#arpnetworks 2015-11-17,Tue

<mercutio> damn there's been lots of netsplits and no talk :) [00:05]
............. (idle for 1h2mn)
***pyvpx_ is now known as pyvpx [01:07]
.... (idle for 15mn)
rendrag_ has joined #arpnetworks
mnathani has quit IRC (Ping timeout: 264 seconds)
[01:22]
........ (idle for 35mn)
mnathani has joined #arpnetworks [01:57]
.................................... (idle for 2h58mn)
ziyourenxiang has joined #arpnetworks [04:55]
ziyoureniang has joined #arpnetworks [05:00]
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
ziyoureniang has quit IRC (Quit: Leaving)
ziyoureniang has joined #arpnetworks
ziyoureniang has quit IRC (Client Quit)
[05:05]
ziyourenxiang has joined #arpnetworks [05:19]
............... (idle for 1h12mn)
ziyourenxiang has quit IRC (Quit: Leaving) [06:31]
..... (idle for 20mn)
mnathani has quit IRC (Ping timeout: 246 seconds)
mnathani has joined #arpnetworks
[06:51]
.............. (idle for 1h5mn)
hive-mind has quit IRC (Ping timeout: 240 seconds) [07:57]
hive-mind has joined #arpnetworks [08:05]
milki_ is now known as milki [08:13]
mnathani has quit IRC (Ping timeout: 250 seconds)
mnathani has joined #arpnetworks
[08:20]
carvite has joined #arpnetworks [08:34]
...... (idle for 28mn)
mnathani has quit IRC (Ping timeout: 250 seconds) [09:02]
mnathani has joined #arpnetworks [09:07]
mnathani has quit IRC (Ping timeout: 240 seconds)
mnathani has joined #arpnetworks
[09:13]
....... (idle for 33mn)
mnathani has quit IRC (Ping timeout: 240 seconds) [09:47]
mnathani has joined #arpnetworks [09:57]
dwarren has quit IRC (Ping timeout: 265 seconds) [10:02]
............. (idle for 1h0mn)
dwarren has joined #arpnetworks [11:02]
................................................ (idle for 3h55mn)
<mercutio> Let's Encrypt is in limited beta
err entering on Dec 3rd
[14:57]
<mjp__> i still don't get the 90 day expiry part... seems kind of annoying
and no... i'm not running their shitty cert rotation script on my boxes
[15:00]
<brycec> Shorter lifetime means smaller attack/compromise surface
(Google's been running 30-90 day certs for their services for awhile)
[15:02]
<chrismsnz> also ensures that your cert handling is up to snuff
e.g. an automated, simple process in place to swap them out
[15:03]
<brycec> (I make no argument for or against their rotation script) [15:03]
<chrismsnz> which is good when it comes to handling certificates securely [15:03]
<brycec> ^ Or it's bad because you hack something insecure together :p [15:03]
* mercutio just did a beta request for a few domains... dunno how it'll go :)
<mercutio> tbh, whenever certs are 2 or 3 years expiry it seems people are more likely to not keep them up to date
err to hit a problem for a few days with being out of date
esp. with smaller sites. if it's 3 months, then people kind of have to "fix" the way they do certs.
[15:03]
<brycec> I don't get what's so hard about putting the cert expiry on your calendar when it's issued, and poof it won't surprise you [15:05]
<mercutio> heh one of my smokepings has an out of date cert. [15:05]
<chrismsnz> also there's the mismatch between domain expiry and cert expiry [15:06]
<mercutio> 10 days.
chris: i have an ssl cert through namecheap with my domain, not that i'm using it..
