undefined | Better HN

0 pointssuixo8y ago0 comments

Thanks for the detailed post. The rogue word seems to be a bit too strong, as I totally understand how GitHub generated the cert thanks to Let's Encrypt. The surprising bit is that when granting them the right to handle all internet traffic for the given domain (back in 2014), I wasn't expecting them to use it to generate certificates.

Then Let's Encrypt was released to the public (yeah), and today I am happy that GitHub generated this cert. However, I was surprised to see it was generated "in my back", without any kind of notice and no public documentation of the feature.

0 comments

BuildTheRobots8y ago

> The surprising bit is that when granting them the right to handle all internet traffic for the given domain (back in 2014), I wasn't expecting them to use it to generate certificates.

I hate to flog a dead horse, but considering you were specifically pointing the domain at them for them to host HTTP, them then securing that really shouldn't be surprising. If they'd started running other services on it (eg email) then I'd start being surprised. HTTP host hosting HTTPs though...

More granular DNS records would be interesting for the future. The ability to say "this host resolves to that IP but ONLY for web traffic and nothing else" (an "ahttp" record) idea intrigues me.

synotna8y ago

This already exists: SRV records

BuildTheRobots8y ago

Of course it does; I'm an idiot. Though it does seem like very few applications (I can't find a single mainstream browser) that actually support using them. I do wonder why not.

jimktrains28y ago

Kerberos and AFS use it! There a few others that can, but it's client dependent. It would be nice if more things supported it out of the box.

j / k navigate · click thread line to collapse

0 comments

BuildTheRobots8y ago

> The surprising bit is that when granting them the right to handle all internet traffic for the given domain (back in 2014), I wasn't expecting them to use it to generate certificates.

More granular DNS records would be interesting for the future. The ability to say "this host resolves to that IP but ONLY for web traffic and nothing else" (an "ahttp" record) idea intrigues me.

synotna8y ago

This already exists: SRV records

BuildTheRobots8y ago

Of course it does; I'm an idiot. Though it does seem like very few applications (I can't find a single mainstream browser) that actually support using them. I do wonder why not.

jimktrains28y ago

Kerberos and AFS use it! There a few others that can, but it's client dependent. It would be nice if more things supported it out of the box.

j / k navigate · click thread line to collapse