119
linuxxx
7y

Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.

Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".

So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.

"Nahhh, then I'd still rather not use SSL, it just looks so cheap when you're using a free certificate".

Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.

Not putting a secure connection on a website (at all), especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!), is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.

'Ohh but the NSA etc won't do anything with that data'.

Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyscore (Snowden leaks).

Motherfucker.

Comments
  • 29
    Not using SSL certificates during authentication is one of the major signs of a fake site. Hope you are able to put some sense into him and make him realize its importance.
  • 6
    Haven't seen him anymore and probably won't at all either but if I see him again, yes. Definitely.
  • 8
    @luminousnine I don't think it looks cheap at all actually haha. It shows that someone actually took a second to think about their security, which is a big plus for me.
  • 12
    Dude even my homepage has got a free SSL cert. I'm 100% sure that nobody uses my site but I mean. It is my first site and SSL was like the most important thing for me lol
    Also the "the connection is not secure" popups in my browser below the textboxes annoyed me on the login/register screen
  • 6
    @b3b3 Same here! I've got multiple random sites/domain names but before I do anything, I make sure SSL/TLS is working!
  • 4
    When I see a site without SSL I pretty much instantly quit coz it just shows that the owners don't care about their customers (in my opinion)
  • 2
    @b3b3 Same, although I still sometimes rely on those sites, whether it's a personal website or a huge business site, if you don't have SSL, I don't think you care about your users indeed.
  • 2
    @luminousnine If you need any help, let me know!
  • 2
    Whenever I can, I use SSL.
  • 2
    SSL isn't expensive... I got a decent one for $5 a year.
  • 2
    You can say SSL helps with Google, because Google ranks SSL sites up.
  • 8
    Just tell him that it looks even cheaper when browsers are putting nicely visible "insecure" warnings on his login page. Or, with Chrome's next release, on every unencrypted page with input fields.

    Hopefully he won't end up like the guy who reported this as a bug to Mozilla 😂
  • 0
    funny that if he instead posted that here he'd have a dual monitor profile pic within a week
  • 0
    @unfuckers-inc What do ya mean?
  • 3
    I love it when other people don't put SSL on their sites. MitM all day long
  • 0
    @linuxxx hmm fuck wrong thread. this was for the post about the dude who went ballistic on vs' vcs deleting 3 months of his work.
  • 1
    Ugh, Let's Encrypt is probably the worst thing when it comes to SSL/TLS certificates. It makes me wanna smash something
  • 0
    @Linux Why? You also into MitM attacks?
  • 0
    @200OK
    PositiveSSL from Comodo right?
  • 2
    @Linux Agree to disagree. It enables people with less money to set up secure connections. I use it for like +- 10-15 domains/subdomains. I'd be able to do this for about 3-4 domains with paid ones. But hey, everyone has their own opinion.
  • 0
    @linuxxx @froot
    It enabled phishing sites to look secure, the only argument that is needed.
    Let's Encrypt needs to cease to exist
  • 2
    @Linux True, but without it I, and many devs I know, wouldn't be able to secure their sites/logins.
  • 2
    @Linux The thing is, nearly everything can be abused. Look at end-to-end encrypted messaging services, yes, terrorists use them, but that doesn't mean they shouldn't exist because they still protect a lot of people from surveillance and hackers. (my opinion)
  • 1
    @linuxxx
    I think $5/year is cheap enough for everyone. No excuses
    And if they want secure login to their private sites, they can just create a self-signed one
  • 1
    @Linux Up until roughly March it was actually more Comodo certs used for that. In addition, it's not SSL's job to verify whether a site is actually legit (except for maybe EV certs). I would rather blame browser UX for this common misconception.
    https://troyhunt.com/on-the-perceiv...
    Btw, Let's Encrypt is not the only one to offer free certs; Comodo does too
  • 0
    @linuxxx
    I think you don't really know what the whole idea with SSL/TLS is about.

    The idea and how SSL/TLS was designed is that you should trust the site you are visiting. The owner of the website/service has gone through some or extended validation to get that certificate.
    Let's Encrypt totally kills that, it kills the idea of "trust", it goes the opposite way of what the idea and how SSL/TLS was designed.

