#indieweb 2017-08-07

2017-08-07 UTC
satamusic, snarfed, KevinMarks, wolftune and eli_oat joined the channel
#
Loqi
[indienews] New post: "Universal Sign-In Button" https://unicyclic.com/mal/2017-08-07-Universal_Sign-In_Button
mblaney joined the channel
#
mblaney
^^would love some feedback if anyone wants to try out the bookmarklet generator mentioned there.
wolftune, shalkydri and leg joined the channel
#
aaronpk
Well that's clever
shalkydri, snarfed, sh4l_, wolftune, barpthewire, j12t and [kevinmarks] joined the channel
#
Loqi
ok, I added "https://amp.theguardian.com/technology/2017/aug/07/uk-citizens-to-get-more-rights-over-personal-data-under-new-laws" to the "See Also" section of /GDPR
KevinMarks, friedcell, deathrow1, glennjones, sl007, Pierre-O, KevinMarks_ and Garbee joined the channel
#
Loqi
[superfeedr] "Seems like https://woodwind.xyz/ TLS cert is not getting renewed correctly #indieweb" by Ricardo Mendes on 2017-08-07 https://www.rmendes.net/2017/seems-like-tls-cert-is-not-getting-renewed-correctly-indieweb
j12t, Pierre-O, KevinMarks, sl007 and shalkydri joined the channel
#
dgold
why is the guardian reporting an EU Directive as if it was invented by their government?
#
sl007
Hey everyone! My new laser printer arrived and is already printing out a bunch of https://github.com/sebilasse/indieweb-origami billboards. I could also send some. Just tell me, aaronpk (US) and jkphl sknebel (BER) …
#
Loqi
[sebilasse] indieweb-origami: Proposals for indieweb posters, logos, CI
#
sl007
aaronpk are there some stickers left ? Would need some for Dortmund.
#
Zegnat
“I could also send some” - I would just hang them on my wall :P
KevinMarks, j12t, gigitux, mblaney, jonnybarnes and [tantek] joined the channel
#
[tantek]
Is woodwind's cert still expired? And does anyone know if what was setup with Letsencrypt?
#
[tantek]
I'd really like to know because I keep hearing anecdotes about cert expiring, and in some ways it seems like the biggest vulnerability there in practice is self-imposed fragility
#
[tantek]
What is certificate expired
#
Loqi
It looks like we don't have a page for "certificate expired" yet. Would you like to create it?
#
aaronpk
It is letsencrypt yeah
#
[tantek]
What is cert expired?
#
Loqi
It looks like we don't have a page for "cert expired" yet. Would you like to create it?
#
[tantek]
Pretty sure we have a page on this
#
[tantek]
What is admin tax?
#
Loqi
admin tax is all the time you spend maintaining your personal site, rather than actually using it (like to create posts) https://indieweb.org/admin_tax
#
aaronpk
the reason you keep hearing about expired letsencrypt certs is that they only last 3 months instead of the typical 12 or 24 of other certs
#
aaronpk
which is an intentional decision of letsencrypt to encourage sysadmins to automate the renewal
#
aaronpk
the idea being if it expires in 12 months you're more likely to not do the work to automate the renewal because of the work/reward ratio
#
sknebel
and they are the first (to my knowledge) that actually spent effort on renewal protocol and tools
#
[tantek]
Aaronpk is there any evidence to back up that "idea"?
#
[tantek]
So far I'm just seeing it "fail faster" when people's supposed "automated" renewal stops working
#
[tantek]
The problem is that all automation breaks
#
[tantek]
And this having a failure mode of "everything stops working" instead of just some downgrade means more stuff stops working.
#
[tantek]
E.g. Just a brainstorm, if a site went back to say insecure read only instead.
