Is there any reason or use case for plain HTTP servers to be run?

You are currently reading a thread in /g/ - Technology

Thread replies: 155
Thread images: 15
File: 1448292535680.jpg (59 KB, 513x510)
Is there any reason or use case for plain HTTP servers to be run?
>>
It's funny that browsers consider self-signed HTTPS servers to be less secure than plain HTTP.
>>
>>51979231
Not now that Let's Encrypt has launched.

>>51979242
This is also no longer a problem now that Let's Encrypt has launched.

HTTP does not exist. There is only HTTPS.
>>
>>51979242
Because you didn't pay the security tax goy.
>>
File: 572903.jpg (33 KB, 465x265)
>>51979280
Let's Encrypt doesn't work on Windows XP

Considering it's the most used Windows version, it's a great reason not to use Let's Encrypt.
>>
>>51979298

>implying I want Windows XP plebs anywhere near my web server
>>
>>51979242
It's ok. If it didn't, computer illiterate people would think just because it's HTTPS, it's secure. Better to warn.
>>
>>51979324
The problem is that other people won't use it for their webserver, and if they're cheapskates, they'll just use plain HTTPS.

The web will probably never be HTTPS-only
>>
>>51979327
Moot point. Computer illiterate people think everything is secure.
>>
>>51979378
Nope. Many people, for example, wouldn't write their bank account number if the website isn't through HTTPS, although they know nothing about this stuff.
>>
>>51979298
What planet are you living on? XP has 5%, 7 has 30% and 8.1 has 10%. Also, all remaining XP users are worthless subhumans who don't deserve the internet.
>>
>>51979298
Do you mean you can't run a web server on windows that is served through Let's Encrypt?
>>
>>51979406
People already looked at their emails containing their personal information over HTTP.
>>
>>51979462
It's the other way around. You can't visit a website that uses Let's Encrypt on XP.
>>
>>51979462
Nope. That can be done, actually. The Let's Encrypt certificate doesn't work on clients, so you'll be losing a large percentage of the Internet.
>>
>>51979493
>5%
>all of them tech illiterates
>a large percentage
>>
>>51979406
Those same people already write their personal information through regular http sites. HTTPS will never be web-standard.
>>
>>51979493
>>51979486
Why is that an issue? Isn't the browser checking the certificates?
>>
>>51979327
>>51979378
>>51979406
HTTPS is secure. You're secure from packet sniffing and you can rest easy that nobody but you and the site you're on saw what went over the network. Sadly, normalfags think you're immune to malware and shit over HTTPS, but that's not my problem.
>>
>>51979506
You are not secure from packet sniffing if the certificate is self-signed.
>>
>>51979501
Majority of computers in the world are running Windows XP.

>>51979503
Let's Encrypt's certificate takes liberties and makes assumptions that XP and older Android versions don't tolerate. It's not an ordinary certificate, it uses newer features that allow it to be free of charge.
>>
>>51979530
>Majority of computers in the world are running Windows XP.
That is completely false. Please stop spreading this misinformation. What are your sources?
>>
>>51979527
You're not secure from packet sniffing even if it is authority signed.
>>
>>51979539
No shit. But you will get SSL encrypted packets.
>>
>>51979506
Computer illiterates would be more safe putting their personal information through self-signed HTTPS instead of the HTTP that they already submit to.
>>
>>51979503
Actually, Firefox might work because it checks its own certificates. Chrome (and obviously IE) uses the OS libraries.
>>
>>51979563
Firefox is a minority-usage browser. Not being able to fully support Chrome or XP is a huge risk to websites that are thinking of using Let's Encrypt.
>>
>>51979242
That's because it is.
Encryption without identity is actively harmful so you can't be sure you're not being mitm'd.

Browsers should add per-site fingerprint trust stores though, like we have with ssh.
>>
>>51979585
>if it's 99% secure, it's worse than if it were 0% secure

>people should still pass their data over plain http just because muh authority
>>
>>51979583
>Chrome or XP
Chrome _on_ XP. It's not actually a big deal. Chrome is dropping XP support next year. Then only IE will have the problem, but most sites have already dropped IE8. You should try browsing the web with IE8 these days. Pretty much nothing works.
>>
>>51979618
The most used browser on the most used OS is a big deal that will hold Let's Encrypt back from achieving market share.
>>
>>51979629
>the most used OS
Stop that or post your sources.
>>
>>51979614
How often do you check the authority of the certificate? I generally don't. So, if it doesn't warn me, I assume it is signed by an authority and is secure.
>>
Bulk static content. The hundreds of item thumbnails and images, and CSS files that come to the user in every shopping site. That don't need to be encrypted. Yahoo, Amazon and others have sub business that just host bulk static content, so you don't need to load your own webserver with it.
>>
>>51979558
There is no reason to use a self-signed cert now that Let's Encrypt is trusted.
>>
>>51979643
The problem is that there's still terabytes of unencrypted personal information being passed over the Internet on a regular basis all because people don't want to pay the security tax to their domain registrar to license their ability to run https.
>>
>>51979668
Self-signed certs work well on Chrome and Windows XP, Let's Encrypt does not.
>>
>>51979629
Still no evidence given for xp use.
Cuck.
>>
>>51979700
Let's Encrypt is for cucks who can't get a real SSL certificate.
>>
>>51979698
It's a good thing practically no-one uses XP, unless you found that source. Even OS X has more users than XP.

Is this buyer's remorse or something? Did you buy a cert and get butt-blasted that Let's Encrypt started offering them for free? Or are you just retarded?
>>
>>51979716
Let's Encrypt is for everybody. Every website should use it, no matter if there is no data sent to the server.
>>
>>51979740
Every website wants majority browser/OS support, not Let's Encrypt.
>>
>>51979716
Still spreading misinformation without source.
>>51979735
Yes
Yes
And yes
>>
>>51979740
>every website uses letsencrypt
>some neckbeard ddoses the $100/mo letsencrypt server with a couple of amazon virtual servers
>paypal goes down
>bajillions of dollars lost
>there will never be a free certificate authority again
>>
>>51979749
>Still implies that XP has much market share.
>>
>>51979777
My bad for misunderstanding. I wanted to say, every website should use HTTPS.
>>
>mfw people actually fell for the Let's Encrypt meme
>>
File: 1445598111279.jpg (20 KB, 402x225)
>>51979749
XP is still not the majority OS. It's not even the second or third most used, by any metric. You really are retarded.

How can you expect anyone in this thread to take you seriously when you are blatantly lying in every other post and being repeatedly called out on it? Anyone who hasn't been living under a rock for the past couple of years knows that XP is no longer the most used operating system. Please stop shilling for the paid certificate cartel.
>>
>>51979793
Are you getting desperate? That money you wasted on a certificate isn't coming back.
>>
>>51979537
Not that guy, but what are YOUR sources?
>>
>>51979242
If browsers didn't warn about self-signed certificates, it would be impossible to tell when a usually CA-certified site switches to a self-signed certificate (for instance in a MITM). TLS depends on certificate authorities, there's currently no way to make it more user friendly without sacrificing security.

That said, they should probably start warning users when they visit a site over HTTP. Like making the part of the location bar where the padlock would be for a HTTPS site start blinking red or something.
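The per-site fingerprint store suggested earlier in the thread (like ssh's known_hosts), applied to the certificate switch described in the post above, as an added example that is not part of any post. `PinStore`, its method names and the byte strings standing in for DER certificates are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SITE_CERT = b"constructed-der: CN=example.test, self-signed, key A"
MITM_CERT = b"constructed-der: CN=example.test, self-signed, key B"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole certificate, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Hypothetical per-site pin store; keys are 'host:port' like known_hosts."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def _key(host: str, port: int) -> str:
        # Normalise case and a trailing dot so one site maps to one pin.
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        key = self._key(host, port)
        seen = fingerprint(cert_der)
        pinned = self._pins.get(key)
        if pinned is None:
            # Trust on first use: nothing vouches for this certificate.
            self._pins[key] = seen
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Never overwrite silently: a legitimate rotation and an interception
        # look identical here, so the user has to confirm out of band.
        return "mismatch"

    def accept_new(self, host: str, port: int, cert_der: bytes) -> None:
        """Explicit re-pin after the user has verified the new certificate."""
        self._pins[self._key(host, port)] = fingerprint(cert_der)


def demo():
    store = PinStore()
    return [
        store.check("example.test", 443, SITE_CERT),   # first visit
        store.check("Example.TEST.", 443, SITE_CERT),  # same site, same cert
        store.check("example.test", 443, MITM_CERT),   # certificate changed
        store.check("example.test", 443, SITE_CERT),   # pin was not replaced
        store.check("example.test", 8443, MITM_CERT),  # other port: new pin
    ]


if __name__ == "__main__":
    print(demo())
```

The "first-use" result is the weak point of this model: an interception that is already in place on the first visit gets pinned as the legitimate certificate.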
>>
File: os_market_share_2015.jpg (19 KB, 635x369)
>>51979537
>>
>>51979831
http://gs.statcounter.com/#desktop-os-ww-monthly-201411-201511

StatCounter, senpai, but I actually can't find a source that says XP is on top.
>>
>>51979831
User agent stats of a popular web server I run.
>>
>>51979845
great sauce buddy.
>>
File: 1446963023257.jpg (30 KB, 403x497)
>they fell for the Let's Encrypt meme
>>
>>51979845
Nice unsourced image. You realise this is no more credible than your posts, right? Is this something you just whipped up in Excel or is it exclusively the usage for Herpderpistan?
>>
File: 1444364500388.jpg (33 KB, 598x336)
>>51979865
>people are ridiculing me, so i'm just going to make the same post over and over until they go away
Give up.
>>
s
>>
>>51979845
>not even windows 10 on it or linux
>>
File: OS_counter_2015.jpg (36 KB, 580x401)
>>
>>51979831
You ARE that guy.
And YOU need to provide sources since you are making statements as fact.
>>
>>51979875
>>51979892
LE shills pls go, no one's falling for your meme certificate
>>
Too bad they won't sign IP addresses.

Seems like I'll have to bow down to the DNS jew.
>>
>>51979793
>>51979865
>I don't like or don't know how to use it, therefore I'll call it a meme.
please stop, you're only looking like a fool doing so.
>>
>>51979777
That's not how it works, you little shit.
>>
>>51979845
>>Posts picture from 2003.
>>facts
>>
>>51979936
Why is /g/ so retarded?
>>
>>51979854
So is the target demographic Chinese government employees, or is it just you, in Windows XP, hitting the refresh button over and over?
>>
File: 1449289805308.gif (3 MB, 640x479)
>>51979940
Pls go LE devs

That meme won't infect /g/.
>>
>>51979952
>/g/ is one person
It's just one faggot who has no clue what he's talking about, just ignore everything he has to say.
>>
>>51979952
It is literally just one person.

>>51979959
He is _really_ desperate,
>>
>>51979957
Follow the discussion. I'm not the one claiming majority runs Windows XP.
>>
>>51979845
>>51979918
>old pics
https://www.youtube.com/watch?v=tkLXANNp0Xc
>>
>>51979969
Thanks for derailing the thread about https, Let's Encrypt shill. Not everything is about your backdoored CA.
>>
>>51979918
>>searches for images where xp is majority.
>>uses them as sources.

Seriously go die in a fire
>>
File: 1447564088604.jpg (64 KB, 705x540)
>LE
>not a botnet
>>
Lots of older hardware, particularly stuff running some sort of embedded software, simply do not have the processing power to run SSL.

For the web connected stuff they do, they need HTTP not HTTPS.
>>
>>51979231
You can't PXE boot over HTTPS.
>>
>>51979976
My apologies.
>>
>>51979974
Just report/ignore, the mods will take care of this shitposting faggot.
>>
>>51980030
>implying mods aren't faggots.
>>
>>51980037
They are, that doesn't mean this one guy who is shitposting isn't also a faggot.
>>
File: nsa-smiley-face-580.jpg (176 KB, 580x435)
>>51980016
This. And I think some data centers still use plain HTTP internally to save on resources.
>>
>>51979839
Domain names could be the authority.
>>
>>51979429
my dad still uses XP :(
>>
>>51980060
If they started banning shitposters, half of /g/, entire /pol/ and /b/ would die.
>>
>>51980030
>wahhh, mods have to ban the person who disagree with my LE viral marketing
>>
>>51980060
This thread isn't about LE.
>>
>>51980078
Not sure what that's supposed to mean, senpai. The domain names of CAs will obviously use their own certificates, but those aren't counted as "self-signed" the same way as your everyday cheapskate server is, since the CA certificates are already in your trust store. Or are you talking about something else?
>>
>>51980106
>Free as in freedom and cost
>viral marketing
I don't think you know what these words mean.
>>
File: goyimhands.png (4 KB, 406x327)
>>51979793
>>51979865
>>51979936
>>51979959
>>51979997
>>
>>51979298
Depends on your browser and how you set up your server.
https://rms.sexy uses lets encrypt and uses ciphers that are supported by winxp.

https://www.ssllabs.com/ssltest/analyze.html?d=rms.sexy
>>
>>51980081

And it would be fantastic.

What they should do is age verification through CC verification. Require a valid card through a service like stripe that can validate the card data but not charge it.

Would solve the problem overnight.
>>
>>51980152
Hello reddit.
>>
>>51980152
No, shitposting is the soul of 4chan. There is Reddit for you.
>>
File: le NSA face.png (11 KB, 346x291)
>>51980075
Google and several others had their leased lines between datacenters unencrypted until the Snowden leak, not just within facilities. Yahoo was still shuttling email across the public internet in clear until 2014.
>>
>>51980143
Windows XP can support ciphers through web browsers. It's the certificate itself that does not work.

Said browsers (and other software) use the OS libraries for that.
>>
>>51980152
I'm not sure you get 4chan. You can stop injecting LE into this thread now.
>>
>>51980169
Chrome uses its own trust store and Firefox uses an extended trust store. The latest version of Firefox will run on win xp and any version of chrome/IE that run on xp are often not supported by websites.
>>
>>51980187
Chrome uses OS libraries for handling the actual certificates, Firefox does it all internally.
>>
>>51980187
Every Chrome version currently runs on XP.
>>
>>51980187
any browser that doesn't support html5 should be considered trash/dead

>>51980209
But chrome still uses its own trust store.
>>
>>51980239
https://community.letsencrypt.org/t/certificate-not-working-on-a-certain-windows-xp-machine/6740
>>
>>51980025
It all depends on how the pxeboot system you're using pulls the rest of its files after it gets the kernel. Technically they don't pxeboot over HTTP either. You pull a kernel from a tftpd or bootp server.
>>
>>51980129
LE is untrustworthy, a self-signed cert is better and completely trustworthy.
>>
Yes, because you can't really do HTTPS on small embedded devices with few kilobytes of RAM.
>>
>>51980281
>continues shitposting.
>>
>>51980281
LE is reasonably trustworthy in terms of CAs (ie: not really), it's just not a capable certificate.
>>
>>51980304
No, different anon. Why should I trust LE when I can sign it myself?
>>
>>51980296
Wouldn't ftp be a better choice?

http is still bloated as fuck
>>
>>51980016
Those same devices can have a front-facing proxy handling https. Otherwise, SSL is nearly identical in latency/performance as non-SSL.
>>
>>51980334
Are you really retarded or just pretending to be?
>>
>>51980181
I think they meant LE as in, "Let's Encrypt", not as in, "le redditor making le shitpost le le le le!".
>>
File: rR2raGl.gif (2 MB, 480x360)
>>51980377
>your only argument is insults
>>
>>51980397
no point to argue with retards.
>>
>>51980339
That's why you use tftpd. It's not really efficient, but it's easy to implement in very small spaces.
>>
>>51980281
LE gives you domain validated certificates, and they are displayed as such when you visit your site. If you want stronger validation, you have to pay up. Same as it's been for years with e.g. StartSSL.
>>
>>51980425
A CA is more like a trusted MITM.

It's dumb that the only argument against self-signed is "but your browser will view it"
>>
>all these faggots saying they don't trust LE

Do you realize that you're irrelevant?
Your browser/OS already does it and that's what counts.
>>
>>51980475
I think the argument is that any CA isn't to be trusted.
>>
>>51980469
Self-signed is exactly like a CA signed one, except you don't even have to infiltrate the CA to construct a malicious certificate. If a CA is like a trusted MITM, then not warning about self-signed certificates is like extending that trust to anyone on earth.
>>
>>51980626
>it's trust only if you pay me

Verisign can facilitate a MITM if the FBI warrants it.
>>
>>51980124
People could just put GPG keys in their domain records instead of relying on a CA. If any malicious activity is performed by a DNS server, it would actually be recorded and documented.

Might as well have the trust with DNS since that's a bigger deal anyway..
>>
>>51980690
Sure. But without it, Eve who works as a network technician for your ISP can do it by herself.

>only if you pay me
No?
>>
>>51980726
Oh, now I see what you mean. Yes. You will be able to do that with DANE records: https://tools.ietf.org/html/rfc7671
>>
>>51980730
>But without it

Irrelevant, Certificate Authority is an inferior method of security.
>>
>>51980756
You can do it now with DNS records and a userscript
>>
>>51980758
Inferior to what? You have to present an alternative, like this gentleman >>51980726 with DNSSEC. The argument is that a CA is better than no trust at all.
>>
>>51980785
>The argument is that a CA is better than no trust at all.

It's not really the argument, considering CA is forced in many implementations. Forcing an inferior security model is a big problem compared to allowing users to use their own validation.
>>
>>51980819
>the superior alternative is forced
Wow, what a shame.

Wait until there is actually a viable alternative before you go on a rant.
>>
>>51980892
SSL is a relic of the 90's done by a rushed Netscape employee, anon.
>>
>>51980930
Sure? And HTTP is a rushed relic of the 90's done by a rushed CERN employee. Literally no one likes SSL or the public key infrastructure, but it's the only alternative we have as of today.
>>
>>51980985
Relics have no place in modern security.
>>
>>51981012
Tough luck.
>>
>>51979280
Seems like the support for IIS or other Windows HTTP servers is a bit scarce. Basically amounts to requesting the cert on Linux, then import it into Windows.

Someone's made a github repo to smoothen out the rough edges and, apparently, eliminates the need for Linux. But it's not official, so I wouldn't trust my webservers with it.
https://github.com/ebekker/ACMESharp
>>
>>51981028
If you're putting this much faith in your leaked personal information, then I'm sure you'd defend it a little better.
>>
>>51981067
I wouldn't trust my webservers with Let's Encrypt either, but generated certificates can still be run on Windows. Reading them doesn't work under XP.
>>
>>51981099
>your leaked personal information
Huh? My domain name? I'm not paying for a cert with identity info.

And why would I defend PKI? It's inarguably shit, like I've been saying from the beginning. Just slightly less of a security theatre than using self-signed certificates.
>>
>>51981155
Inferior security, especially if it's forced, will result in leaked information, we've been over this.
>>
>>51981181
You can't say "inferior" when it's the only alternative, senpai. It's broken, yes. No one is disagreeing with that. This whole comment chain started with some tard arguing for self-signed certificates, which don't even offer any of the perceived security that a CA does. Now you're arguing against SSL altogether, which I agree with.
>>
>>51981274
SSL/CA is not the only security method.
>>
>>51981312
So what's your alternative? I already mentioned DANE/DNSSEC, what else? It has to be transparent to the client.
>>
>>51981345
CA also allows for transparent MITM.

Also, https://en.wikipedia.org/wiki/Category:Cryptographic_protocols
>>
>>51981345
Oh, and Namecoin, now that I think about it. Currently has no indication of browser vendors pushing to support it, though.

>>51981391
>here is a list of cryptographic terms
Anon, pls. Most of these solve completely unrelated problems.
>>
>>51981449
CA isn't a problem, it's a flawed solution that originated from a rushed 20 year old standard.
>>
>>51981449
Namecoin sounds like something DNS servers have already achieved. What's next? NNTPcoin? Haha.
>>
>>51981495
The difference would be that you place your trust in the entire network, instead of just a single registrar. With DNSSEC, you still place your ultimate trust in your TLD registrar, or have I misunderstood something? Them changing something would make it visible to everyone else, but they still have that power. Right?

(I kind of think Namecoin is an Aaron Swartz-ian pipe dream, though. It won't ever be a serious option.)

I also found this: https://en.wikipedia.org/wiki/Convergence_%28SSL%29
Seems like the only option not already mentioned, going by a couple of semi-recent security.SE threads.
>>
>>51981606
With keys placed in DNS entries, you're placing momentary trust in the entire domain name system, and the security of knowing that if any MITM is attempted, the entire Internet would know. As opposed to CA, which can be done transparently.
>>
>>51981704
Okay. So then the difference is whether to trust the domain name system or the Namecoin network. Guess it's not worth the effort to go the blockchain route only for the sake of SSL identities.
>>
>>51981747
Pretty much any distributed system, even Usenet, is better than CA.
>>
>>51981805
Not talking about CA any more, senpai.
>>
File: 1447732869845.png (545 KB, 1288x847)
>>51979671
>an entire market with billion dollar companies all because of a shit trust method
>>
>>51979231
Performance
Less latency
Faster webpages
>>
Guys what is so bad about self signed certificates? I self-sign all my shit and it keeps out the paranoid and the idiots. This is something good! Besides this my certificate will be alive until 2099 and I never have to redo that shit again.