#dev | Logs for 2016-06-28

« return
[05:11:46] <Subsentient> I'd like to weigh in on the use of Let's Encrypt for SoylentNews.
[05:11:51] <Subsentient> I think it's a bad idea.
[05:12:21] <Subsentient> I use Let's Encrypt myself, but my personal view is that sites that use it are less 'trustworthy' than sites signed with VeriSign etc.
[05:14:09] <Subsentient> The reason is, Let's Encrypt is free, and I imagine is much looser with its signings.
[05:14:28] <Subsentient> So it's much easier for a fradulent site to get signed with Let's Encrypt than something else.
[05:15:01] <Subsentient> I would not be surprised if browsers eventually either dropped recognition for Let's Encrypt or showed sites that use it in yellow or something.
[05:15:28] <Subsentient> I've already heard a lot of reports about Let's Encrypt being used in spam/scam/malware sites.
[05:15:56] * Subsentient sprays chunky vomit all over TheMightyBuzzard's feathers
[06:49:13] -!- GungnirSniper has quit [Ping timeout: 268 seconds]
[10:47:52] -!- Tachyon has quit [Ping timeout: 268 seconds]
[11:40:07] <Bytram> Subsentient: good points re: LetsEncrypt... OTOH, we are on a shoestring budget and certs from other registrars do have a price ($).
[11:45:23] <Subsentient> Bytram: the idea is that literally any other signature is better.
[11:45:31] <Subsentient> As long as it's not let's encrypt.
[11:45:53] <Subsentient> I actually check the signer of certificates when I'm on a strange https site.
[11:46:03] <Subsentient> If I see let's encrypt, I'll think it's a scam.
[11:46:09] <Bytram> yes, I got your point. ... and I check them, too.
[11:46:27] <Bytram> atm, IIUC, only dev.soylentnews.org uses LE
[11:46:39] <Bytram> the main site uses a cert from Gandhi
[11:46:42] <Subsentient> Gandi for the current signer seems reasonable.
[11:46:43] <Bytram> (spelling?)
[11:48:11] <Bytram> it's been a while, but ISTR that we have a number of self-signed certs in use, too.
[11:48:23] <Bytram> for the lowdown, prolly best to ask TheMightyBuzzard
[11:48:34] <Subsentient> Bytram: So, you also are suspicious of Let's Encrypt sites enough to check the signer on random sites? Did I read that right?
[11:48:49] <Bytram> not quite
[11:49:11] <Bytram> when I get a warning that certs don't match, I check the cert -- authority, etc.
[11:49:54] <Bytram> I'm not generally in the habit of checking the certs on all of the sites that I visit
[11:50:10] <Bytram> I prolly should be more attentive to that
[12:01:03] <Subsentient> http://i.imgur.com
[12:03:17] -!- x [x!~x@709-27-2-01.cust.aussiebb.net] has joined #dev
[12:03:24] <Bytram> http://i.imgur.com
[14:07:10] -!- GungnirSniper [GungnirSniper!~GungnirSn@arbs-718-80-998-378.bstnma.fios.verizon.net] has joined #dev
[15:08:45] <TheMightyBuzzard> i'm not worried about LE certs in the slightest. you have to have access to the machine you're registering the cert for or you have to compromise the dns of the CA if you want a fake cert. and we're not exactly a high security establishment anyway.
[15:30:44] <Subsentient> TheMightyBuzzard: No, that wasn't the problem. I trust LE certs to do the job just fine and safely, what I was getting at is that people trust a site signed with LE less than one signed with Verisign or Gandi
[15:31:04] <Subsentient> Lots of spam sites get perfectly valid LE certs
[15:31:10] <Subsentient> I've seen it
[15:31:32] <Subsentient> Unless that domain was reported as spam before, the automated software will gladly grant them a Let's Encrypt certificate
[15:59:09] * Subsentient vomits down TheMightyBuzzard's beak
[21:19:28] -!- GungnirSniper has quit [Quit: Nettalk6 - www.ntalk.de]
[23:09:40] -!- GungnirSniper [GungnirSniper!~GungnirSn@arbs-718-80-998-378.bstnma.fios.verizon.net] has joined #dev
[23:37:14] -!- Tachyon [Tachyon!Tachyon@hollhb.kolej.mff.cuni.cz] has joined #dev