[15:06]
<chrismsnz> shorter cert expiry reduces the time where somebody has a valid certificate for a domain they do not own [15:06]
<mercutio> cos i'm just using cloudflare.. [15:06]
<brycec> Another good point, chrismsnz [15:06]
<chrismsnz> that's fine if you don't mind cloudflare mitm all your traffic :) [15:06]
<mercutio> it seemed like a good idea at the time.
there's nothing critical on it really
i mostly just post screenshots and stuff to it
[15:06]
<mjp__> changing the cert every 90 days != changing the private key every 90 days [15:07]
<mercutio> but cloudflare's hit rates suck [15:07]
<mjp__> i don't see how it's any more secure [15:07]
<mercutio> so i'm actually planning to ditch it
i'm actually way more concerned about people using *.domain certs everywhere across multiple machines
[15:07]
<mjp__> "time where somebody has a valid certificate for a domain they do not own"... if letsencrypt were the only cert provider this would be true. but they're not [15:08]
<mercutio> for some reason the name of such is escaping me, wildcard came to mind but that sounds wrong. [15:08]
<brycec> mercutio: *.domain is a wildcard, yes [15:09]
<mercutio> but yeah having a wide attack vector seems messier to me
there's also a premium on wildcard certs, but i think if certs can just be cheap/affordable/free then having lots of non wildcard certs /usually/ makes sense
[15:09]
<brycec> (Easier for me to have individual Startcom SSL certs for various services than pay for a single wildcard, for instance.) [15:11]
<mercutio> yeh they're expensive. [15:13]
<brycec> And free is just so free... [15:13]
<mercutio> if you have a proxy or constant cdn or such wildcard is just as insecure
i kind of hoped that with virtualisation would come more "objects" where one bit of work is done in one place, and another in another, connected together.
but currently, it seems that mostly consolidation/cost cutting has happened.
there's cool projects with xen and so forth to make an OS image that's a container of sorts that is compiled to only do one function - like you could have a DNS OS or such.
at least php is moving to php-fpm etc these days creating some isolation
[15:13]
<plett> I have a test domain up and working with letsencrypt [15:17]
<mercutio> plett: cool
plett: any thoughts on it?
[15:18]
<plett> The 90 day thing isn't the annoying bit for me - that side is solvable with automation
The bit that annoys me is that they only considered web servers when designing it. The only way to get a cert at the moment is to run their python client which can receive traffic on port 80 or 443
You can either run a standalone client which listens on those ports itself and therefore means taking your web server offline, or there are hooks into Apache (and almost nginx) which reconfigure your web server(!) to have a new vhost which can serve the right responses
[15:18]
<mercutio> erk
why not just do something like google's ad thing does
where you stick a special thing in the html
[15:23]
<plett> That I don't know
I'm sure more options will come over time, but neither of the current options works for me
I wouldn't want to take my webserver offline and run their client code as root in a cron job
And the thought of them trying to add a virtualhost to my apache config scares me too
[15:24]
<mercutio> i just upgraded to nginx 1.9.6 last night
on one host. they have http2 :)
[15:28]
<plett> I'm using it as a learning exercise, and my setup is slightly over-engineered. I've got haproxy in a docker container listening on 80 and 443 and doing ssl termination and forwarding everything in to an nginx container which currently just serves some plain text
I think I should be able to use haproxy to filter the letsencrypt authentication traffic off to somewhere else while still serving all the normal traffic
I'm also using it as an opportunity to use the brand new docker-compose networking support
It will probably also need etcd and confd to manage the haproxy config. I've not used them before
[15:31]
........ (idle for 39mn)
***mnathani has quit IRC (Ping timeout: 240 seconds)
mnathani has joined #arpnetworks
[16:12]
........ (idle for 38mn)
mnathani has quit IRC (Ping timeout: 264 seconds) [16:52]
...... (idle for 25mn)
mnathani has joined #arpnetworks [17:17]
..... (idle for 21mn)
mnathani has quit IRC (Ping timeout: 246 seconds) [17:38]
mnathani has joined #arpnetworks [17:45]
................. (idle for 1h20mn)
jcv_ has quit IRC (Ping timeout: 240 seconds)
jcv has joined #arpnetworks
[19:05]
............................................... (idle for 3h53mn)
mnathani has quit IRC (Ping timeout: 240 seconds)
mnathani has joined #arpnetworks
[22:59]
mnathani has quit IRC (Ping timeout: 252 seconds) [23:06]