[00:05] <mercutio> damn there's been lots of netsplits and no talk :)
[01:07] *** pyvpx_ is now known as pyvpx
[01:22] *** rendrag_ has joined #arpnetworks
[01:22] *** mnathani has quit IRC (Ping timeout: 264 seconds)
[01:57] *** mnathani has joined #arpnetworks
[04:55] *** ziyourenxiang has joined #arpnetworks
[05:00] *** ziyoureniang has joined #arpnetworks
[05:05] *** ziyourenxiang has quit IRC (Quit: ziyourenxiang)
[05:09] *** ziyoureniang has quit IRC (Quit: Leaving)
[05:10] *** ziyoureniang has joined #arpnetworks
[05:11] *** ziyoureniang has quit IRC (Client Quit)
[05:19] *** ziyourenxiang has joined #arpnetworks
[06:31] *** ziyourenxiang has quit IRC (Quit: Leaving)
[06:51] *** mnathani has quit IRC (Ping timeout: 246 seconds)
[06:52] *** mnathani has joined #arpnetworks
[07:57] *** hive-mind has quit IRC (Ping timeout: 240 seconds)
[08:05] *** hive-mind has joined #arpnetworks
[08:13] *** milki_ is now known as milki
[08:20] *** mnathani has quit IRC (Ping timeout: 250 seconds)
[08:22] *** mnathani has joined #arpnetworks
[08:34] *** carvite has joined #arpnetworks
[09:02] *** mnathani has quit IRC (Ping timeout: 250 seconds)
[09:07] *** mnathani has joined #arpnetworks
[09:13] *** mnathani has quit IRC (Ping timeout: 240 seconds)
[09:14] *** mnathani has joined #arpnetworks
[09:47] *** mnathani has quit IRC (Ping timeout: 240 seconds)
[09:57] *** mnathani has joined #arpnetworks
[10:02] *** dwarren has quit IRC (Ping timeout: 265 seconds)
[11:02] *** dwarren has joined #arpnetworks
[14:57] <mercutio> let's encrypt is in limited beta
[14:58] <mercutio> err entering on dec 3rd
[15:00] <mjp__> i still gont get the 90 day expiry part... seems kind of annoying
[15:01] <mjp__> and no... im not running their shitty cert rotation script on my boxes
[15:02] <brycec> Shorter lifetime means smaller attack/compromise surface
[15:02] <brycec> (Google's been running 30-90 day certs for their services for awhile)
[15:03] <chrismsnz> also ensures that your cert handling is up to snuff
[15:03] <chrismsnz> e.g. an automated, simple process in place to swap them out
[15:03] <brycec> (I make no argument for or against their rotation script)
[15:03] <chrismsnz> which is good when it comes to handling certificates securely
[15:03] <brycec> ^ Or it's bad because you hack something insecure together :p
[15:03] * mercutio just did a beta request for a few domains... dunno how it'll go :)
[15:04] <mercutio> tbh, whenever certs are 2 or 3 years expiry it seems people are more liekly to not keep them up to date
[15:04] <mercutio> err to hit a problem for a few days with being out of date
[15:05] <mercutio> esp. with smaller sites.  if it's 3 months, then people kind of have to "fix" the way they do certs.
[15:05] <brycec> I don't get what's so hard about putting the cert expiry on your calendar when it's issued, and poof it won't surprise you
[15:05] <mercutio> heh one of my smokeping's has an out of date cert.
[15:06] <chrismsnz> also there's the mismatch between domain expiry and cert expiry
[15:06] <mercutio> 10 days.
[15:06] <mercutio> chris: i have a ssl cert through namecheap with my domain, not that i'm using it..
[15:06] <chrismsnz> shorter cert expiry reduces the time where somebody has a valid certificate for a domain they do not own
[15:06] <mercutio> cos i'm just using cloudflare..
[15:06] <brycec> Another good point, chrismsnz
[15:06] <chrismsnz> thats fine if you dont mind cloudfare mitm all your traffic :)
[15:06] <mercutio> it seemed like a good idea at the time.
