February 11th, 2023, 09:47 AM   #28
InvisiBill
EX500 full of EX250 parts
 
 
Name: Bill
Location: Grand Rapids-ish, MI
Join Date: Jul 2012

Motorcycle(s): '18 Ninja 400 • '09 Ninja 500R (selling) • '98 VFR800 (project) • '85 Vulcan VN700 (sold)

Posts: A lot.
Blog Entries: 1
MOTM - Aug '15
@Alex, you've got about 5 weeks left on the current SSL cert. If you've got some time, it might be worth looking into Let's Encrypt/ACME stuff now-ish. https://letsencrypt.org/docs/client-options/

Because of the way my host is set up, and the fact that I use a different provider for DNS, I have to do LE renewals manually. But honestly, it's still fairly quick and easy with the Windows commandline client and some copy & paste. The hardest part is actually that my host's setup means I have to manually select the installed wildcard cert from a dropdown for each subdomain I have.

Based on stuff you've done around here previously, I assume you'd be able to install the necessary things to automate it.



For the non-technical people, renewing your SSL certs is comparable to rekeying the locks on your house on a regular basis, just to make sure anyone who happened to get a copy of your key can no longer get in. The cert expiration sets the schedule to rekey your locks (originally based on the time needed for someone to brute-force crack the encryption). Being past the expiration date just means that it's still using the old lock and the schedule says the lock should've been rekeyed by now, not that anyone has actually breached the lock.

Other SSL warnings mean other things though, like the MyEtherWallet imposter server mentioned above. Unfortunately, I think a lot of browsers do the user a disservice in this regard. A lot of them seem to just be "SSL IS BROKEN!!!!1 INSECURE!!!!!!1" on all issues without any real detail about the problem or what it likely means. Ninjette's SSL cert expiring 12 hours ago is much less of an issue (Alex just forgot to update it on time) than MyEtherWallet's cert saying that it's coming from an untrusted root cert (a financial website suddenly switching to a "homemade" cert instead of one from a trusted authority). Even a cert that's been expired for 10 years might not really concern you. If it's just a website listing some oil filter part numbers or something? It doesn't matter to me if the connection is actually secure, because I'm not transferring any data that needs to be secured. If it's a financial service? I'm not giving them any info at all if parts of their security haven't been touched in 10 years.
__________________________________________________

*** Unregistered, I'm not your mom and I'm not paying for your parts, so do whatever you want with your own bike. ***
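
An added example, not part of the original post: a small Python check that reports how many days a site's certificate has left and, when verification fails, says which kind of failure it was (expired versus untrusted issuer versus wrong host) instead of one generic warning. The 35-day warning window and the dates in the demo are constructed for illustration; the numeric codes are OpenSSL's X509 verification error codes.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509_V_ERR_* codes, exposed as SSLCertVerificationError.verify_code
VERIFY_MEANING = {
    9:  ("not-yet-valid", "start date is in the future (check the clocks)"),
    10: ("expired", "renewal was missed; the chain of trust is unchanged"),
    18: ("untrusted", "self-signed certificate, no trusted authority vouches for it"),
    19: ("untrusted", "chain ends in a root this client does not trust"),
    20: ("untrusted", "issuer not found in the local trust store"),
    62: ("wrong-host", "certificate was issued for a different name"),
}

def classify(verify_code):
    """Map a verification error code to (category, plain-language meaning)."""
    return VERIFY_MEANING.get(verify_code, ("other", "unrecognised verification failure"))

def days_left(not_after, now=None):
    """Whole days until expiry; not_after is getpeercert()['notAfter']."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((expires - now) // 86400)  # negative once the cert has expired

def check(host, port=443, warn_days=35):
    """Connect with normal verification and return a one-line status."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                left = days_left(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as err:
        kind, meaning = classify(err.verify_code)
        return f"{host}: {kind}: {meaning}"
    state = "renew-soon" if left <= warn_days else "ok"
    return f"{host}: {state}: {left} days until expiry"

if __name__ == "__main__":
    # Constructed dates, offline demo: about five weeks before a made-up expiry.
    today = ssl.cert_time_to_seconds("Feb 11 12:00:00 2023 GMT")
    print(days_left("Mar 18 12:00:00 2023 GMT", now=today))
    print(classify(10), classify(19))
```

Calling `check("example.org")` from a scheduled job gives the early warning; the category in the failure line is what separates a missed renewal from a certificate nobody trusted vouches for.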