It saves me from the implementation details, this way I don't need to wear another engineer/sysadmin hat. I think the website content is more important than the SSL implementation!
Indeed! It's how security should work, and should be the default dual-goal of any piece of security software: provide as much security as possible to as many people as possible.
Having people do things without understanding what exactly they are doing is a good way to create a website with a very good ssl certificate and their private key available on the website itself… or similar issues.
So for one, if you're looking for an actual answer, dial it down a few notches. Your post is 18 minutes old as of me writing and you're already boasting about a lack of replies.
Two, you're likely misunderstanding the purpose of SSL and Let's Encrypt. It's not to protect you against the site you're talking to, it's to prevent man in the middle attacks on the way. It ensures you can't walk into a starbucks for an hour and walk away with dozens of facebook logins.
Lastly, the big players don't use Let's Encrypt for reliability and customer service purposes. If you run a blog and your cert screws up, the 3 people visitng your site that week will have to click a few extra buttons to get in.
If you're a microsoft, that can mean thousands if not millions of users hitting this wall they expect not to have, leading to huge costs for customer support and occassionally deeper issues updating certificates. Exactly the same reason Bank of America doesn't use godaddy.com for their domain name.
Before Let's Encrypt, certs cost money from certificate authorities, so not many smaller companies would bother. Now it's streamlined enough that browsers throw scary warnings if you don't have it, which is a massive improvement for everyone using the web.
> Before Let's Encrypt, certs cost money from certificate authorities, so not many smaller companies would bother. Now it's streamlined enough that browsers throw scary warnings if you don't have it, which is a massive improvement for everyone using the web.
But should they? I never had any issues running an internet site before this was required. A blog doesn't need SSL. Why are ISP's not more scrutinized to ensure that MITM doesn't happen? Why is it put upon the admin? My blog from 2005 was never hit with MITM.
> If you're a microsoft, that can mean thousands if not millions of users hitting this wall they expect not to have, leading to huge costs for customer support and occassionally deeper issues updating certificates. Exactly the same reason Bank of America doesn't use godaddy.com for their domain name.
So your saying LE is only worth for small-class sites such as "blogs", which than I above said, Why does a blog need SSL? The only reasoning I had which was valid was that "ISP's inject" and if that's the case why are ISP's allowed to get away with injection?
> Your post is 18 minutes old as of me writing and you're already boasting about a lack of replies.
Folks like to down-vote and never reply. I'm sure I might be "flagged" soon too.
> Two, you're likely misunderstanding the purpose of SSL and Let's Encrypt.
Not at all, SSL is the communications protocol. A encrypted-tunnel example made by HTTPS. Verified by a Certificate if we apply laymans terms. LetsEncrypt issues that certification based on the trusted root installed on your computer and if all valid, the brower throws a green badge. I can easily remove the LE root certificate and any LE encrypted site would be invalid.
Putting a TLS cert on your blog also allows visitors to (mostly[0]) hide their traffic and activities from entities that might want to snoop on them, like their ISP. You as the blog owner might not care, but your visitors might. If you don't care about your visitors, that's fine, but some people do.
As for who uses LetsEncrypt, there are a lot of businesses and organizations in between the size of a Microsoft and a small blog that use it. If you read the article, you'll note that LE is celebrating 300M websites protected with their certs. So quite a lot of people find LE useful and want to protect connections to their sites with TLS. If you can't figure out why, perhaps that's more a lack of imagination on your part, than misplaced time and effort on theirs.
As an aside, can you lay off with all the aggressive nonsense? People are replying to you (despite your whining about downvotes). Chill out and maybe take some time away from the keyboard when you're all worked up like that.
[0] Unfortunately SNI will often still leak the domain name of the TLS-protected site being visited, but an encrypted version of SNI is being worked on to close that hole.
> That's not you winning. You made things worse for everyone.
I've made nothing worse for anyone. Those who made it worse for everyone are internet walled gardens and monopolies. If the internet wasn't as corrupted as it now and you deny, telling me Google isn't evil? We would be in a better place with enhancements without the the need for SSL. However not so, evil and mass greed ruined the internet for all since the 80's; heck the 70's.
No, not flame-baiting. Am I not allowed my own view based on my own thoughts? Or am I not allowed free-thought? I'm happy to read everyone's else and take that in. But your denying my own? There's no flame, those opinions are of my own and may not be correct in your eyes but I am still allowed to have.
> Those who made it worse for everyone are internet walled gardens and monopolies.
I'm just talking about this conversation being worse.
> you deny, telling me Google isn't evil?
I didn't say anything about Google.
> No, not flame-baiting. Am I not allowed my own view based on my own thoughts? Or am I not allowed free-thought? I'm happy to read everyone's else and take that in. But your denying my own? There's no flame, those opinions are of my own and may not be correct in your eyes but I am still allowed to have.
You posted "No answers for me? Just what I thought." with the specific intent of annoying people into replying.
> You posted "No answers for me? Just what I thought." with the specific intent of annoying people into replying.
