<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Actually, nvm - I did a quick search and apparently ERL =
EdgeRouter Lite. Have not seen it abbreviated that way before. I
have an EdgeRouter X, which also has a firewall baked in.</p>
<p>Calling it a night, but am pressing a spare Pi 3 into service. I
am embarrassed to say how that happened, but I am going to roll
Pi-hole + SNMP trap + OpenVPN on this thing. I may pelt the list with
questions when that happens. <br>
</p>
<p>- Damien<br>
</p>
<div class="moz-cite-prefix">On 2/8/20 8:34 PM, Rick Hornsby wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAP--A0m2KqCmMba0O20fjEBj70WtDG+AAumNU2MJo1rTptdumQ@mail.gmail.com">
<div class="gmail_signature">On February 8, 2020 at 18:09:22, Rob
Funk (<a href="mailto:rfunk@funknet.net" moz-do-not-send="true">rfunk@funknet.net</a>)
wrote:</div>
<div>
<blockquote type="cite" class="clean_bq">
<div>On Saturday, February 8, 2020 6:48:35 AM EST <a href="mailto:jep200404@columbus.rr.com" moz-do-not-send="true">jep200404@columbus.rr.com</a> wrote:<br>
&gt; On Sat, 8 Feb 2020 00:23:33 -0500, Chris Punches &lt;<a href="mailto:punches.chris@gmail.com" moz-do-not-send="true">punches.chris@gmail.com</a>&gt; wrote:<br>
&gt; &gt; Also I noticed today that we're now using a self-signed cert on the main website. We should probably stop doing that. I highly recommend ACME.<br>
&gt;<br>
&gt; What do we need a cert for?<br>
<br>
1. Because people going to the site over https will get a scary error page from their browser telling them it's insecure and unsafe. I don't know about Firefox, but on Chrome you have to click two different things from there in order to get to the page.<br>
<br>
2. Because encryption is no good if you can't be sure who you're talking to. Without a valid signed certificate the site can be intercepted (MITM) and modified/replaced by ISPs or anyone else who can get in your network path (e.g. someone else at the coffee shop) and use their own self-signed certificate.<br>
<br>
3. If the key is compromised and someone uses your self-signed certificate, the self-signed certificate can't be revoked.</div>
</blockquote>
</div>
<p>It’s certainly nostalgic, but I don’t particularly care for the
world that we live in, where HTTPS is all but a requirement for
all sites. An encrypted link to your destination regardless of
protocol more generally is the norm now - authenticated or not,
as it unfortunately should be.</p>
<p>My earliest experiences of playing with TCP-enabled
applications was using the RFCs to figure out how to manually
SMTP/POP3 into OSU’s mail servers because they would break too
often and somehow that would break Eudora. I learned a ton about
how things worked by doing that. Part of the reason I was able
to do that - using just telnet - was we weren’t nearly as
worried about bad actors then, so it was plain vanilla no
SSL/TLS SMTP/POP3/IMAP. Today, there are too many bad apples -
the ones you don’t know like hax0rs and the ones you know like
your ISP - to make encryption optional.</p>
<p>You wouldn’t think that #2 would be a thing from your ISP who
is just supposed to provide a link and that’s it. But I’ve seen
them inject content and basically stand between us and the
interwebs - either through cheesy “did you mean X? Here’s some
search results we think relate to domain name you seem to have
misspelled” DNS redirect pages (gtfo! AT&T), or ads
injected/added onto web pages you visit. That’s not to mention
logging and selling your interweb activity to anyone with a
nickel.</p>
<p>I can’t remember which ISP(s) do the ad injection thing, but I
seem to recall at least one recently offering a cheaper price if
you allow them to modify web pages in flight to show ads.</p>
<p>On the server side, LetsEncrypt/ACME makes dealing with TLS
certs _way_ easier than it ever has been. Also, LE is free as in
beer. There’s not a good reason to not have a properly signed
cert fronting your site, and a bunch of really good reasons to
use HTTPS everywhere.</p>
<p>I haven’t gone full site-to-site VPN from my residential link,
but I use CloudFlare encrypted DNS (DHCP server supplies the
config to all devices), and put a Ubiquiti ERL/firewall between
the cable modem and the LAN. All to keep TWC out of my business,
and reduce the impact of any cable modem vulnerabilities.</p>
<pre class="moz-quote-pre" wrap="">_______________________________________________
colug-432 mailing list
<a class="moz-txt-link-abbreviated" href="mailto:colug-432@colug.net">colug-432@colug.net</a>
<a class="moz-txt-link-freetext" href="http://lists.colug.net/mailman/listinfo/colug-432">http://lists.colug.net/mailman/listinfo/colug-432</a>
</pre>
</blockquote>
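<p>Rob's points 2 and 3 in the quoted message (a self-signed certificate says nothing about who you are talking to, and cannot be revoked) both come down to one property: the certificate's issuer is the site itself, so no trust anchor a client already holds vouches for it. The script below is an added example, not code from the thread or from any of its authors. It assumes only that openssl is on PATH; the names example.test and Demo CA, and the temporary files it writes, are constructed for the demo. It builds one self-signed certificate and one certificate issued by a small private CA (standing in for a public CA such as Let's Encrypt), then shows that the self-signed one fails chain validation unless the client is explicitly told to trust it, while the CA-signed one validates against its CA.</p>

```shell
# Added example, not code from the thread or from any of its authors.
# Assumes only that openssl is on PATH. example.test, Demo CA and the
# files under $WORK are constructed for this demo.

WORK="$(mktemp -d)"

# Self-signed: the site's own key signs the certificate, so issuer and
# subject are the same entity and nothing outside the site vouches for it.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" \
        -subj "/CN=example.test" >/dev/null 2>&1
}

# CA-signed: a small private CA stands in for a public one. The leaf is
# issued from a CSR, so its issuer is the CA, not the site itself.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Demo CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Exit 0 when the certificate's subject equals its issuer, which is the
# defining feature of a self-signed certificate.
is_self_signed() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit 0 when CERT ($1) chains to a trust anchor in CAFILE ($2). This is
# the check a browser performs against its built-in root store.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_self_signed
make_ca_signed

# Stand-alone report: which certificate a client would accept and why.
for name in self leaf; do
    cert="$WORK/$name.crt"
    if is_self_signed "$cert"; then
        echo "$name.crt: self-signed; fails validation unless the client is told to trust it"
    else
        echo "$name.crt: $(openssl x509 -in "$cert" -noout -issuer)"
    fi
    if chains_to "$cert" "$WORK/ca.crt"; then
        echo "  chains to Demo CA: yes"
    else
        echo "  chains to Demo CA: no"
    fi
done
```

<p>The last pair of checks is the practical point: the self-signed certificate validates only when it is itself supplied as the trust anchor, which is the "click through two warnings" step Rob describes. A Let's Encrypt certificate passes the same check in every browser because the Let's Encrypt root is already in the browser's store, and because it was issued by a CA, it can be revoked if the key leaks.</p>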
</body>
</html>