[15:07] <mercutio> there's nothing critical on it really
[15:07] <mercutio> i mostly just post screenshots and stuff to it
[15:07] <mjp__> changing the cert every 90 days != changing the private key every 90 days
[15:07] <mercutio> but cloudflare's hit rates suck
[15:07] <mjp__> i dont see how its any more secure
[15:07] <mercutio> so i'm actually planning to ditch it
[15:08] <mercutio> i'm actually way more concerned about people using *.domain certs  everywhere across multiple machines
[15:08] <mjp__> "time where somebody has a valid certificate for a domain they do not own"... if letsencrypt were the only cert provider this would be true. but they're not
[15:08] <mercutio> for some reason the name of such is escaping me, wildcard came to mind but that sounds wrong.
[15:09] <brycec> mercutio: *.domain is a wildcard, yes
[15:09] <mercutio> but yeah having a wide attack vector seems messier to me
[15:10] <mercutio> there's also a premium on wildcard certs, but i think if certs can just be cheap/affordable/free then having lots of non wildcard certs /usually/ makes sense
[15:11] <brycec> (Easier for me to have individual Startcom SSL certs for various services than pay for a single wildcard, for instance.)
[15:13] <mercutio> yeh they're expensive.
[15:13] <brycec> And free is just so free...
[15:13] <mercutio> if you have a proxy or constant cdn or such wildcard is just as insecure
[15:14] <mercutio> i kind of hoped that with virtualisation would come more "objects" where one bit of work is done in one place, and another in another, connected together.
[15:14] <mercutio> but currently, it seems that mostly consolidation/cost cutting has happened.
[15:15] <mercutio> there's cool projects with xen and so forth to make an OS image that's a container of sorts that is compiled to only do one function - like you could have a DNS OS or such.
[15:16] <mercutio> at least php is moving to php-fpm etc these days creating some isolation
[15:17] <plett> I have a test domain up and working with letsencrypt
[15:18] <mercutio> plett: cool
[15:18] <mercutio> plett: any thoughts on it?
[15:18] <plett> The 90 day thing isn't the annoying bit for me - that side is solvable with automation
[15:20] <plett> The bit that annoys me is that they only considered web servers when designing it. The only way to get a cert at the moment is to run their python client which can receive traffic on port 80 or 443
[15:23] <plett> You can either run a standalone client which listens on those ports itself and therefore means taking your web server offline, or there are hooks into Apache (and almost nginx) which reconfigure your web server(!) to have a new vhost which can serve the right responses
[15:23] <mercutio> erk
[15:23] <mercutio> why not just do something like google's ad thing does
[15:23] <mercutio> where you stick a special thing in the html
[15:24] <plett> That I don't know
[15:25] <plett> I'm sure more options will come over time, but neither of the current options works for me
[15:26] <plett> I wouldn't want to take my webserver offline and run their client code as root in a cron job
[15:26] <plett> And the thought of them trying to add a virtualhost to my apache config scares me too
[15:28] <mercutio> i just upgraded to nginx 1.9.6 last night
[15:28] <mercutio> on one host.  they have http2 :)
[15:31] <plett> I'm using it as a learning exercise, and my setup is slightly over-engineered. I've got haproxy in a docker container listening on 80 and 443 and doing ssl termination and forwarding everything in to an nginx container which currently just serves some plain text
[15:32] <plett> I think I should be able to use haproxy to filter the letsencrypt authentication traffic off to somewhere else while still serving all the normal traffic
[15:33] <plett> I'm also using it as an opportunity to use the brand new docker-compose networking support
[15:33] <plett> It will probably also need etcd and confd to manage the haproxy config. I've not used them before
[16:12] *** mnathani has quit IRC (Ping timeout: 240 seconds)
[16:14] *** mnathani has joined #arpnetworks
[16:52] *** mnathani has quit IRC (Ping timeout: 264 seconds)
[17:17] *** mnathani has joined #arpnetworks
[17:38] *** mnathani has quit IRC (Ping timeout: 246 seconds)
[17:45] *** mnathani has joined #arpnetworks
[19:05] *** jcv_ has quit IRC (Ping timeout: 240 seconds)
[19:06] *** jcv has joined #arpnetworks
[22:59] *** mnathani has quit IRC (Ping timeout: 240 seconds)
[23:01] *** mnathani has joined #arpnetworks
[23:06] *** mnathani has quit IRC (Ping timeout: 252 seconds)