
Once again reminded about my least favorite thing about requiring HTTPS/SSL:

At first the problem was it literally recentralized the internet via cert authorities. Then LetsEncrypt came along and *kind of* fixed that.

Now the problem is it's recentralizing the internet via an expert class of People Or Companies Who Understand HTTPS/SSL as gatekeepers of the internet. Self-hosting is ~10x harder than it used to be.

HTTPS is a good idea but we need to keep working to mitigate these problems.

@darius this is why I've started directing people to neocities or Github/Gitlab Pages instead. They deal with that nonsense for you. 👍

@darius In my experience this hasn't been true. The annoyance of setting up TLS for self-hosting is a rounding error compared to the headache of dynamic DNS and port forwarding, and for non-self-hosting (Dreamhost) it's just "check this box and we do it for you".

@technomancy Yes, that's true, if you're hosting literally from your house over your ISP it's extra hard and certs are the least of your worries. I wish ISPs would more readily provide static IPs for users willing to pay for them (mine doesn't, and I definitely don't want to deal with dynamic DNS).

@darius So the thing is, I don't think there's much point in telling non-technical users to run their own servers unless they're actually running their own servers physically.

A VPS seems like the worst of both worlds for non-technical folk: all the headache of administering your own certs and applying security updates, but without the benefit of actually owning anything yourself.

@technomancy Ideally yes. I would 100% be hosting Friend Camp out of my basement if it weren't for the DNS/IP issues.

Still, I think a VPS is nice if you want to run your own custom software. I don't have root access to dreamhost and can't ask them to install a custom tool that I built for my friends.

@darius I think the problem is that encrypted transports and verifiable identities are fine ideas, while HTTPS itself is a fairly terrible set of ideas about how to implement those things.

(not that there is, at the moment, any better option.)

@darius @ivesen I'm really happy with Caddy, and I even figured out systemd enough to get it up and running.

@darius
Have you tried self-hosted with #YunoHost or #Cloudron?
Both handle Let's Encrypt by design without much user intervention: it's just the default when adding new domains, with wildcards on demand for the naked domain or subdomain apps. It really helps self-hosting in two different ways (Cloudron being Docker-based, YunoHost being bash scripting for most of the app packages); in both you can deploy Mastodon with a few clicks or CLI commands. #lovingit

@rmdes I've heard a lot about YunoHost. I'll have to give it a look.

@darius
People around YunoHost also power internetcu.be. This thing loads YunoHost just fine and has nice goodies like a double wifi chip, so it can (when subscribed to the neutrinet.be non-profit service) have one wifi network piped through a VPN (Neutrinet's add-on service on top of the cube) and another piped into Tor. That leaves you with a box that defaults any connection to its VPN or Tor wifi network without anything to be done on the clients. - 1/3

@darius It's really cool. To my knowledge there is no chapter outside of France and Belgium, but this little thing is definitely a nice gift to offer around. The cube is 50€ (cheaper if you buy and do all the work on your own; it's all open source parts). Add a domain and, even without the add-on services, it's an amazing tool for teaching Linux administration, bundling existing code into packages, and collaboration over FOSS software. - 2/3

@darius
I'm not involved in the project or code but I take all opportunities to pitch them :) - 3/3

@darius I mean... Caddy is doing automatic Let's Encrypt...

@milan Yes, and that's good and I'm really excited to hear it! I plan to play around with it ASAP.

I also literally just heard of them 30 minutes ago for the first time, which is part of the problem.

@darius Eh. On DigitalOcean I've spent hours and hours wrangling Ghost upgrades and my Nginx config, and maybe five or ten minutes running the Let's Encrypt setup script.

I don't understand what it's doing, but it seems to work fine.

@jamesgecko There are many places where things break down, but if you just want to host static stuff, the configs generally work out of the box and SSL is your big problem. (Yes, I'm the type of person who would like to host a static site out of my basement rather than just use github pages or whatever)

@jamesgecko You're right, though. There are probably other barriers that are worse than HTTPS.

@darius I guess I don't understand how Let's Encrypt is harder on a box in your basement than on a VPS? Or is that even knowing that Let's Encrypt is a thing is a barrier?

@jamesgecko I'm counting boxes in basements and VPSes as the same deal here. I realize that they're not, but for my purposes "having root on a server" counts as self-hosting, and there are degrees of "what rights do I have over the hardware" under that

@darius I will miss being able to telnet to port 80 to see what's going on, but more than that the vague reassuring feeling that it's just text all the way down and I could type it myself if I had to

@genmon @darius if you liked `telnet ${host} 80` you may like `openssl s_client -connect ${host}:443`

(There's also support in s_client for STARTTLS on some protocols.)

A word of warning, if you've never encountered it: openssl's command line is arcane bullshit, and you're better off searching for other people's task-specific openssl guides than trying to puzzle together the right combination of flags for most other cases.

@darius I’ve read that all these certs cause huge loading time lag in certain parts of the world too.

@darius
Do you mean that certbot is too hard for some people?

True that I did not configure any cron for it the last times I set up a service; @yunohost did it for me.

@Zykino Yeah. Specifically things like setting up cron, or dealing with wildcard certs (Let's Encrypt will issue them, but certbot doesn't actually handle them automatically).
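Added example (not code posted by anyone in this thread): it puts together the `openssl s_client` trick from earlier in the thread, used as the TLS counterpart of telnetting to port 80, with the expiry check that a certbot renewal cron job automates. Everything runs against a throwaway local TLS server so it works offline; the only assumptions are that the `openssl` command-line tool is installed and that TCP port 14433 on 127.0.0.1 is free. The 10-day self-signed certificate is generated on the fly and stands in for a Let's Encrypt cert that is nearing its 90-day expiry.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant.
# Assumes: the openssl CLI is installed and TCP port 14433 on 127.0.0.1 is free.
set -eu

PORT=14433      # assumed free; change if something else listens here
WORK=""
SERVER_PID=""

# Generate a self-signed cert valid for 10 days (a stand-in for a Let's Encrypt
# cert close to expiry) and start openssl's built-in TLS server; its -www mode
# answers an HTTP GET with a status page, which is all we need here.
setup() {
  WORK=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
    -www >/dev/null 2>&1 &
  SERVER_PID=$!
  # Wait (at most ~5 s) until a handshake succeeds and a cert comes back.
  n=0
  until echo | openssl s_client -connect "127.0.0.1:$PORT" 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'; do
    n=$((n + 1))
    [ "$n" -lt 50 ] || return 1
    sleep 0.1
  done
}

teardown() {
  if [ -n "$SERVER_PID" ]; then
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
  fi
  if [ -n "$WORK" ]; then rm -rf "$WORK"; fi
  SERVER_PID=""; WORK=""
}

# The TLS version of "telnet host 80, then type GET / by hand": pipe a raw
# HTTP/1.0 request through s_client. -quiet hides the handshake chatter and
# implies -ign_eof, so the connection stays open after stdin ends until the
# server has sent its reply. Output is the plain-text HTTP response.
http_get_over_tls() {
  printf 'GET / HTTP/1.0\r\nHost: localhost\r\n\r\n' |
    openssl s_client -quiet -connect "127.0.0.1:$PORT" -servername localhost \
      -CAfile "$WORK/cert.pem" 2>/dev/null
}

# Fetch just the leaf certificate the server presents, as PEM: s_client prints
# it during the handshake and openssl x509 picks up the first one it sees.
served_cert() {
  echo | openssl s_client -connect "127.0.0.1:$PORT" -servername localhost 2>/dev/null |
    openssl x509
}

# The check a renewal cron job runs before calling "certbot renew": succeed
# (exit 0) when the served cert expires within $1 days. openssl x509 -checkend
# exits 0 if the cert is still valid that many seconds from now, 1 otherwise.
needs_renewal_within_days() {
  if served_cert | openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null; then
    return 1   # still valid beyond the margin
  fi
  return 0     # expires inside the margin: time to renew
}

# Stand-alone run: show the first line of the reply, the cert's expiry, and
# the renewal verdict for certbot's default 30-day margin, then clean up.
main() {
  setup
  http_get_over_tls | head -n 1
  served_cert | openssl x509 -noout -subject -enddate
  if needs_renewal_within_days 30; then
    echo "renew: certificate expires within 30 days"
  else
    echo "ok: certificate valid for more than 30 days"
  fi
  teardown
}

main
```

`openssl x509 -checkend` is the portable way to ask "will this cert still be valid N seconds from now", and 30 days is the margin `certbot renew` uses by default, so a cron entry that runs `certbot renew` daily is doing exactly this test plus the renewal. Against a real host, replace `127.0.0.1:$PORT` with `host:443` and drop `-CAfile` so the system trust store is used; for a STARTTLS service add `-starttls smtp` (or `imap`, `pop3`, `ftp`) to the `s_client` line.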

@darius
> Then LetsEncrypt came along and *kind of* fixed that.

How did LetsEncrypt fix anything? It's basically become the Google of cert authorities.

@josemanuel it meant you didn't have to pay money to get a cert, and could do it semi and sometimes fully automatically

this is exactly why I said kind of.

@josemanuel It did not help with centralization, but did help with accessibility at least.

@darius CAcert was a much better (and earlier) option, but, for whatever reason, browsers wouldn't add it to their trusted cert authorities lists. Surprisingly, they did so immediately with LetsEncrypt.

That, I think, is what actually helped with accessibility, given that, at least in my experience, it is easier to install a CAcert certificate than LE ones.

@josemanuel yeah. Let's Encrypt had massive corporate backing and sponsorship

@darius Exactly. That's my problem with them and the reason why I'm not sure they aim to fix recentralisation. Not even *kind of*.

In other words, I was agreeing with you all along on everything except for that small detail.

@darius Tsss. All W3C protocols are pieces of shit. They are all side-channel unsafe, and they all push toward client-server architectures to ensure everything gets centralized as much as possible as complexity rises in these techs.

Their nazi standards = their nazi cyber-power models.

Friend Camp

Hometown is adapted from Mastodon, a decentralized social network with no ads, no corporate surveillance, and ethical design.