Best Website Hosting and Well Software??

The place for discussion of hardware, software and mobile apps.
Corgimom
3 hours later...
Posts: 1031
Joined: Fri Mar 18, 2016 1:23 am

Re: Best Website Hosting and Well Software??

Postby Corgimom » Thu Aug 11, 2016 9:24 am

merlin wrote:
The different styles of hosting systems will have more latency for sure, like shared or VMs. 3 seconds is pretty good for SSL delivery.

I guess I was just trying to make more of a point that Let's Encrypt is disrupting the very corporate and highly profitable SSL cert system with an open source free system. The more sites that are using it, the more valid it becomes as a standard.


The clients are paying for dedicated, not VM, so pages should fly. About 4 years ago I had a client who was so sold on SSL that he wanted every page delivered by SSL. He changed his mind in about 48 hrs after seeing what it did to server loads for his school, so I got to bill him twice.

The fact that Let's Encrypt does not use web standards for certificates is bothersome as well. Encryption does not replace identity verification for security.

"Let's Encrypt: the bad stuff

The biggest problem with Let's Encrypt is that it democratizes access to https for any website. Yes, on the surface, this should in fact be a positive thing that we're celebrating. Unfortunately human nature comes into play here. When most people (non-geeks/non-IT) see https, immediate and unwavering trust is implied.

Even though Let's Encrypt is merely providing encryption for your website, most people visiting it will give it the same level of trust as websites with the "green bar" https (Extended Domain Validation), which includes the company name next to the padlock in the address bar.

This means that even though identity isn't actually verified at the same level as a green bar https website, most site visitors won't really know the difference. This is terrifying and we should be concerned about this. What most people don't realize is that a secure connection to an untrustworthy website doesn't mean it's safe to use.

To add further concern, there's very little preventing malware distributors from using Let's Encrypt certificates to make malware distribution websites look more official. Not only has it happened already, worse, is the fact that Let's Encrypt's stance on this issue is quite weak.

The initiative is putting far too much trust into the general public's understanding as to how https actually works. Fun fact folks – most people are clueless about tech. And the reality is merely comparing new registrations with Google's records won't be enough. Perhaps the blame for education needs to fall with the browsers instead?"
from http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html

Which brings us full circle to you get what you pay for.
est 1953
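
The distinction argued over in the post above (encryption versus verified identity) is visible in the certificate itself. As an added example, not part of the original thread: a Python heuristic that reads a certificate subject, in the dict shape returned by `ssl.SSLSocket.getpeercert()`, and reports whether any organisation was vetted. The sample subjects and `.test` hostnames are constructed; the authoritative signal is the certificate policy OID, which `getpeercert()` does not expose.

```python
# Added example (not from the thread): heuristic DV / OV / EV classification
# from a certificate subject, in the dict shape of ssl.SSLSocket.getpeercert().

# Subject attributes that EV certificates carry in addition to the organisation.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten cert['subject'] (a tuple of RDN tuples) into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Return (level, organisation); organisation is None for DV."""
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if org and EV_FIELDS.issubset(fields):
        return "EV", org
    if org:
        return "OV", org
    return "DV", None

def describe(cert):
    """One-line summary of what the certificate does and does not assert."""
    level, org = validation_level(cert)
    host = subject_fields(cert).get("commonName", "<no CN>")
    if level == "DV":
        return f"{host}: DV, traffic encrypted, only control of the domain was checked"
    return f"{host}: {level}, traffic encrypted, CA vetted organisation {org!r}"

# Constructed sample subjects (hypothetical hosts, not real certificates).
DV_CERT = {"subject": ((("commonName", "blog.example.test"),),)}
OV_CERT = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example School District"),),
    (("commonName", "lms.example.test"),),
)}
EV_CERT = {"subject": (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),),
    (("serialNumber", "0000000"),),
    (("organizationName", "Example Bank Inc"),),
    (("commonName", "bank.example.test"),),
)}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```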


ghostdogg
Rewind. Spit. Scratch. See Heaven.
Posts: 439
Joined: Sat Aug 06, 2016 10:41 pm

Re: Best Website Hosting and Well Software??

Postby ghostdogg » Thu Aug 11, 2016 12:46 pm

Corgimom wrote: a secure connection to an untrustworthy website doesn't mean it's safe to use.


100%
merlin
ninja with training wheels
Posts: 52
Joined: Thu Jul 14, 2016 12:49 am

Re: Best Website Hosting and Well Software??

Postby merlin » Thu Aug 11, 2016 6:03 pm

Corgimom wrote:
merlin wrote:
The different styles of hosting systems will have more latency for sure, like shared or VMs. 3 seconds is pretty good for SSL delivery.

I guess I was just trying to make more of a point that Let's Encrypt is disrupting the very corporate and highly profitable SSL cert system with an open source free system. The more sites that are using it, the more valid it becomes as a standard.


The clients are paying for dedicated, not VM, so pages should fly. About 4 years ago I had a client who was so sold on SSL that he wanted every page delivered by SSL. He changed his mind in about 48 hrs after seeing what it did to server loads for his school, so I got to bill him twice.

The fact that Let's Encrypt does not use web standards for certificates is bothersome as well. Encryption does not replace identity verification for security.

"Let's Encrypt: the bad stuff

The biggest problem with Let's Encrypt is that it democratizes access to https for any website. Yes, on the surface, this should in fact be a positive thing that we're celebrating. Unfortunately human nature comes into play here. When most people (non-geeks/non-IT) see https, immediate and unwavering trust is implied.

Even though Let's Encrypt is merely providing encryption for your website, most people visiting it will give it the same level of trust as websites with the "green bar" https (Extended Domain Validation), which includes the company name next to the padlock in the address bar.

This means that even though identity isn't actually verified at the same level as a green bar https website, most site visitors won't really know the difference. This is terrifying and we should be concerned about this. What most people don't realize is that a secure connection to an untrustworthy website doesn't mean it's safe to use.

To add further concern, there's very little preventing malware distributors from using Let's Encrypt certificates to make malware distribution websites look more official. Not only has it happened already, worse, is the fact that Let's Encrypt's stance on this issue is quite weak.

The initiative is putting far too much trust into the general public's understanding as to how https actually works. Fun fact folks – most people are clueless about tech. And the reality is merely comparing new registrations with Google's records won't be enough. Perhaps the blame for education needs to fall with the browsers instead?"
from http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html

Which brings us full circle to you get what you pay for.


You can fake the green lock in the Browser by injecting an image into the bar without ever needing to break that encryption and that's what the best do.

Sure, people can submit untrustworthy websites to get a cert, but any legit network admin knows that the website is still going to be connected to all the same scanning that is normally done to find bad pages. In theory you could be correct but it's an equal chance with a paid certificate. That to me seems like simplistic reasoning about why you think it wouldn't be needed. At the end of the day security and encryption are needed, period, and if you are running servers that people log into or transfer data with and you aren't protecting them, you are screwing up or being careless with information. That's always been a fundamental question between admins. I look at it like this.

A secure site is a safe site. If the admin forces HTTPS I'm all about it.

Let's Encrypt provide a false sense of security?

Bundled with strong security practices, I think offering encryption to your site's visitors is a great valued added service. For websites where forms are submitted or logins are taking place, the offering of https is even more valuable. But for read only websites, however, I feel like it's potentially giving folks a false sense of security. Worse, I fear that webmasters may also find themselves being lulled into a false sense of what's best for their websites.

I believe that Let's Encrypt's best contribution would be to provide support for IP cameras with Internet login pages exposed to the Web, Plex servers not participating in Plex Pass protection and other related examples where an encryption tunnel is badly needed. As for offering it to any and all websites, it's great...but not without greater education to the casual website visitor. People need to understand where encryption ends and commonsense begins. In short, I think it's fantastic for sites where someone is potentially logging into a site or otherwise similar situations.

What say you? Do you think that websites offering https to their website visitors are providing a badly needed service? Perhaps like me, you think it depends on other factors before automatically signing off with the idea of https for all? Hit the Comments, tell me what your thoughts are regarding Let's Encrypt.
Corgimom
3 hours later...
Posts: 1031
Joined: Fri Mar 18, 2016 1:23 am

Re: Best Website Hosting and Well Software??

Postby Corgimom » Thu Aug 11, 2016 6:06 pm

I was quoting a review of the service. I always look for the good and the bad when making decisions for sites. I think the nerds will not trust SSL through them because of all the reasons quoted and non-nerds could give a fig.
est 1953


merlin
ninja with training wheels
Posts: 52
Joined: Thu Jul 14, 2016 12:49 am

Re: Best Website Hosting and Well Software??

Postby merlin » Thu Aug 11, 2016 6:10 pm

That's understandable. I would not use a Let's Encrypt cert to secure an e-commerce website because the money-to-need ratio is there. For something like simple connections between applications or logins or simple websites I would use the Let's Encrypt cert to build trust with users. Having SSL on your site also gives you a huge boost in SEO value even for a single landing page with a form.

Back to the main topic. I think that for this school system it would be smart to have SSL set up because of how lesson plans and other information is shared for only teachers. Need to secure it from the students' access. A free cert would cover that nicely.
Corgimom
3 hours later...
Posts: 1031
Joined: Fri Mar 18, 2016 1:23 am

Re: Best Website Hosting and Well Software??

Postby Corgimom » Thu Aug 11, 2016 6:59 pm

Maybe you don't know who I am. Every school I manage has paid certs and permissions-based roles: real learning systems. Just so you know, SSL, other than for forms that are not part of the learning system, plays havoc with small to medium learning systems. (100-3000 students is small to medium)
Google El Cooper moodle
est 1953


merlin
ninja with training wheels
Posts: 52
Joined: Thu Jul 14, 2016 12:49 am

Re: Best Website Hosting and Well Software??

Postby merlin » Fri Aug 12, 2016 12:21 am

Corgimom wrote: Maybe you don't know who I am. Every school I manage has paid certs and permissions-based roles: real learning systems. Just so you know, SSL, other than for forms that are not part of the learning system, plays havoc with small to medium learning systems. (100-3000 students is small to medium)
Google El Cooper moodle


I don't know who you are but I like your style! Rocking it out on moodle since 2003!

When I'm building out stuff with my teams we always attack things in a certain way. We do a lot of Government Websites that require us to have it. I've always pushed myself and the team to expand our design practices to encompass more security. I know that it's not required but I push myself and the team to make it happen.
Corgimom
3 hours later...
Posts: 1031
Joined: Fri Mar 18, 2016 1:23 am

Re: Best Website Hosting and Well Software??

Postby Corgimom » Fri Aug 12, 2016 12:29 am

Actually, that is my 2nd moodle account- I had a stalker in 2002 so I set up a new ID. I literally have no idea how many websites I have built over the years but full blown school sites with learning systems- a couple of hundred. Now I just do schools and learning systems. Teach copyright, education standards compliance and legal compliance. I have also been known to do simulated/practice tests for standardized exams.
est 1953


Corgimom
3 hours later...
Posts: 1031
Joined: Fri Mar 18, 2016 1:23 am

Re: Best Website Hosting and Well Software??

Postby Corgimom » Fri Aug 12, 2016 10:02 am

I guess my point in bringing up school websites is and was that security standards are very different based on what kind of website is being run and the intended end users. A school with a free SSH would not meet federal or state guidelines for a long number of security reasons. Paid SSH with the owner verification step is certainly the standard for personal (IE transmission of ID numbers) and financial data. Free does not meet that standard. It is a false equivalency.

Paying $50 for ID verification and the real security that step gives is cheap.

You know the whole SSH=security is kind of nonsense. SSH encryption is just another tool and it is the right tool in some cases.

I heartily disagree that it gives people a sense of security. Geeks know the difference and average users would have a false (if any) sense of security. If it were the standard for complete websites browsers would demand it. In this very thread, we have a relatively sophisticated above average user who is failing to see the point of SSH on a simple, publicly readable forum.

Security, when needed, is a whole series of protocols based on what is being done at any given time on a site. On forums, passwords are encrypted, then a whole series of programmatic rules for who can do what.

As far as a Google bump goes, the bump is based on the site being owner verified and therefore slightly more safe. Free SSH has no owner verification and is, therefore, slightly less safe. Google knows the difference.
est 1953


ghostdogg
Rewind. Spit. Scratch. See Heaven.
Posts: 439
Joined: Sat Aug 06, 2016 10:41 pm

Re: Best Website Hosting and Well Software??

Postby ghostdogg » Sat Aug 13, 2016 1:00 am

Corgimom.. that's some pretty impressive stuff. I think the best use of "lets encrypt" would be to use on staging/test instances of production environments that require valid SSL certification. It's a nice way of "replicating" the environment without having to make extra configs. I can't tell you how frustrating it can be to work with an application that's constantly prompting you to "continue to page".
Corgimom
3 hours later...
Posts: 1031
Joined: Fri Mar 18, 2016 1:23 am

Re: Best Website Hosting and Well Software??

Postby Corgimom » Sun Aug 14, 2016 9:56 pm

ghostdogg wrote: I can't tell you how frustrating it can be to work with an application that's constantly prompting you to "continue to page".

I hate that shit.

And tk for the kind words.
est 1953