I'll agree to disagree on that, the reason is that folk blindly down-vote. It's infuriating. If I hold opinion A which is incorrect, when opinion B could be correct, I then wouldn't get possibly a corrected perspective. At least it sparks a reaction and sights conversation, regardless if annoyance. It allows myself to express how I feel and why I feel. Rather than the hive-mind mentality that if everyone is doing it, its the right think.
> I'm just talking about this conversation being worse.
How? I expressed my opinion. It may not be right, it may be controversial, you may disagree. Yet your post came off as you should have supreme control, you do have many karma points but that still doesn't dictate. I don't doubt your intelligence, nor interactions, myself I am only 33, still learning the world. For all I know you could be god if you believe in such a thing.
> you deny, telling me Google isn't evil?
I'm was laying my beliefs based on the misunderstanding of your post. I misunderstood how "conversation being worse" it happens. However that again is another controversial opinion that the internet is within a very crippled state, for such pointed out above. Again, you may disagree.
Your entitled to such opinion you believe, I'm disappointed that if you did flag me, or that such a feature blocks because what I laid out wasn't out to be argumentative but as free-thought opinion. Maybe more emotional and cynical of than what it should of been but still. Words are tricky and no one person is an expert.
I should hope HN hashes our passwords, instead of encrypting them. And for encrypted data I would expect them to use symmetric key encryption, rather than certificates with RSA or another form of public key cryptography.
Your post contains some very basic misconceptions. This is going to sound harsh, but I would recommend not putting too much stock in your own opinions on security, and instead to trust the experts.
Not harsh at all. I understand I am no security expert, bores the heck out of me. Sadly, you shouldn't trust the "experts" to be if that's LetsEncrypt. No one can be trusted apart from yourself when implementing security.
If LE is ran with the following companies, "Electronic Frontier Foundation; Mozilla Foundation; University of Michigan; Akamai Technologies; Cisco Systems"
What makes them all trade worthy, especially when they're all American? Especially after the whole Richard Stallman. Mozilla, maybe because they were netscape. I have more than enough experience working within security to know that.
I've seen SysOps leak DB's, Passwords in plaintext.. and I've seen it from the age of where such didn't exist to where companies are now installing X security appliances to safe guard there networks. I'm not newb, from 2004 to now, counted 15 years of System and Network engineer experience. Fair from experienced but well seasoned.
Why isn't HackerNews using LetsEncrypt, Google, Netflix, Amazon, if promoted as a great thing. Is what I want to know.
HN: Pretty sure their relationship with DigiCert predates LE, why change if the current relationship is functional.
Google: Browser Maintainer that runs entire TLDs, doesn't need a third party, it could just decide to trust itself and 60+% of the market follows.
Amazon: Runs a massive chunk of the internet, it's already MitM'd itself and most other things, doesn't really need a third party for Certs but still uses DigiCert which predates LE and they clearly have a working relationship.
Netflix: See Amazon, HN.
You: Barely exist to the infrastructure of the web as people experience it. Maybe you have a static site you don't care to protect from MitM (could add some malicious scripts or whatever but who cares). Maybe you're a tiny service that offers some 50 users something, their plaintext auth probably shouldn't be readable to just anyone along the network path, but they're not paying you for services so you might not wanna spend much money on that service. Use LE.
Also, if you think LE as a company has the ability to take sites with it if it goes down, you don't really understand Web PKI. At most likely within a year to 3 months you'd need to find a new place if their signatures expire. At worst someone could pretend to be you, but still not read that traffic protected by the old cert.
Why so salty about LE? Especially from a "seasoned" SysEng? Didn't it just make your job easier and safer for those with slightly less experience?
> Why so salty about LE? Especially from a "seasoned" SysEng? Didn't it just make your job easier and safer for those with slightly less experience?
Because it's required, I don't know the companies, I can't trust the companies. I just not happy that four companies run the worlds SSL. There should be another technology that caters to such without having to put all the keys in one basket.
> Didn't it just make your job easier and safer for those with slightly less experience?
No. It makes it harder, because your not teaching someone anyone thing you tell them "click here, click that, done"
> Why so salty about LE? Especially from a "seasoned" SysEng? Didn't it just make your job easier and safer for those with slightly less experience?
Because it's required, I don't know the companies, I can't trust the companies. I just not happy that four companies run the worlds SSL. There should be another technology that caters to such without having to put all the keys in one basket.
I believe you get downvotes because you think by analogy rather than by reasoning. Not having that big corporation example doesn't negate Let's Encrypt's value proposition (and the improvement they brought compared with the way things were done before).
Also you're mixing security on data transportation with security of data at rest. Both are important but there are different solutions to each.
Downside existed before Let's Encrypt, it just got amplified with it.
General public does not differentiate between the SSL certificate validation level.
Let's Encrypt provides domain validation certificates, which only validates that one owns the domain in question.
There is another level - Organization Validation SSL certificates, which involves manual checking that this is the legal entity it claims to be. I would expect the financial institutions to use this kind of certificates to avoid phishing, but sadly I've seen some of them use Let's Encrypt.
Browsers don't differentiate between the SSL certificate validation level. Because it has been shown that the higher validation levels aren't actually significantly more secure, so the distinction is pointless.
