One of the paradoxes I struggle with in my work is the conflict between crypto and reliability.
Crypto is important. But it is very binary in nature - either the stars align and you can decrypt, or it fails and there's no recovery. With that kind of binary, reliability suffers. This is inevitable.
As an example, most of the Mastodon downtime I've experienced has been related to minor SSL certificate blunders.
I feel like most of the #InfoSec community wilfully ignores this dynamic.
@HerraBRE My web hosting doesn't reasonably support cheap SSL. Thankfully I have little reason to deploy it, since I don't give a half a crud how Google ranks my websites.
@ocdtrekkie You're missing a threat which is actually common in the wild: MITMing to inject crapware.
ISPs do this, this isn't hypothetical.
Also, if you believe people should be able to surf anonymously and want Tor users to have access, consider that it's super easy to spin up a malicious exit node that corrupts traffic.
Securing your sites with TLS protects your visitors from that sort of thing, which makes it worth doing almost no matter what sort of content you provide.
@HerraBRE I try to avoid ISPs that inject junk. Arguably, if the ability to inject junk is part of your agreement with them (and one would hope it is factored into the price/value equation), they should be able to in nonsecure contexts.
I'd be happy to jump on the encryption bandwagon, that being said, if CAs weren't involved. They've been proven untrustworthy over and over again. The fact that we have people trying to push a *mandate* that we deal with them is borderline insane.
@HerraBRE (Re: ISPs that inject junk, NetZero was an amazing thing to exist back in the day.)
@ocdtrekkie Again, it's not about you. It's about your users.
People don't know about these terms and they don't know the implications. And they may have no choice, not all areas have competing ISPs.
Anyway, such EULAs are problematic for a bajillion reasons, I'm surprised you'd use them as justification for anything!
You can shrug and say their ISP is not your problem. I tend to err on the side of saying we have a duty of care towards our users, but people can disagree with me on that.
@HerraBRE @ocdtrekkie Also, people on such ISPs (including many national mobile providers, I understand) maybe won't be sophisticated enough to distinguish between what's actually on your site and what the ISP has injected. They'll just see that your site has silly ads or whatever.
I can confirm, my ISP is known for browser hijacking
@ocdtrekkie @HerraBRE You should change your web hosting provider. In times of Let's Encrypt it's more than bad to not support "easy SSL".
@ninjafoss @HerraBRE You'd be surprised how many web hosts don't. Shared hosting is pretty darn common.
In my case, I haven't found a suitable replacement: I won't buy either domains or hosting from a company that doesn't have 24/7 US-based phone support, which is a rapidly decreasing commodity these days.
@ocdtrekkie @ninjafoss @HerraBRE Shared hosting doesn't preclude SSL.
@edavies @ninjafoss @HerraBRE No, but since you don't have root or often even shell access on shared hosting, you're at the whims of your host's offerings.
You can't run something like a Let's Encrypt certbot, for instance, unless the host sets it up for you.
@ocdtrekkie @ninjafoss @HerraBRE Yes, need to pick your host carefully, which can indeed be difficult.
I had my domain registered with my current hosting provider while my hosting was elsewhere, until the previous hosting provider became untenable, at which point the current one was really the only acceptable option - annoying, as I'd prefer to keep the domain and hosting separate.
But the point: SSL hosting isn't intrinsically difficult or expensive, just a matter of what the market provides.
@edavies @ocdtrekkie @ninjafoss I wouldn't be at all surprised if a bunch of hosting providers were still pretending Let's Encrypt doesn't exist and using SSL as a differentiator for "premium" hosting plans.
That'll slow down adoption at the lower end of the hosting market.
@HerraBRE @edavies @ninjafoss I think in my host's case, they just provide a fairly dated version of cPanel/WHM which isn't yet EOL. I believe newer cPanels support Let's Encrypt out of the box, so presumably once they have to upgrade, it'll support it.
@edavies @ninjafoss @HerraBRE Keeping domain and web hosting separate is an absolute must. Same for email service as well. Three different companies control this aspect of my online presence, which makes losing any one of them at a time fairly recoverable as a condition.
@HerraBRE MITMing most web traffic is pretty uninteresting. Encrypting it is good, sure, but the cost is high, especially since you're now dependent on a centralized list of CAs.
Whoever thought requiring a CA for encrypting traffic was cool should be publicly shamed for all eternity.