrypt even exists. Secure everything as it flies around the internet.

      Yes, ML is a public forum and a lot of user information is public by that very nature. But that does not mean everything should be public to every device on the way.

      I am more public than most as I purport (muhaha, am I really Jared Busch?) to use my real name here and not a pseudonym.

      coliverC 1 Reply Last reply Reply Quote 1
      • dafyreD
        dafyre
        last edited by

        Case in point... I work for a BIG IT department, where I don't have control over the Firewall, etc, etc. Anything I say can be read by the IPS system at the edge of the campus network, unless it is SSL encrypted (they can do MITM attacks to decrypt that, but they aren't right now).

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • coliverC
          coliver @JaredBusch
          last edited by

          @JaredBusch said:

          @coliver said:

          @JaredBusch said:

          When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert of Let's Encrypt.

          Either way, @Minion-Queen , just (make your minions) do it.

          Out of curiosity what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

          Because it is entirely possible to tie me to something by dropping a logging mechanism on anything on the internet through which my traffic passes on the journey to and from my computer and ML.

          This is one of the core reasons that Let's Encrypt even exists. Secure everything as it flies around the internet.

          Yes, ML is a public forum and a lot of user information is public by that very nature. But that does not mean everything should be public to every device on the way.

          I am more public than most as I purport (muhaha, am I really Jared Busch?) to use my real name here and not a pseudonym.

          I have no argument with encrypting everything (I am a supporter of it) but couldn't you be logged by a lower protocol even if the above traffic is encrypted?

          JaredBuschJ 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @dafyre
            last edited by

            @dafyre said:

            Case in point... I work for a BIG IT department, where I don't have control over the Firewall, etc, etc. Anything I say can be read by the IPS system at the edge of the campus network, unless it is SSL encrypted (they can do MITM attacks to decrypt that, but they aren't right now).

            Really big ones tend to end the SSL at the wall so that they can see what is inside.

            JaredBuschJ 1 Reply Last reply Reply Quote 1
            • JaredBuschJ
              JaredBusch @coliver
              last edited by

              @coliver said:

              @JaredBusch said:

              @coliver said:

              @JaredBusch said:

              When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert of Let's Encrypt.

              Either way, @Minion-Queen , just (make your minions) do it.

              Out of curiosity what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

              Because it is entirely possible to tie me to something by dropping a logging mechanism on anything on the internet through which my traffic passes on the journey to and from my computer and ML.

              This is one of the core reasons that Let's Encrypt even exists. Secure everything as it flies around the internet.

              Yes, ML is a public forum and a lot of user information is public by that very nature. But that does not mean everything should be public to every device on the way.

              I am more public than most as I purport (muhaha, am I really Jared Busch?) to use my real name here and not a pseudonym.

              I have no argument with encrypting everything (I am a supporter of it) but couldn't you be logged by a lower protocol even if the above traffic is encrypted?

              If the traffic is encrypted, then nothing except my computer and the ML webserver or reverse proxy, if they use one, can know what is inside the packets.

              Because of that, say someone with an IPS will know that IP 10.2.1.36 on their network was talking to the IP for ML. But they will not be able to look at the logs and see any of my information to tie it to me.

              Obviously, in a corporate environment there are other ways to know who had what IP.

              But in a public environment, as long as your device is not using some identifiable hostname, you should have a solid expectation of basic privacy.

              1 Reply Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch @scottalanmiller
                last edited by

                @scottalanmiller said:

                Really big ones tend to end the SSL at the wall so that they can see what is inside.

                And if someone is worried about that, it is easily detectable.

                scottalanmillerS 1 Reply Last reply Reply Quote 2
                • scottalanmillerS
                  scottalanmiller @JaredBusch
                  last edited by

                  @JaredBusch said:

                  @scottalanmiller said:

                  Really big ones tend to end the SSL at the wall so that they can see what is inside.

                  And if someone is worried about that, it is easily detectable.

                  yes, if you control your desktop.

                  JaredBuschJ 1 Reply Last reply Reply Quote 0
                  • A
                    Alex Sage
                    last edited by

                    http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446

                    1 Reply Last reply Reply Quote 0
                    • A
                      Alex Sage
                      last edited by Alex Sage

                      Do you think shared hosting company's will adopt this for there customers or will they want to keep trying to get them to buy certs from them?

                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                      • A
                        Alex Sage
                        last edited by

                        Will major company's start to adopt it? Banks? Microsoft? Google?

                        1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          @JaredBusch said:

                          @scottalanmiller said:

                          Really big ones tend to end the SSL at the wall so that they can see what is inside.

