undefined | Better HN

0 pointsrvnx7y ago0 comments

Any CA can issue any certificate for anyone. This is where Certificate Transparency Log comes into play (this little backdoor in the browsers that sends the hosts that you visit to Google and friends).

Imagine, you are the host of a domain and you receive a HTTPS request.

What are your possibilities ?

A) Drop the request ? Fallback to HTTP and get the user MITM

B) Self-signed certificate

C) A certificate trusted by a well known authority

D) MITM yourself with CloudFlare ? Put CloudFlare in front then CloudFlare will proxy the traffic in pure HTTP to GitHub.

Now talking about risks:

   $ openssl s_client -servername blog.securem.eu -connect blog.securem.eu:443 | openssl x509 -noout -dates

   notBefore=Apr 15 15:48:38 2018 GMT
   notAfter=Jul 14 15:48:38 2018 GMT

https://letsencrypt.org/2015/11/09/why-90-days.html

The certificates are valid only for 90 days.

It looks like just inventing a problem. If you decided to give control of part of your domain to GitHub, yes they will be able to serve content on your behalf. That's normal, and logic.

0 comments

icebraining7y ago

I don't think it's a major problem, but it does violate the Principle of least astonishment, which I think we (developers) should strive to avoid.

rvnxOP7y ago

I think they should just add a line in the UI instead of hiding the info deep in tickets or issue, but that's a mere communication issue. Overall, it's not surprising, and actually good for the user.

On letsencrypt.org:

     In Progress:
     These large providers are currently rolling out support for Let’s Encrypt for custom domains.
     You may or may not be able to enable support in their control panel,
     or you might notice certificates have recently been issued for your domains hosted with these services.

     Blogger
     GitHub Pages

https://github.com/isaacs/github/issues/156#issuecomment-366... https://community.letsencrypt.org/t/web-hosting-who-support-...

and so on.

hannob7y ago

> I don't think it's a major problem, but it does violate the Principle of least astonishment,

The principle of least astonishment should tell you that in 2018 HTTPS is becoming the default and hosting web pages with automated HTTPS should be expected.

What you should be astonished about is that it took Github so long to support HTTPS everywhere.

icebraining7y ago

They already supported HTTPS, just not for custom domains.

j / k navigate · click thread line to collapse

0 pointsrvnx7y ago0 comments

Imagine, you are the host of a domain and you receive a HTTPS request.

What are your possibilities ?

A) Drop the request ? Fallback to HTTP and get the user MITM

B) Self-signed certificate

C) A certificate trusted by a well known authority

D) MITM yourself with CloudFlare ? Put CloudFlare in front then CloudFlare will proxy the traffic in pure HTTP to GitHub.

Now talking about risks:

   $ openssl s_client -servername blog.securem.eu -connect blog.securem.eu:443 | openssl x509 -noout -dates

   notBefore=Apr 15 15:48:38 2018 GMT
   notAfter=Jul 14 15:48:38 2018 GMT

https://letsencrypt.org/2015/11/09/why-90-days.html

The certificates are valid only for 90 days.

It looks like just inventing a problem. If you decided to give control of part of your domain to GitHub, yes they will be able to serve content on your behalf. That's normal, and logic.

0 comments

icebraining7y ago

I don't think it's a major problem, but it does violate the Principle of least astonishment, which I think we (developers) should strive to avoid.

rvnxOP7y ago

I think they should just add a line in the UI instead of hiding the info deep in tickets or issue, but that's a mere communication issue. Overall, it's not surprising, and actually good for the user.

On letsencrypt.org:

     In Progress:
     These large providers are currently rolling out support for Let’s Encrypt for custom domains.
     You may or may not be able to enable support in their control panel,
     or you might notice certificates have recently been issued for your domains hosted with these services.

     Blogger
     GitHub Pages

https://github.com/isaacs/github/issues/156#issuecomment-366... https://community.letsencrypt.org/t/web-hosting-who-support-...

and so on.

hannob7y ago

> I don't think it's a major problem, but it does violate the Principle of least astonishment,

The principle of least astonishment should tell you that in 2018 HTTPS is becoming the default and hosting web pages with automated HTTPS should be expected.

What you should be astonished about is that it took Github so long to support HTTPS everywhere.

icebraining7y ago

They already supported HTTPS, just not for custom domains.

j / k navigate · click thread line to collapse