[calebl]

FYI, since you're here: visiting your site on FF in Windows 10 is throwing an insecure error, saying you're using an invalid certificate. 100% possible that's somehow an error on my end - but just in case it isn't, thought you'd want to know. Sample URL throwing it: https://www.tedunangst.com/flak/post/books-chapter-three

Side note: I'm hugely grateful for all your work on OpenBSD.

[ams6110]

Same in FF on Mac OS X:

www.tedunangst.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

And in Chrome:

Attackers might be trying to steal your information from www.tedunangst.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

[vancan1ty]

Despite the browsers' dire warnings, you are still far more protected visiting a website with a self-signed certificate than visiting a plain http website.

[JdeBP]

M. Unangst xyrself said:

> Yesterday, reading this page in plaintext was perfectly fine, but today, add some AES to the mix, and it’s a terrible menace, unfit for even casual viewing.

-- https://www.tedunangst.com/flak/post/moving-to-https

[j_s]

Not sure how well this stacks up against automating LetsEncrypt these days.

[vancan1ty]

March 24, 2017 -- "During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites" [1]

LetsEncrypt isn't perfect either. You've got to be cognizant of what details you are sharing over the connection, regardless of who signs the certificate.

[https://it.slashdot.org/story/17/03/25/2222246/over-14k-lets...]

[j_s]

I agree!

> You've got to be cognizant of what details you are sharing over the connection, regardless of who signs the certificate.

So why not cut out the browser errors, for free? Somehow this vaguely feels like Don Quixote straining hard to hold onto the original definition of the term "hacker".

Props to this guy for sticking to his beliefs; I don't mean for this to be interpreted as saying anything should be changed.

[dchest]

There's no reason phishing sites shouldn't have encrypted connection. Case closed.

[ams6110]

more protected from what?

[vancan1ty]

- protected from third parties reading the data in transit

- protected from alteration of the data in transit without either end's knowledge

and, IF you have a means to authenticate the owner of the certificate outside of the regular certificate signing process

- protection from impersonation of the other end of the connection

[vancan1ty]

my point is that TLS can still be useful without the participation of a certificate authority. but you have to be careful.

[ams6110]

Right. I've visited Ted's site in the past, and had no certificate warnings. Now, suddenly, I am getting warnings. So isn't that the exact scenario in which I should be very suspicious?

It's just a blog; I'm not submitting anything, but still it's an indicator that something fishy might be going on.

[microtonal]

This is intentional:

https://lobste.rs/s/wr1oh7/openbsd_changes_note_625#c_sh1obq