←back to thread

512 points gslin | 2 comments | | HN request time: 0.419s | source
Show context
pests ◴[] No.42191619[source]
It feels like just yesterday I was paying for certs, or worst, just running without.

Can't believe its been ten years.

replies(1): >>42191666 #
ozim ◴[] No.42191666[source]
Can’t believe there are still anti TLS weirdos.
replies(7): >>42191688 #>>42191718 #>>42191893 #>>42192714 #>>42192733 #>>42193057 #>>42193614 #
dijit ◴[] No.42191688[source]
The digital equivalent of a local kebab shop menu does not need encryption.

The lack of understanding from us as technologists for people who would have had a working site and are now forced into either: an oligopoly of site hosting companies, or, for their site to break consistently as TLS standards rotate is one thing that brings me shame about our community.

You can come up with all kinds of reasons to gatekeep website hosting, “they have to update anyway” even when updating means reinstallion of an OS, “its not that hard to rotate” say people with deep knowledge of computers, “just get someone else to do it” say people who have a financial interest in it being that way.

Framing people with legitimate issues as weirdo’s is not as charming as you think it is.

replies(6): >>42191746 #>>42191752 #>>42191760 #>>42191778 #>>42191785 #>>42191894 #
serbuvlad ◴[] No.42191894[source]
I'm really curious as to what you see as the disadvantages of TLS. Sure, the advantages are minor for some services and critical for other services.

However, if you already have bought a domain name, the cost of setting up TLS is basically 0. You just run certbot and give it the domains you want to license. It will set up auto-renew and even edit your Apache/NGINX configs to enable TLS.

Sure, TLS standards rotate. But that just means you have to update Apache/NGINX every like 5 years. Hardly a barrier for most people imo.

replies(2): >>42191948 #>>42192097 #
dijit ◴[] No.42191948[source]
Its better than it was, but TLS has a lot more knobs to fail than even a basic http server does; theres a whole host of handoff thats happening and running multiple sites is fraught with minor issues.

certbot is a python program, better hope it keeps working- it’s definitely not kept working for me and I’m a seasoned sysadmin. a combination of my python environment becoming outdated (making updates impossible) and a deprecation of a critical API needed for it to work.

The #1 cause of issues with a hobby website: darkscience.net is that it refuses to negotiate on Chrome because the TLS suites are considered too old, yet in 2020 I was scoring A+ on Qualys SSL report.

Its just time, time and effort and its wasted mostly.

The letsencrypt tools are really wonderful, just pray they don’t break, and be ready to reinstall everything from scratch at some point.

replies(3): >>42192214 #>>42192993 #>>42195878 #
1. usr1106 ◴[] No.42192214[source]
> certbot is a python program, better hope it keeps working

There is also https://github.com/srvrco/getssl which is a bash script. I have lightly audited it years ago and it did not seem to upload your private keys anywhere... I've used it occasionally, but I don't let it run as root, so I need to copy the retrieved certs into the the server config manually.

replies(1): >>42192231 #
2. dijit ◴[] No.42192231[source]
Theres a bunch of alternative clients and I’ve tried many.

Larger point is regarding the fact that its required for what amounts to a poster on a wall: yes, someone can come along with a pen an alter the poster- but its not worth the effort to secure for most people and will degrade rapidly with such security too.

So, instead they turn to middlemen, or don’t bother.

Theres a myriad of other issues, but, its not as easy as we claim.