
One of the paradoxes I struggle with in my work is the conflict between crypto and reliability.

Crypto is important. But it is very binary in nature - either the stars align and you can decrypt, or it fails and there's no recovery. With that kind of binary, reliability suffers. This is inevitable.

As an example, most of the Mastodon downtime I've experienced has been related to minor SSL certificate blunders.

I feel like most of the #InfoSec community wilfully ignores this dynamic.

I think it's really interesting to follow Dave Winer (inventor of RSS) on Twitter - he's very concerned about the current push towards HTTPS.

He's afraid raising the security bar will make the web less open and less accessible. And he's right; adding technical requirements favours the entrenched big players with big budgets.

Dave also fears for the historic web, in the (unlikely?) event that browser vendors actually deprecate HTTP.

I don't agree with everything he says, but the POV has value.

@HerraBRE My web hosting doesn't reasonably support cheap SSL. Thankfully I have little reason to deploy it, since I don't give a half a crud how Google ranks my websites.

@ocdtrekkie @HerraBRE You should change your webhosting provider. In times of Let's Encrypt it's more than bad to not support "easy SSL".

ocdtrekkie @ocdtrekkie

@ninjafoss @HerraBRE You'd be surprised how many web hosts don't. Shared hosting is pretty darn common.

In my case, I haven't found a suitable replacement: I won't buy either domains or hosting from a company that doesn't have 24/7 US-based phone support, which is a rapidly decreasing commodity these days.

@edavies @ninjafoss @HerraBRE No, but since you don't have root or often even shell access on shared hosting, you're at the whims of your host's offerings.

You can't run something like a Let's Encrypt certbot, for instance, unless the host sets it up for you.

@ocdtrekkie @ninjafoss @HerraBRE Yes, need to pick your host carefully, which can indeed be difficult.

Had my domain registered with my current hosting provider while my hosting was elsewhere until previous hosting provider became untenable at which point current one was really the only acceptable option - annoying as I'd prefer to keep the domain and hosting separate.

But the point: SSL hosting isn't intrinsically difficult or expensive, just a matter of what the market provides.

@edavies @ocdtrekkie @ninjafoss I wouldn't be at all surprised if a bunch of hosting providers were still pretending Let's Encrypt doesn't exist and using SSL as a differentiator for "premium" hosting plans.

That'll slow down adoption at the lower end of the hosting market.

@HerraBRE @edavies @ninjafoss I think in my host's case, they just provide a fairly dated version of cPanel/WHM which isn't yet EOL. I believe newer cPanels support Let's Encrypt out of the box, so presumably once they have to upgrade, it'll support it.

@edavies @ninjafoss @HerraBRE Keeping domain and web hosting separate is an absolute must. Same for email service as well. Three different companies control this aspect of my online presence, which makes losing any one of them at a time fairly recoverable as a condition.