#
aaronpk
Fallback to https isn't something in the realm of what letsencrypt can/should do. That's the job of the web server and you could theoretically do that with any certificate. Tho afaik no web servers have that feature built in so you'd also have to automate that right now
Pierre-O joined the channel
#
Zegnat
Forgetting to automate is just as bad on the 12 month lapse as it is on the 3 month lapse. I haven’t seen anyone complain about the 3 month lapse at the places I read, and many there have switched over to Let’s Encrypt. Not sure where your anecdotes are from, [tantek].
#
[tantek]
That's a different kind of automation though - just code on one server
#
[tantek]
Whereas cert renewal requires everything to do with two servers and the network connection working. Typically also requires a batch process to run a script
#
[tantek]
Totally different kind of automation
#
Zegnat
I am talking about automating the cert renewal
#
[tantek]
Many more vulns.
#
[tantek]
Zegnat, anecdotes are what you just saw
#
[tantek]
Any others using letsencrypt having their sites go down
#
[tantek]
*And others
#
Zegnat
Odd. I would expect almost all of them to have been using certbot or other tooling for Let’s Encrypt in the first place. Those are not hard to set-up for auto-renewal.
#
[tantek]
Aaronpk that blog post theory I understand.
#
[tantek]
Note there is zero data to back the assertions in 1 and 2 in that post
#
[tantek]
By now (2 yrs) they ought to have data
#
[tantek]
To see if practice backs up their theories.
#
[tantek]
Zegnat I disagree with your assertion of "not hard to set-up"
#
[tantek]
Seriously there needs to be a lot more empathy for how hard all this stuff is to 1 set up, 2 keep working
#
[tantek]
3 fix when unexpected things break. Because that ALWAYS happens
#
Zegnat
If you have to set-up certs yourself, meaning you have shell access to a server and are not at a hosting company that does it for you, no, I do not think it is hard to run a single certbot command: certbot-auto --apache -d example.com -d www.example.com -d other.example.net
#
Zegnat
If that is too hard for you, you should probably not be at a hosting provider where you need to login through shell access to do server configurations yourself.
#
[tantek]
And if a server randomly restarts and the bots don't?
#
Zegnat
What bots? Cert bot installs the certificate in apache. Then you are done.
#
[tantek]
I hear of server restarts where all the "automatic" scripts don't all the time
#
Zegnat
Server restarts do not affect certs at all.
#
[tantek]
For whatever reason.
#
[tantek]
Cert bot has to *run* at least every 3 months.
#
Zegnat
I have also never seen a linux distro fail to start the cron daemon on restart. If that does happen, you have a whole different problem.
#
[tantek]
No bot run = no renewal
#
Zegnat
Yes, that is probably a crontab.
#
[tantek]
Who knows? Maybe the disk fills etc
#
[tantek]
I know for a fact that happened with logs filling disk at woodwind before
#
Zegnat
then apache probably wouldn’t start either, and your website is fully inaccessible. Cert or not cert renewal.
#
[tantek]
So yeah, stuff happens you can't predict that breaks your automation all the time.
#
sl007
sknebel - in https://indieweb.org/principles-de about the first notice : "duolingo" now seems to be a commercial language learning academy and that link is gone …
#
[tantek]
No about the probably assumption.
#
Zegnat
That’s why most people set the renewal not to 3 months, but to 2. Meaning you have an entire month of play time in case it doesn’t kick on instantly.
#
Zegnat
And if for some reason that doesn’t work, I think Let’s Encrypt emails you a week or so in advance. So if you get an email, you know your automation is dead and you need to take a look yourself.
#
[tantek]
Well established sw like apache is hardened to better handle out of memory / disk situs.
#
Zegnat
Yes. So are crontabs.
#
[tantek]
Your bot / script is not
#
Zegnat
If cron, or your preferred OS’s monthly-repeater-system, is less reliable than apache we have an entirely different problem.
#
[tantek]
Emails get lost / spam blocked
#
[tantek]
Or your services provider doesn't want you running "bots"
#
Zegnat
… the software is called “certbot”. It is not a bot. Neither is it a constantly on service. It is just a name of an app.
