undefined | Better HN

0 pointsonion-soup6y ago0 comments

While I appreciate the efforts of certbot to make it as user-friendly as possible I still find this state of things unforgivable. I don't know where it went wrong so that today a developer must spend time learning and tweaking a low-level encryption tools. I'm just saying https will never be 100% unless it becomes a baked-in feature of any hosting.

0 comments

thenewnewguy6y ago

Developers don't need to, unless they're the ones hosting your website. In which case, yes, I expect them to be able to configure web hosting software.

hrktb6y ago

This is sadly not the case yet in many not so edge cases.

For instance Heroku still doesn't provide straightforward support for wildcard domains under SSL: https://devcenter.heroku.com/articles/understanding-ssl-on-h...

There is myriad of other cases, basically every time you diverge a bit from the 80% path, you're in for a treat and will deal with all the intricacies of SSL management.

regecks6y ago

Certbot, and most other standalone ACME clients, are just stop-gaps.

The end game is first-party support for automatic HTTPS in all web (and other) servers. It is happening (e.g. mod_md), it's just going to take time. For example, to get it packaged for all distributions.

For shared hosting, if you ignore the few providers at the top who are either CAs (e.g. GoDaddy) or are in contracts with CAs (e.g. Namecheap), the overwhelming majority of them are already providing free and automatic SSL for all hosted domains.

majewsky6y ago

> The end game is first-party support for automatic HTTPS in all web (and other) servers.

There's still a need for certbot et al when you have multiple services (e.g. web and mail and XMPP) running on a single domain name. In fact, I actively avoid servers that insist on doing ACME themselves because it breaks my unified ACME process.

kbr20006y ago

A management fad called dev-ops is what went wrong, before you could count on your sysadmin to take care of that :) Apart from that, not everything always makes sense to use in production without a good level of understanding --- and might otherwise lead to, for example, a false sense of security.

cm21876y ago

Starting with baking ACMEv2 in the major webservers (apache, IIS, etc).

Jaruzel6y ago

If Microsoft baked in Auto-cert-install in to IIS that allowed you to cherry pick a provider, and/or just select their own free CA, that'd really solve the problem for Windows based web servers. In my experience CertBot/ACME type renewal doesn't work reliably for Windows/IIS.

AnIdiotOnTheNet6y ago

What is the value in HTTPS being 100%? That seems silly to me. Many many things do not have any need for encryption.

tialaramex6y ago

Most things would benefit from encryption. Even if you don't need integrity protection, and you don't have any need of privacy, and you don't care about authenticating your peers you still want encryption because otherwise middleboxes ossify everything.

If the middlebox can't see inside your flow because it's encrypted it can't object to whatever new thing it's scared of this time whether that's HD video or a new HTML tag.

AnIdiotOnTheNet6y ago

Not a significant issue in practice as far as I can tell. I deliver text over the internet, and sometimes binaries over the internet, and it happens very fast because there is no useless cruft in the process to satisfy some security twonk's paranoid delusions.

jbverschoor6y ago

It’s for ops. Not dev

j / k navigate · click thread line to collapse

0 comments

thenewnewguy6y ago

Developers don't need to, unless they're the ones hosting your website. In which case, yes, I expect them to be able to configure web hosting software.

hrktb6y ago

This is sadly not the case yet in many not so edge cases.

For instance Heroku still doesn't provide straightforward support for wildcard domains under SSL: https://devcenter.heroku.com/articles/understanding-ssl-on-h...

There is myriad of other cases, basically every time you diverge a bit from the 80% path, you're in for a treat and will deal with all the intricacies of SSL management.

regecks6y ago

Certbot, and most other standalone ACME clients, are just stop-gaps.

majewsky6y ago

> The end game is first-party support for automatic HTTPS in all web (and other) servers.

kbr20006y ago

cm21876y ago

Starting with baking ACMEv2 in the major webservers (apache, IIS, etc).

Jaruzel6y ago

AnIdiotOnTheNet6y ago

What is the value in HTTPS being 100%? That seems silly to me. Many many things do not have any need for encryption.

tialaramex6y ago

If the middlebox can't see inside your flow because it's encrypted it can't object to whatever new thing it's scared of this time whether that's HD video or a new HTML tag.

AnIdiotOnTheNet6y ago

jbverschoor6y ago

It’s for ops. Not dev

j / k navigate · click thread line to collapse