Fancy, finally an alternative to Let's Encrypt!

scotthelme.co.uk/introducing-a

It's always good to have alternatives around. ZeroSSL appears to be a European company that now provides free TLS certificates using the ACME protocol.

@sheogorath I'm super glad there are more options now. However, I'm an old curmudgeon and am still bitter that I'm being forced to use SSL even for static content projects where I feel it has no place :)

@feoh Unless you use a protocol underneath that does integrity checks for the content, it is very advisable to use TLS.

Troy Hunt wrote a little article and even made a fun little video about why you want TLS for static content:

troyhunt.com/heres-why-your-st

@feoh

The primary function of TLS in today's web apps is server authenticity, which is required for even totally public content like CSS, JS etc. This helps avoid content injection attacks, but has also unfortunately killed all proxy caching. I guess what we are after is HTTP cleartext content signing protocols, but there is not much interest in that for a number of reasons.

@sheogorath

@rugk @kravietz @sheogorath Respectfully I think some of these assertions are horse-pucky. I believe that http was originally designed primarily to be a delivery mechanism for publicly visible static data. In that context, I see https as adding exactly zero value. Sorry. Unpopular opinion I know.

@feoh @kravietz @sheogorath HTTP was designed as that? Well… in the old days, people submitted private data on Facebook, WhatsApp and their searches on Google through that. It certainly failed being that…

And as mass surveillance and data mitigation (DDOS attacks etc.) have shown, security is now considered a baseline thing.

See whynohttps.com/ (see links at the bottom) developers.google.com/web/fund and scotthelme.co.uk/still-think-y

@rugk @kravietz @sheogorath Respectfully, as I said in my previous toot I withdraw my assertions about http's design because they're bogus, BUT none of this has anything to do with my pining for the days when the internet was simpler and vastly more composable. I stand by that feeling 'cause it's mine. I'm not saying https shouldn't be a thing, I'm saying that there are use cases where I feel it's ill suited, and no amount of Orwellian imagery is going to change that :)

@feoh Looking at the RFC for HTTP/1.0 I can't agree with you, it talks explicitly about dynamic content for example to provide "more functionality […] including search, front-end update, and annotation".

tools.ietf.org/html/rfc1945#se

I also want to bring the "Security Considerations" section of this document to your focus, which doesn't consider MITM attacks.

tools.ietf.org/html/rfc1945#se

Anyway, you are of course free to follow your beliefs.

/cc @rugk @kravietz

@sheogorath @rugk @kravietz A fine point. I withdraw my assertions about the design of http. I still reserve the right to be a grumpy old man and miss the days when services were simply building blocks you could build with shell scripts or tiny blobs of code in a REPL. Those days are gone, and I get that, but that doesn't mean I need to like it :)

@sheogorath @rugk @kravietz Also thank you for inspiring me to re-read that RFC. It's an oldie but goodie :)

@feoh Back then, when "search" was still a feature :D

We take so much for granted these days.

By the way, sorry that I get this started again, but "no amount of Orwellian imagery" especially the latter is sadly not the case for quite a while now. From crypto miners, to ads, to censorship, we see pretty much everything happening to HTTP connections in some countries or commercial ISPs/Wifis and independent of static or dynamic content.

The web is a mess :blobfoxnotamused:

@rugk @kravietz

@sheogorath @rugk @kravietz Absolutely. My point was, again, NOT to discount the necessity of https at all, because I totally agree it's SUPER important to encrypt people's web traffic for 99.9% of what most users are looking to do with the web. It was merely that *I* personally miss the days when building services was a vastly simpler process, and I can't help but resent the layer upon layer of complexity we're requiring. It's all there FOR GOOD REASON, but again that doesn't mean I need to like it. When http/2 becomes the norm, I will also miss being able to debug a web server by running netcat and connecting to its port and typing "HTTP/1.1 GET /" or whatever. I like simple machines I can observe and debug using simple tools. I'm a simple creature :)

@feoh

Well, you can actually still build a webserver using bash, you just have to replace some nc calls with openssl 😉

For HTTP/2, yes, I feel you there. It's a bit over the top in some places.

@rugk @kravietz
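Taking that literally, here is an added example (mine, not code from anyone in this thread): a static-file HTTP/1.0 responder in POSIX sh whose handler only reads a request on stdin and writes the response on stdout, so the transport can be `nc` for plaintext or `openssl s_server` for TLS without touching the handler. The DOCROOT layout, the `nc` flag spelling and the `openssl` options are assumptions you may need to adjust for your system.

```shell
#!/bin/sh
# Added example (not code from the thread): a tiny static-file HTTP/1.0
# responder in plain shell. The handler only talks stdin/stdout, so the same
# function serves plaintext behind nc and TLS behind openssl s_server.
# Assumptions: files live under DOCROOT (default: current directory); the
# nc flag spelling and openssl options below are the ones I use, adjust per system.

DOCROOT="${DOCROOT:-.}"
CR=$(printf '\r')

# Map a file name to a Content-Type header value.
content_type() {
  case "$1" in
    *.html) echo text/html ;;
    *.css)  echo text/css ;;
    *.js)   echo application/javascript ;;
    *.txt)  echo text/plain ;;
    *)      echo application/octet-stream ;;
  esac
}

# emit_headers STATUS REASON CONTENT-TYPE LENGTH
emit_headers() {
  printf 'HTTP/1.0 %s %s\r\nContent-Type: %s\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' \
    "$1" "$2" "$3" "$4"
}

# error_response STATUS REASON MESSAGE: status line plus a plain-text body.
error_response() {
  emit_headers "$1" "$2" text/plain "${#3}"
  printf '%s' "$3"
}

# handle_request DOCROOT: read one HTTP request from stdin, write the response
# to stdout. Serves GET/HEAD for files below DOCROOT; ".." segments are rejected.
handle_request() {
  docroot=$1
  IFS= read -r line || line=""
  line=${line%"$CR"}
  method=${line%% *}
  rest=${line#"$method"}; rest=${rest# }
  target=${rest%% *}
  # Drain the header block; a static server needs nothing from it.
  while IFS= read -r line; do
    line=${line%"$CR"}
    [ -z "$line" ] && break
  done
  case "$method" in
    GET|HEAD) ;;
    "") error_response 400 "Bad Request" "malformed request line"; return 0 ;;
    *)  error_response 405 "Method Not Allowed" "only GET and HEAD are served"; return 0 ;;
  esac
  target=${target%%"?"*}                      # drop any query string
  [ "$target" = / ] && target=/index.html
  case "$target" in
    /*) ;;
    *) error_response 400 "Bad Request" "target must be an absolute path"; return 0 ;;
  esac
  case "/$target/" in
    *"/../"*) error_response 400 "Bad Request" "path traversal rejected"; return 0 ;;
  esac
  path="$docroot$target"
  if [ ! -f "$path" ] || [ ! -r "$path" ]; then
    error_response 404 "Not Found" "no such file"; return 0
  fi
  emit_headers 200 OK "$(content_type "$path")" "$(wc -c < "$path" | tr -d ' ')"
  [ "$method" = GET ] && cat "$path"
  return 0
}

# serve_once PORT: plaintext, one request per invocation, the classic nc trick.
# (BSD nc takes "nc -l PORT"; traditional nc wants "nc -l -p PORT".)
serve_once() {
  fifo=$(mktemp -u); mkfifo "$fifo"
  nc -l "$1" < "$fifo" | handle_request "$DOCROOT" > "$fifo"
  rm -f "$fifo"
}

# serve_once_tls PORT CERT KEY: the same handler with openssl s_server as the
# transport; -naccept 1 exits after one connection, -quiet drops the chatter.
# Self-signed test material:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=localhost \
#     -keyout key.pem -out cert.pem
serve_once_tls() {
  fifo=$(mktemp -u); mkfifo "$fifo"
  openssl s_server -accept "$1" -cert "$2" -key "$3" -naccept 1 -quiet \
    < "$fifo" | handle_request "$DOCROOT" > "$fifo"
  rm -f "$fifo"
}
```

Run `serve_once 8080` and fetch with curl, or `serve_once_tls 8443 cert.pem key.pem` after generating the self-signed pair from the comment. The netcat-style debugging session from the post becomes `openssl s_client -connect localhost:8443 -quiet`, then type `GET / HTTP/1.0` and an empty line. Even for a toy that binds a port, refusing `..` segments and anything but GET/HEAD is the minimum you want, and because the handler is transport-agnostic the TLS version gets exactly the same checks.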

@feoh @sheogorath @kravietz I'd already say HTTP/2 is the norm hehe… seems you have not debugged these a lot 😉

But yeah, get your point. It's more high-level now. But with a proper web server you can get automatic certificates etc., so the setup thing should get easier…
Everything else is nostalgia, it seems… 😉

@sheogorath @feoh lol yeah, nobody thought about that in 1996

Time has changed.

So if you are keen on RFCs let's look at the current version: HTTP/2

tools.ietf.org/html/rfc7540

And security you said?
Here we go: tools.ietf.org/html/rfc7540#se

Ctrl+F "TLS" oh sooo sad… >300 matches.

😆

@rugk @sheogorath Do I ... HAVE TO? I'm not sure I have enough beer in the house to drown my sorrows sufficiently to handle those specs.

@sheogorath Great news! Let's Encrypt is great. They triggered a seismic shift in the marketplace. I'm glad there are more options, too. Having so many certificates in one CA is a danger.

@sheogorath interesting. Do they offer ECDSA? And wildcards? I need to take a look.
@iron_bug @sheogorath sorry for wrong language. just wondering if they provide ECDSA and wildcards. but sounds interesting.

@iron_bug I'm not sure about ECDSA, haven't looked into that yet, but they definitely support wildcard certificates.

@sheogorath Hey cool! And even uses my favorite client, Neil's acme.sh :awesome:

Yes, the more the merrier! And the "stabler". Full ack: always good to have alternatives. And wow, they're using the same protocol – that's almost a Certiverse then, heh?

@sheogorath Their free tier offers way less than Let's Encrypt.

Sheogorath's Microblog