    Let's Encrypt is a BAD idea, it should not exist.
  • 0
    @Linux No it's not, it just validates that they control the domain they are using and not that they actually are who they claim. That's what EV certs are for, and they are neither free nor cheap.
  • 1
    @thiemok
    Explain to me, why Google decided to degrade and remove all the certificates issued by Symantec from their Google Chrome browser because one of Symantec's employees has issued 150 certificates wrongly? And Google still pumps a shitton of money into Let's Encrypt.

    That's called hypocrisy
  • 0
    @thiemok
    Yes it is.
    The cheaper certificates need email validation to specific email addresses (DV certs).
    And setting up an email service to obtain a certificate that is used in malicious activity takes time and slows them down. With LE, they don't need to.
  • 1
    @Linux So adding a simple mail entry to DNS is considerably more effort than LE?
  • 1
    @Linux Let's get one thing straight, I completely get your points, I just don't fully agree. Please don't 'attack' me by saying you think I don't know what SSL is about, I know that.

    I deffo don't know as much as you but hey, I'm less experienced, younger and so on.

    I'm saying that although it has its disadvantages (or to whatever level you want to call it), it also has its good things.
    For me, that good thing being that I am able to secure the connection between my users and my servers without it costing me money that I simply don't have.

    And if it's bad as fuck, why not start a collab to create something that works? (no, not being sarcastic, I'm doing the same myself right now with a more low level thingy). The thing is that paid variants are just too expensive for me so without Let's Encrypt, 80 percent of my sites would run without a secure connection.
  • 1
    @thiemok
    Yes it is.
    Here is something to read.

    https://nakedsecurity.sophos.com/20...

    Also, from a personal perspective - I do encounter A LOT of phishing sites and bad sites in general at work. All of them have a LE certificate, all of them.
  • 1
    @Linux Just so you know, I'm not invalidating any of your points as I know those are certainly issues, just not entirely agreeing :).
  • 1
    @linuxxx
    Again, $5/year is something everyone can afford. That's a coffee/pizza/beer.

    And no, I don't think you are that much younger than me really. :) I just see shit every day at work, as I mentioned above.
    Working as a sysadmin that maintains a quite high-security hosting environment for customers that pay a shitton of money to have their data secured. Every damn time there is a phishing attempt - Let's Encrypt is involved.

    And something that works - just charge a fee for certificates, any amount. That scares a lot of bad guys away because they do not want to be tracked with their credit card.
  • 1
    @linuxxx
    yeah I know that m8, and as you probably can tell - I am extremely frustrated over LE. (TRiGGERED REEEEEEEEEEEE)

    One solution maybe:
    LE can offer free certificates - if a user registers and gets validated. Then that person can request via an API a certain number of certificates per month. That will NOT remove the problem, but reduce it a lot.
  • 3
    @Linux I'm with @linuxxx here. Just to be clear here, I totally get those points. But a DV cert is just verifying the domain. Is it good that browsers don't make phishing domains more easily detectable? No. That's in part why EV certs were created, but they are not used widely enough to make users actually aware what the changed security indicator means. Please read the second part of the article I linked earlier, it shows quite well where I'm coming from here.
  • 0
    @Linux then what's your age if I may ask? :).

    As I said, I'm not invalidating anything you said, just partly disagreeing!
    It just felt like you were attacking me personally and I didn't like that.
  • 1
    @linuxxx
    I did not mean to make you feel attacked. Sorry about that.

