On 02/15/2016 12:09 PM, Sam Noble wrote:
On Mon, Feb 15, 2016 at 10:36:36AM -0700, Sam Noble wrote:
On Sat, Feb 13, 2016 at 12:02:11PM -0700, Jason Schaefer wrote: This is super-cool. I didn't think this would work on dreamhost shared-hosting anytime soon. and it totally does.
Thanks mozilla, eff, dreamhost etc! Somebody do the pondering for me, I have questions about general use of lets' encrypt (or any automated TLS cert renewal setup.) regarding best practice for ensuring I'm getting as much out of the TLS encryption model as I can. And additional questions in the case of $WEBHOST (or any service provider) managing certs for their users.
I love that I can have encrypted connections without paying or forcing visitors to be clicking on "Yeah I know that the cert is unsigned" in browsers (or worse not being able to use an https api with android programs.)
But what's due diligence for my part of this transaction? I run a script on my webserver or click a button on dreamhost's page and suddenly I get free TLS? Great if that's all it takes but I'm skeptical.
So for any LE user there are a few issues, the letsencrypt model has short duration certs, so they'll be changing often. How am I supposed to keep track of when they've changed? Do I need to? Should I keep track of some identifier of LE's Certificate Authority and verify that's the one being used to sign my LE certs?
And then the much bigger leap comes with the setup I'm actually using. Obviously using a cheap shared web-hosting account like the one I have has plenty of risks with respect to how much I can trust the software I run there, I have to trust their admins in lots of cases, as one does on any machine where someone else has root. (And physical access, and legal ownership, etc.) Great, but I don't have access to the private TLS key, I don't know who else has access to the private key on my sites.
I'm thinking this is still a huge improvement over plaintext HTTP right? Weren't there a bunch of nasty tricks that we learned about from that guy Edward, that are thwarted just by HTTPS regardless of the quality of the TLS used?
Plus even in a hotel full of staff that all carry master keys, locking your door is often still a good idea right?
But has anyone been trolling LE or Dreamhost forums and mailinglists and have quick answers to all my concerns?
we are using let's encrypt in some of our commercial sites, and the setup was very straight forward, we use nginx, this is a step by step guide, a cronjob will re-requests certs every 90 days https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-le...