#
[tantek]
Or your web host hires a new junior sysadmin in that sees a bot script and shuts it down
#
Zegnat
It could have been called “tanteks-cert-adder”, no difference.
#
[tantek]
Lots of reasons any kind of script automation can fail
#
aaronpk
If your host doesn't want you running they'll scripts then they should be providing ssl certs with a checkbox that does it all for you (see DreamHost)
#
[tantek]
So having your entire site go down because a script failed to run is very bad
#
Zegnat
“Or your web host hires a new junior sysadmin in that sees a bot script and shuts it down” - wow. I need to install my own certs, but the web host lets junior admins also muck about on my server? That’s a huuuuge red flag.
#
aaronpk
s/they'll/shell/ thanks autocorrect
#
[tantek]
Most web hosts won't let you install new sw or app
#
Zegnat
Remember tantek: you should never have to run this yourself in the first place unless you chose to go with a hosting provider that gives you shell access and tells you to handle server configuration yourself.
#
[tantek]
And that's most of them
#
Zegnat
We are not talking default hosting here. You are already assuming a higher level.
#
Zegnat
Yeah, those hosts are not giving you shell access to install your certs either. So that is a moot point.
#
aaronpk
Yes most of them should be providing certs using methods like this making it transparent to the customer
#
[tantek]
No. All are manual except dreamhost
#
[tantek]
"Should be" is irrelevant
#
aaronpk
and letsencrypt is pushing the industry forward on that
#
[tantek]
That's the future
#
aaronpk
it's not irrelevant because it's a problem and someone is working towards a solution
#
[tantek]
I'm talking right now. Being vuln right now
#
aaronpk
if you have a problem right now switch to a host that provides the solution right now
#
[tantek]
It's irrelevant because you can't run or depend on vaporware "working towards a solution".
#
aaronpk
it's not vaporware...
#
[tantek]
So that means switch to dreamhost now
#
[tantek]
"Working towards" != shipping & usable
#
[tantek]
So either it exists or it is a brainstorm or hack in progress
#
aaronpk
I'm sure there are other hosts that have done that by now but I don't make it my business to investigate the features of companies providing a service I don't use
#
Zegnat
So. [tantek]. You are saying people are hosting their websites at hosting companies that give shell access to their users, as well as allow those users to install certificates themselves through this shell. Then an average user installs a lets encrypt cert (magically? How do they know how to use the shell at all?) but don’t set-up automation. And t
#
Zegnat
his is somehow because it is too hard? They are already in the shell. They are already running CLI commands to install the certs...
#
Zegnat
I am just not sure at what point automation is the problem, after they managed to set-up the certs through the same problematic systems.
#
[tantek]
Yes this happens all the time. Junior user sets something up with help from someone slightly more experienced. Then stuff fails months later
#
[tantek]
Why do you think WP installs get owned all the time?
#
[tantek]
Heck people have helped new people setup domains, hosting, sites at IndieWebCamps which then fail later.
#
[tantek]
So yes all this stuff is fragile and calling it "not hard" is frankly arrogant and insulting to nearly everyone in /generations.
#
aaronpk
I never said anything about it being not hard
#
Zegnat
No. I am saying automation is *as hard* as initial set-up. Not that it is not hard. Just that if you can do the initial set-up, you can do the automation as well.
#
[tantek]
No it is 2x
#
[tantek]
Twice as much work at least
#
[tantek]
Cumulatively
#
Zegnat
Twice as much work compared to what though? All certs expire. So all certs need automation set-up. Unless of course you are planning to retire the domain within 2 years.
#
[tantek]
And if we've learned anything it's that any incremental amount of required work is an opportunity for failure.