                          And if someone is worried about that, it is easily detectable.

                          yes, if you control your desktop.

                          If you do not control your desktop, then there is not point in any expectation of privacy of any kind, so that is not even a concern.

                          dafyreD 1 Reply Last reply Reply Quote 1
                          • JaredBuschJ
                            JaredBusch @Alex Sage
                            last edited by

                            @anonymous said:

                            Do you think shared hosting company's will adopt this for there customers or will they want to keep trying to get them to buy certs from them?

                            I think if the existing shared hosts do not start to offer it, you will find new shared hosts becoming popular. I fully believe that more than one of the existing shared hosts will go under when people abandon them for not doing so when their existing competitors do.

                            1 Reply Last reply Reply Quote 1
                            • dafyreD
                              dafyre @JaredBusch
                              last edited by

                              @JaredBusch said:

                              @scottalanmiller said:

                              @JaredBusch said:

                              @scottalanmiller said:

                              Really big ones tend to end the SSL at the wall so that they can see what is inside.

                              And if someone is worried about that, it is easily detectable.

                              yes, if you control your desktop.

                              If you do not control your desktop, then there is not point in any expectation of privacy of any kind, so that is not even a concern.

                              Quite right. I was shocked when I got here. First day boss said "What OS?"

                              I said Server 2012. "Join it to the domain?"

                              He said "Nope."

                              So I have complete and total control over my machine. Plus thanks to new security restrictions, I have to encrypt all of my drives with bitlocker. If I walk away from this machine, nobody can access it but me... Unless they want to format it, lol.

                              A 1 Reply Last reply Reply Quote 2
                              • A
                                Alex Sage @dafyre
                                last edited by

                                @dafyre What happens if you lose your password? I hope you have the recovery key?

                                dafyreD 1 Reply Last reply Reply Quote 0
                                • dafyreD
                                  dafyre @Alex Sage
                                  last edited by

                                  @anonymous Saved on a jump drive. However, I have that password and know it well... It is not likely that I'll lose it. 🙂 ... but I am also not perfect, so I have a plan B available!

                                  1 Reply Last reply Reply Quote 1
                                  • DashrenderD
                                    Dashrender @coliver
                                    last edited by

                                    @coliver said:

                                    @JaredBusch said:

                                    When is ML going to have SSL? There is really not any reason not to do it. Either StartSSL for a 1 year cert of Let's Encrypt.

                                    Either way, @Minion-Queen , just (make your minions) do it.

                                    Out of curiosity what is the driver for ML to be encrypted? It isn't highly sensitive data and your password shouldn't be the same as anywhere else. I could understand from a reputation point-of-view but I don't, necessarily, see the technical one.

                                    The driver for me is to encrypt everything on the internet. Due to the load on something like Netflix.... I give them a pass.... But the rest, just do it.

                                    1 Reply Last reply Reply Quote 1
                                    • JaredBuschJ
                                      JaredBusch
                                      last edited by

                                      Windows client in the works here
                                      https://github.com/ebekker/ACMESharp/releases

                                      1 Reply Last reply Reply Quote 2
                                      • A
                                        Alex Sage
                                        last edited by

                                        https://gethttpsforfree.com/

                                        JaredBuschJ 1 Reply Last reply Reply Quote 1
                                        • JaredBuschJ
                                          JaredBusch @Alex Sage
                                          last edited by

                                          @anonymous said:

                                          https://gethttpsforfree.com/

                                          I don't understand why anyone would use a site like that. Let's Encrypt certificates have to be renewed every 90 days (and the recommend that you do it every 60 in case of errors).

                                          1 Reply Last reply Reply Quote 0
                                          • jospoortvlietJ
                                            jospoortvliet Vendor
                                            last edited by

                                            A big benefit of Letsencrypt is the automation. The automation on a server box was already mentioned, but it goes further than that: you can create a VM or a liveCD or a docker container etc to distribute your server application and use Letsencrypt. Unlike today, you won't have to use a self-signed certificate or let the receiver of the VM add one by hand, you can generate one with Letsencrypt on the fly! That is a game changer for ISV's who want to simplify deployment for small business customers, really.

                                            We intend to use it in our official ownCloud VM's (for home users and SMB) and it is also super interesting for our collaboration with Western Digital on creating a self hosting device based on a Raspberry Pi 2. And I'm looking forward to getting it on my server - right now, openSUSE isn't supported, I hope they take care of that soon.

                                            JaredBuschJ 1 Reply Last reply Reply Quote 5
                                            • 1
                                            • 2
                                            • 3
                                            • 3 / 3
                                            • First post
                                              Last post