2015-12-13 7:17 GMT+01:00 Delan Azabani <de...@azabani.com>:
> On Sun, Dec 13, 2015 at 6:28 AM, Kevin Chadwick <m8il1i...@gmail.com> wrote:
>> On a low traffic site it already annoys me that I have to change it
>> once per year with startSSL.
>
> This is what the tooling provided by Let's Encrypt is designed to
> solve. It shouldn't be hard to issue new certificates, and for many
> applications, the fact that issuing them is a manual process results
> in more downtime when a certificate is compromised.
>

I'll give my 2 cents,

First, the author of the Let's Encrypt tool says himself that people are
perfectly right not to trust a random script downloaded from the
internet. Their tools should be seen as an example, not the only true
way of doing things.

Secondly, this whole thread should have ended long ago.
It has been mentioned a couple of times. The main outcome of https is
to make caching impossible. It introduces a non-trivial computational
cost for serving every file. Remember, OpenBSD is no Facebook. It
serves static files from cache, not the output of a script.
There is a lot of whining about refusing https despite it being a
mitigation technique. Would you accept a mitigation technique making
your favorite OS half as slow and consuming twice as much power? I
don't think so.

Signify exists for integrity. You can get an initial key with the CD.
The CD looks cool on a shelf, comes with nice artwork, helps pay Theo's
bills and is way harder to tamper with than a letter. Who talked about
fiendish difficulty?
A VPN is a better tool for anonymity. https doesn't hide your DNS query
or the domain you are connecting to. All the bad guy has to do is search
the site for which page has the same length as the one you downloaded. If
done right, a VPN will hide who is downloading the file and take the
burden away from the OpenBSD project.

-- 

Cordialement, Coues Ludovic
+336 148 743 42