#
aaronpk
speaking as someone who has a lot of certs, I can certainly say that the initial work in setting up the automation has already paid off in terms of the work required if renewals were not automated
#
[tantek]
Aaronpk no argument about "paying off" especially for "lots of certs"
#
[tantek]
Point is for many (most?) the overhead for one cert = source of fragility and failure
#
[tantek]
Proof in point woodwind
#
[tantek]
Kylewm is one of the smartest devs to come through this community
#
aaronpk
Even for one cert the benefit is short renewals mean you have more chance to remember the process, instead of waiting 1-2 years and forgetting the workflow <-- this was me before letsencrypt
#
[tantek]
And if he and a service he sets up is vuln to this, then 99.99% of everyone is.
#
[tantek]
Aaronpk you're missing the point. No one is arguing the benefit overall if you can get automation working.
#
aaronpk
Right and I'm saying encouraging automation is the right direction to be going
#
[tantek]
Point is people can't or are highly vulnerable to it not working
#
[tantek]
What good is a "right direction" if the bar is too high?
#
Zegnat
I still have a huge issue with the “people can’t”.
#
Zegnat
Because if they can do the initial installation (which involves cert generation, getting it signed, getting server to accept it - or install special tooling like certbot - all through a shell), they surely can set-up automation as well (which depending on the tooling in step 1 may just be a single line added to the crontab).
#
[tantek]
Zegnat see above where initial setup happens because they had help
#
[tantek]
So your if then is false
#
Zegnat
then the help should have extended to the automation. If it did not, then the help is just as much at fault.
eli_oat joined the channel
#
Zegnat
Note that this just happens quicker with Let’s Encrypt then. It would still have happened with every other cert, as all of them expire, just a little further down the line.
#
[tantek]
This is why I have an issue with "Those are not hard to set-up for auto-renewal."
#
[tantek]
Please stop making claims about any of these things being "not hard"
#
Zegnat
Not “not hard”, just “as hard”. If you can do 1, you can do 2.
#
[tantek]
It is provably false for 99.99% of the people in /generations (since clearly it was too hard for kylewm to get right (for whatever reasons/accidents), and he's pretty darn brilliant at this stuff)
#
[tantek]
You're taking theoretically if then. I'm saying evidence disproves your assertion
#
Zegnat
I’m assuming it wasn’t too hard for him to do. He may originally have had a different plan for cert renewal. We don’t know.
#
Zegnat
Too hard implies additional knowledge needed to me. But if you have all the knowledge needed for step 1, you will have the knowledge needed for step 2.
#
[tantek]
Why would he have a different plan if the plan you're espousing is just as easy as setting up Letsencrypt in the first place?
#
[tantek]
Again you are asserting if ... (then) you will have
#
[tantek]
So for whatever reason he didn't
#
Zegnat
He may not have wanted to auto-renew, but may have wanted to do manual, because he was waiting for wildcard certs to be released in the future and wants to move to them asap.
#
[tantek]
Disproving your assertion.
#
Zegnat
Just one such reason
#
[tantek]
Whatever the reason, the point is it's a fragile path
#
Zegnat
Sure. But that’s certificates. They all need renewal. And all renewal paths are fragile.
#
Zegnat
I am just saying that automating Let’s Encrypt renewal is the least fragile path we have had so far.
#
Zegnat
And I agree with aaronpk that Let’s Encrypt urging people to actually take this path, by having low expiry times, is a good thing.
#
[tantek]
Again theory
#
[tantek]
I want to see the data that it actually has encouraged better renewal I practice.
#
[tantek]
*in practice.
#
[tantek]
Show me the data (no more just reasoning / blog posts) that shows lower expiry times = more renewals and uptime
#
Zegnat
Well. I know I didn’t do auto renewal before Let’s Encrypt. Judging from aaronpk’s earlier comment he didn’t do it automatically either. That’s at least 2 more people pushed towards auto renewal by Let’s Encrypt
#
[tantek]
I don't care if 100s of people "agree"
#
Zegnat
Because before, it was super easy to say “why automate a yearly thing?”