I don't think this is an issue with LE or the implementation. Maybe we need different policies for such organizations, but this is for sure not a LE issue
As someone that supports Let's Encrypt's efforts and playing devil's advocate, I imagine a downside is that the bar is lowered and nefarious websites can easily get SSL-equipped channels compared to the high paywall of prior.
Commercial CAs verify exactly two things: Administrative control over a domain name and a working credit card number.
Let’s Encrypt only gets rid of the latter, and given that fraudsters able to spoof the former can probably spare the $10 for the latter, I‘d argue that this is a good thing.
Before Let's Encrypt there were all kinds of bullshit CAs that would distribute secure sites "seals", and lie all over the internet on how those meant anything.
All of that noise is gone now. That makes the internet much safer.
My guess is a misunderstanding of how easy it is to get a credit card to make a payment. This hasn't gotten any easier, so there truly is no downside at this point, unless people automatically think a SSL means a site is trustworthy. I think that's just education, and is likely to come into public consciousness the longer secure sites are pushed as the default.
It meant a paper trail via CC payments (though fraudsters were likely to use stolen CCs, and they probably needed a CC to buy the domain name in the first place). But yeah it's basically not fundamentally different.
Ok I get not wanting to pick on the guy, but is that really reasonable? Engineering is about solving problems by designing/implementing systems. The more you know about the system(s) you're working with, the better the solutions you can build. Even if you're "just" working at a high level and maximally specialized to a single niche, not knowing how the underlying parts work will really limit you.
Pick the brain of any accomplished engineer, and you'll quickly see that the technical knowledge they use to write code on a day to day basis is only the tip of the iceberg.
It's not reasonable to expect everyone to know everything all the time, but I don't agree people should be aspiring to just know the bare minimum either. Mediocrity is like gravity: if you don't (at least occasionally) aim higher, your trajectory will be lower than you want.
Or maybe we should just avoid judging people based on what they do and don't think is worth their time learning, especially when all we know about them is a previous job title and a short message on an internet message board?
I mean, c'mon, it takes quite a bit of arrogance to condemn someone for some little facet of their life when you know next to nothing about them.
Right obviously very few people will be deep experts on the nitty gritty details of any particular thing, but it's weird to work with computers and not have a broad high-level understanding of something as crucial as TLS and PKI.
You don't know why they haven't taken the time to learn. At least they know enough to know they need an SSL cert. Should I not buckle up in a car if I don't understand the mechanics of how the buckle snaps together?
I don't understand why you're harping on this person for this.
I take issue with that statement not the person. The statement was honest and matter of fact.
Few know how SSLs work, few have time or opportunity or even desire to learn it. Not 'wanting' to understand the details goes against what I would expect. A programmer tries to/needs to understand how the world works. Not wanting to understand the entire stack is a new concept to me.
> Not wanting to understand the entire stack is a new concept to me.
Then I'd suggest that your experience about the world, and about people in general, is severely lacking.
There aren't enough hours in a day or years in a life to learn everything, so we have to be selective.
Do you know how CPUs work, down to the various functional units and pipeline stages and how they work together? Can you explain to me how transistors work on an electrochemical level? Can you explain how silicon wafers are fabricated? Hell, I took those classes in college as a part of my EE degree, and I can't really remember it well enough to explain without cheating and looking at Wikipedia. (And even then...)
And guess what? That's just fine. I have no need or desire to dive that deeply back into that stuff.
Why should the minutiae around TLS certs be any different? I do know how TLS cert provisioning works, and to be honest, it's boring and tedious. And I do it so infrequently that I have to look up a tutorial every time I do it. It's just not worth keeping in my head. If I could use LE for everything, and never try to remember the right `openssl req` command ever again, that would be great.
> A programmer tries to/needs to understand how the world works.
No, a programmer is someone who solves problems with code. How they do it, and what types of knowledge they pursue, runs the entire gamut of possibilities.
Bottom line: knowing technical minutiae doesn't make you cool or special or better than other people. It just makes you someone who's interested in that stuff, or someone who needs to understand it as a part of work they do. Let's not elevate it to something it's not.
Are programmers losing that childhood curiosity for how things work? Do programmers even value that anymore? Should that be the filter employers use to select candidates vs leetcode?
People may think they are Cool or special for millions of reasons (like not knowing what ssl is for example).
Who says they've lost the curiosity? What if all of their programming effort and energy is put into whatever the website is for? Why should they shift their focus over to learning all about SSL when that's not the point of whatever the project is and it will suck up too much time?
I could absolutely be wrong about that reasoning, though, but that's my point - we don't know why, so why assume a negative and then lean into that?
I think there are a lot of perfectly good programmers who work at the level of the web stack, but couldn't set up a web server with TLS to save their life. There's nothing wrong with that, and suggesting that there is, is just a form of technology elitism and gatekeeping.
This isn't about being able to. I've love to setup machine learning but lack the understanding. It's about taking pride in not having to learn.. taking pride in not having to understand how things work.
Technology shouldn't be a blackbox and shouldn't be celebrated as such.
