Lukewarm take:
When I see general* "security advice" that mentions "do not use public WiFi" or "use a VPN", I am immediately suspicious about all other advice offered.
Yes, a decade ago that was a consideration, because most sites were not using HTTPS. Credentials were flying cleartext on the wire.
Today, almost all sites use HTTPS. Doesn't mean the risk is zero, but it's way lower.
*) "general" meaning "without a very specific threat model in mind", meant for general public, etc.
Actually, downgraded that take to "lukewarm", it should really not be controversial at all these days. It's been a hot minute since LetsEncrypt changed the HTTPS landscape!
What is beyond me is that such "security advice" still gets pushed. 
Also, shout-out to @letsencrypt for dramatically changing the security landscape of the Web for the better over the years.
Rarely is there an example of a project so effective and so directly improving everyone's lives, while at the same time keeping the original engineering mindset and just Doing Stuff Right™ humbly in the background.
Next November it will have been exactly a decade since LE started. We all owe them a huge 10th birthday party.
@stepan @rysiek @letsencrypt do you want to offer a random public wifi provider a fraction of your DNS traffic, or an VPN provider all of your DNS traffic? I think the later is worse.
Yes, VPN brings protection, but only if you run the server yourself.
@rysiek @letsencrypt For real! Certs used to be so expensive! And often confusing. LE absolutely changed the game.
I might get away from building web software if we ever devolved back to the pre-LE days.
@rysiek And other people just say this was Google enforcing TLS security with HTTPS on the web.
There are legitimate applications on the web, that don't need TLS to work, which are perfectly fine for the creative commons, e.g..
And that it's not clear why a web page requested via HTTP should be marked as insecure in the UI, if it will not receive any particularly sensitive information.
That Let's Encrypt was a heist to further enclose the open web.
It was a revelation for some, not all.
@yala @rysiek Some providers started injecting JavaScript into pages served without TLS, sometimes to display ads, sometimes to show warnings about your account.
HTTPS everywhere also killed the annoying and RFC-violating NXDOMAIN capture pages served by some providers.
Letsencrypt and HTTPS everywhere are a good thing that needed to happen to the web.
@neverpanic
Thank you for calmly explaining this further. I need to nod to the fact that the side-effects of the protocol design of HTTP do not only affect the implementations of some enthusiast environment, but the Web at large. There we must address for a quite larger diversity of possible misuse, which is well covered by HTTPS.
@yala @rysiek let me help you here: https://www.troyhunt.com/heres-why-your-static-website-needs-https/
TLDR: Because it's not all about sending sensitive data. Attackers can manipulate your site when served over HTTP. They can inject all kinds of nonsense, from animated gifs to crypto miners to requests to other websites. And these things are done in the real world at ISP levels in various countries.
So while you might don't need the encryption HTTPS provides, you probably want the authentication.
It was Jan last year that I suggested HTTPS adoption had passed the "tipping point" [https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/], that is, it had passed the moment of critical mass [https://en.wikipedia.org/wiki/The_Tipping_Point] and as I said at the time, "will very shortly become the
> They can inject all kinds of nonsense, from animated gifs to crypto miners to requests to other websites.
Not to mention actual malware:
https://citizenlab.ca/2014/08/cat-video-and-the-death-of-clear-text/
@FritzAdalis or if you actually just have a way of doing that. Automating certificate renewal before @letsencrypt was an utter pain in the arse even if you wanted to do it!
@bencurthoys @rysiek @letsencrypt current TLS with SNI does not hide which site you visit
@rysiek
Without @letsencrypt I would probably not be able to self-host the things I host. I used to do StartSSL (they also offered free certs) but that was a manual process that I would need to complete for a bunch of domains. And then I would probably either decide against self-hosting or against publicly exposing the service or use something unsafe like putting all projects on the same subdomain.
At any rate: this is so much better! Thanks Letsencrypt!
@rysiek @letsencrypt I remember getting a certificate for the first time for one of my sites, $100+ a year. Insignificant for most businesses but it was something for me.
Now can just set up a new domain or subdomain and register a certificate in minutes...
For another reason, @letsencrypt can be considered pioneers: their service is both free *and* commonly accepted.
One of the most uncomfortable, overlooked consequences of "certified" electronic IDs, timestamps etc is that lawmakers and regulatory bodies have resorted to defining heavy constraints only, leaving implementation to the "market".
The result is that related services are essentially inaccessible when you can't afford to pay for a commercial provider.
@rysiek the only thing that pisses me off re: #LetsEncrypt is tuat they basically got #VC-#TechBro #FastLane in regards to acceptance whilst #CaCert got #Cockblocked by #GAFAMs all day despite doing actual #DueDiligence re: who gets a #certificate.
But better @letsencrypt than no #SSL, even tho I think #X509 is bad and ibstead we should've #OpenPGP-based #encryptioncfor everything...
@rysiek I know.
And @letsencrypt is better than no encryption at all.
It just feels kinda shit when one does actual effort akd due diligence and then just gets rolled over by a huge ass firm...
Interesting perspective wrt Let’s Encrypt vs CA Cert. My take was that Let’s Encrypt basically did the minimum that was required by the CA/Browser forum while CA Cert constructed a parallel scheme for verifying OpenPGP certs which is in no way required for CA/Browser forum regulations.
As for OpenPGP/X.509 of course the CA system is suboptimal but it works while OpenPGP is used only in niche environments (let’s put aside the OpenPGP/LibrePGP split that’s going on right now).
@rysiek In Let's Encrypt's un-defence, their usefulness comes from the fact that they're fixing a glaring hole that commercial web-makers of late nineties built into the protocol stack in order to pave the way for a centralised WWW.
Michał "rysiek" Woźniak · 🇺🇦
Charims
Štěpán Škorpil
Christoph Petrausch
viq
Jack Linke 🦄
arutaz
jon r
Clemens
Max Harmony
Sheogorath
Fritz Adalis
waldi
mirabilos
Karolina Broniarek
Ben Curthoys
~n
Henrik Kramselund - kramse
The Jack of Sandwich
Mike Edey
Jessamyn
*sigh*Ber nard
Derick Rethans
Gord
Claudius
mathew
Cenobyte 
katzenberger
Sean Killeen
Marcus
Kevin Karhan 
Wiktor Kwapisiewicz
Riley S. Faelan