#
[tantek]
Again no don't care about the reasoning. Already over it.
#
[tantek]
So we have two data points you & aaronpk added automation *after* you switched to Letsencrypt ?
endi joined the channel
#
[tantek]
That's a start at least
#
dgold
add a third
#
Zegnat
Me: yes. aaronpk: I am assuming from his earlier comment.
#
[tantek]
I want to know how many http sites are now offline after having switched to Letsencrypt
#
[tantek]
That's the fragility I'm talking about
j12t joined the channel
#
Zegnat
But is that fragility Let’s Encrypt’s fault? You would need to compare all HTTP sites that have switched to free HTTPS certs, and then see how many of them remember to renew on time.
#
sknebel
I've seen quite a few people say that they won't switch to Let's encrypt because they don't want to / could not do automatic renewal and they didn't want to do it every 3 months by hand
#
sknebel
=> 3 months increases the pain enough for them
#
sknebel
(because manual renewal is easily forgotten or done wrong, so they really only want to do it as seldom as possible)
#
aaronpk
That's the opposite viewpoint I had, which is manual renewal is easy to forget so I want to do it often so that I don't forget how
#
schmarty
i would just as soon say that browsers should not "disable" a site because its cert has recently expired.
#
aaronpk
(That was prior to letsencrypt of course)
#
schmarty
especially if you have visited the site recently and the cert has not changed
#
aaronpk
schmarty: agreed, seems like a soft fail or warning about recently expired certs would be better than the brick wall you get right now
#
sknebel
schmarty: doesn't that just shift the problem to expire + "soon"?
#
schmarty
sknebel: i like aaronpk's suggestion of a warning or soft fail
#
schmarty
but hey i'm a curmudgeon who thinks that the whole CA system is poorly designed
#
aaronpk
Well that's a whole different story :-)
#
sknebel
softer warnings might be a thing, not sure about the reasoning there
#
Zegnat
Aren’t there soft warnings for certain things? Certs not expired but issued for a different domain, things like that?
#
Zegnat
I seem to recall you can then choose to click through/add exception
#
sknebel
in that sense, *all* warnings that are not HSTS/HPKP violations are "soft"
#
schmarty
browsers often allow you to click through and add exceptions unless the site has HSTS headers
#
schmarty
^ what sknebel said
#
Zegnat
Yeah, there might be a bigger problem with people setting up HSTS/HPKP without realising what this means exactly.
#
sknebel
is that a big issue?
#
sknebel
I can't remember any major incident, despite quite a few predictions that they'd happen
#
Zegnat
It makes it a lot harder to (even temporarily) serve your site without a valid cert
snarfed joined the channel
#
Zegnat
I don’t know any major incidents with expired certs either, sknebel. I thought we were talking about smaller/personal sites specifically at the moment :)
#
sknebel
Zegnat: I'd accept "major issues with a personal domain" as a "major issue" ;)
#
sknebel
haven't read anything about something like that either
#
sknebel
that doesn't mean it never happened
#
sknebel
but is some indication that nobody's rant about it blew up
#
Zegnat
I guess that’s why much of the chat has been anecdotal.
#
sknebel
well, forgotten renewals have happened all the time for instance, and you'll find many people saying it has happened to them or observing it happening
#
snarfed
from https://indieweb.org/SSL_expired#Maintenance_tax_and_site_fragility : "longevity and privacy/security are all worthwhile goals. We should work toward both of them at the same time, instead of seeing them as a (false) dichotomy."