    I am 25, married with three kids ^^
  • 0
    @Linux That sounds good yes! And yes I gathered the triggered part 😆
  • 1
    I do also second @linuxxx's opinion. Having a normal cert imo only verifies that nobody tampered with the data on the way between the server and the browser. It makes the web more secure.
    Sure it's a bad thing that Let's Encrypt certs get abused for phishing. Yes. But then again, there are more "advanced" certs also displaying the name of the company which should be used, if you want to verify a company as well as the integrity of the request.
  • 2
    @Linux damn, we're the same age and I couldn't imagine being married and having kids currently.
  • 1
    @Linux you're only three years older than me 😮. For me, step one right now towards children is finding a girlfriend 😞. Thanks for the apology, appreciated! *installs new letsencrypt cert* 😜
  • 1
    @Wack Yes you can. Just use your mind and your dirty fantasies!
  • 1
    @linuxxx lol you are my new favorite fucking ranter!
  • 0
    @greenhouse D'awhhh 😊 howso? :D
  • 1
    @linuxxx cause you fucking say it how it fucking is and you put these fad following, 'wanna be' engineers in their fucking place ; )
  • 2
    Funny really. Here I am getting SSL for my static site, while apparently logins don't necessarily need to be secure.
  • 4
    I'm smack down in the middle with this, partly agree with both parties. LE became an enabler, but unfortunately also for bad guys. Should LE stop? Fuck no! But make it a little scarier for the bad guys. Charge my credit card, verify I'm the owner of the card, debit the charge back then allow me to use LE
  • 0
    @LrdShaper What if you don't have a credit card? 😅
  • 3
    @linuxxx BTC FTW! 😀 Or use parent's/girlfriend's (pro tip: you need a girlfriend for the latter to work)
  • 1
    @LrdShaper yum install girlfriend did not work 😓
  • 3
    @linuxxx apt-get moo to get the powers that you need, then apt-get install the hell out of it
  • 1
    @wolt
    Well, tell that to Bob the builder who has learned to look for the green lock.
    I don't doubt your ability to see through phishing sites at all. But maybe my wife's and her Mom

    Meanwhile, take a look at this :)
    http://thehackernews.com/2017/04/...
  • 1
    @Linux Just to add here my 2 cents.

    Self-signed certs are not OK. They look sketchy as fuck. You expect a user of your site to see that big red Chrome warning about a self-signed cert and just proceed? I don't think so, they'll just leave.

    So I'm with @linuxxx here. LE is doing the world a service in that they are trying to move the whole web to HTTPS. With paid certs that would never happen and we'd still have a ton of sites sending traffic in plaintext. Now we at least have a chance of getting there
  • 0
    @Froot
    I am NOT talking about using self-signed certificates on sites that other users are supposed to use. Only for private use. Using a self-signed one for your website - well, even Let's Encrypt is better.
  • 0
    @Linux To be honest I wouldn't use self-signed certs anywhere. They just make whatever site you have look bad. I don't want my hard work made to look bad because of certs, even if I'm the only one using it.

    (We have self-signed certs on our company's internal sites and I fucking hate it)
  • 1
    @Froot
    How are you going to use LE on your company's internal tools?
  • 2
    I'm with @Linux with this one. It is also allowing places like Shopify to offer services like "free SSL" even though they are just Let's Encrypting it. This is giving average users the false impression that their ecommerce is secure... while it might have a basic SSL, I feel like you should have something paid and legit if you are doing anything with credit cards.

    $5 is less than your domain and I don't see anyone here bitching about paying for that.

    RIP the original .tk
  • 4
    Even my personal website has SSL. It's just a portfolio, static content, no forms or passwords or so get transferred, but still has SSL 'cause it's 2017 man.
  • 0
    @Linux Hah, good point actually. Never thought about that.
    I guess you could have internal sites on the same domain as external site or create a new domain for internal ones that doesn't really serve much externally. Not sure how ours is done
  • 3
    Who needs SSL when you can base64 the password in the client side? 😂😂
  • 1
    @arbel03 😷😲
  • 1
    Why even use passwords? They are way too hard to use...
    http://theregister.co.uk/2016/08/...
  • 1
    @thiemok In devRantron, this is only giving me the 08/2016 archives 😅. And in case I didn't welcome you yet, welcomes much!
  • 0
    Thanks!
    Search for strawberrynet security or something like that.
    In essence they are a large online retailer and thought passwords are not needed 🙈
  • 0
    @linuxxx is devRantron truncating the link by chance? If I just open theregister.co.uk/2016/08 I get the archives too
  • 1
    @thiemok Thanks! And DUCKDUCKGO ALSO ALLOWS FOR "site:yoursitename.tld" O.o that's a new one for me!
  • 0
    @linuxxx They have an amazing amount of parameters actually. They also allow you to switch the search engine using ![site] e.g. !g searches using Google, !r using Reddit and so on.
    That got me a few months ago when an error message I was trying to look up had an !r in there 😅

    Anyways shall I open an issue for devRantron about the link thing?