[nmglug] lets encrypt

Sam Noble s at mnoble.net
Mon Feb 15 11:09:29 PST 2016


On Mon, Feb 15, 2016 at 10:36:36AM -0700, Sam Noble wrote:
> On Sat, Feb 13, 2016 at 12:02:11PM -0700, Jason Schaefer wrote:
> This is super-cool. I didn't think this would work on dreamhost
> shared-hosting anytime soon. and it totally does.
> 
> Thanks mozilla, eff, dreamhost etc!

Somebody do the pondering for me, I have questions about general use of
lets' encrypt (or any automated TLS cert renewal setup.) regarding best
practice for ensuring I'm getting as much out of the TLS encryption
model as I can. And additional questions in the case of $WEBHOST (or any
service provider) managing certs for their users.

I love that I can have encrypted connections without paying or forcing
visitors to be clicking on "Yeah I know that the cert is unsigned" in
browsers (or worse not being able to use an https api with android
programs.) 

But what's due diligence for my part of this transaction? I run a script
on my webserver or click a button on dreamhost's page and suddenly I get
free TLS? Great if that's all it takes but I'm skeptical.

So for any LE user there are a few issues, the letsencrypt model has
short duration certs, so they'll be changing often. How am I supposed to
keep track of when they've changed? Do I need to?  Should I keep track
of some identifier of LE's Certificate Authority and verify that's the
one being used to sign my LE certs?

And then the much bigger leap comes with the setup I'm actually using.
Obviously using a cheap shared web-hosting account like the one I have
has plenty of risks with respect to how much I can trust the software I
run there, I have to trust their admins in lots of cases, as one does on
any machine where someone else has root. (And physical access, and legal
ownership, etc.)
Great, but I don't have access to the private TLS key, I don't know who
else has access to the private key on my sites.

I'm thinking this is still a huge improvement over plaintext HTTP right?
Weren't there a bunch of nasty tricks that we learned about from that
guy Edward, that are thwarted just by HTTPS regardless of the quality of
the TLS used?

Plus even in a hotel full of staff that all carry master keys, locking
your door is often still a good idea right? 

But has anyone been trolling LE or Dreamhost forums and mailinglists and
have quick answers to all my concerns?

-- 
sam


More information about the nmglug mailing list