#
snarfed
more concretely, i wish more web servers had an option to temporarily switch/redirect back to http after a cert has expired
#
snarfed
problematic because logged in users would send their cookies in the clear, but maybe worth the tradeoff
#
sknebel
snarfed: important cookies should be httpsOnly
#
sknebel
the bigger issue is that you can't redirect a user using https to http without a cert
#
sknebel
and if you do the typical 301 redirect to HTTPS browsers remember it
#
snarfed
eh yeah but servers could at least stop serving the http => https redirect
#
[tantek]
This is why I said fallback to http read-only. Implies no cookies
#
Zegnat
You can’t tell browsers “stop sending the cookies” unless you originally set them to httpsOnly, [tantek]. That’s one of those little pitfalls :(
#
[tantek]
Sounds more like a how to
#
[tantek]
What is httpsOnly?
#
Loqi
It looks like we don't have a page for "httpsOnly" yet. Would you like to create it?
#
[tantek]
And does the camelCase matter?
#
snarfed
but broadly, yes, servers could definitely build in some smart fallbacks to better handle expired certs, and sadly i've never seen those in any server before
#
[tantek]
That should be required.
#
[tantek]
I really don't get why so many are so ok with such fragility.
#
[tantek]
It's like XML draconian all over again
#
Zegnat
[tantek], the camelCase does not matter. It’s actually 2 separate settings. You want the cookie to have the “secure” flag and the “httpOnly” flag.
#
Zegnat
At least, PHP doesn’t have a single flag for it.
#
sknebel
oh, right
#
[tantek]
Wiki that? ^^^
#
Zegnat
What is cookie?
#
Loqi
It looks like we don't have a page for "cookie" yet. Would you like to create it?
#
Zegnat
Seriously?
#
Zegnat
What are cookies?
#
Loqi
It looks like we don't have a page for "cookies" yet. Would you like to create it?
#
[tantek]
What is httpsonly?
#
Loqi
It looks like we don't have a page for "httpsonly" yet. Would you like to create it?
#
[tantek]
CamelCase--
#
Loqi
camelcase has -1 karma in this channel (1 overall)
#
Zegnat
A cookie is a bit of data stored by the [[browser]] that gets sent with every request to a website.
#
Zegnat
cookies is /cookie
#
Zegnat
Now to add a security section there…
#
Zegnat
What is a browser?
#
Loqi
It looks like we don't have a page for "browser" yet. Would you like to create it?
#
Zegnat
Again. Seriously?!
#
sl007
What is Firefox?
#
Loqi
Firefox is a free, open source web browser made by Mozilla https://indieweb.org/Firefox
#
sknebel
Zegnat: I guess nobody who's been accessing our channels has had that question before ;)
KevinMarks joined the channel
#
Loqi
ok, I added "https://www.troyhunt.com/c-is-for-cookie-h-is-for-hacker/" to the "See Also" section of /cookie
#
Zegnat
That link is a good walk through if you think my security section is too succinct :)
eli_oat, snarfed, ricardokirkner, KartikPrabhu, wolftune, [kevinmarks], j12t, [tantek], Pierre-O, amz3`, gRegorLove, KevinMarks, jmelesky, sl007, Exodist, [miklb] and tbbrown joined the channel
#
Loqi
[superfeedr] "This gets a lot of the problem right, but proposes corporate answers not an #indieweb response https://www.wired.com/story/our-minds-have-been-hijacked-by-our-phones-tristan-harris-wants-to-rescue-them/amp" by Kevin Marks on 2017-07-29 http://known.kevinmarks.com/2017/this-gets-a-lot-of-the-problem-right-but-proposes
KevinMarks_, wolftune, KevinMarks, gigitux, amz3`, joshproehl, jacus and Exodist joined the channel
#
Loqi
[indienews] New post: "IndieWeb ActivityPub bridge" https://snarfed.org/indieweb-activitypub-bridge
#
snarfed
!tell tantek,aaronpk,strugee,KevinMarks,dgold,sebsel ^^^ i'd love thoughts on this if you have any! (https://snarfed.org/indieweb-activitypub-bridge )
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
[Ryan Barrett] IndieWeb ActivityPub bridge
KartikPrabhu, snarfed and KevinMarks joined the channel