21 comments

[ 4.8 ms ] story [ 44.1 ms ] thread
This is genuinely a huge win for the EFF. While I’m sure haters will point out that the EFF did almost none of the lifting the much much harder problem is coordinating millions of people to focus on a specific goal and the EFF made “HTTPs Everywhere” a thing that got honest to god real mindshare across the whole industry.

Coordination problems like this are capital H hard. It’s why almost all boycotts, petitions, union formations, vote with you feet/wallet don’t go anywhere because it’s trying to herd cats. Encrypting the web became an inevitability because of the EFF’s work.

So sincerely, amazing job to everyone who worked on the initiative. You crazy fools actually did it!

>2021 was the year the other major browsers followed suit, starting with Chrome introducing an HTTPS default for navigation when a user types in the name of a URL without specifying insecure HTTP or secure HTTPS.

Is it enabled on Android? Last week a few links on HN resolved to HTTP for me, even though HTTPS was available for those sites (I checked). I noticed it because my provider injects ads in unencrypted traffic.

The only relatively mainstream site I can think of that doesn't use https is the Australian Bureau of Meteorology [1]. The weather isn't exactly sensitive info but I don't see any excuse not to just set this up.

[1] https://www.bom.gov.au/

I think they should support both and not automatically redirect from http to https.

The comment just above you:

> Admittedly a small problem, but for microcontrollers that don't support https and just want to get some publically available data like weather-- it is an issue. So lots of hobbiest projects are basically turned off because of this.

... and it is an nightmare...

The web is centralized as it never was before. We have to constantly (every 3 months) renew letsencrypt certificates. They do breaking changes to the tools and protocols to do that with the same periodicity. Now you need this shitty snap to do that. And private networks devices are still an unsolved problem no one talk about...

They claim [1] that they won't be making breaking changes to the protocol, unless absolutely necessary.

Many web servers/reverse proxies such as Caddy and Traefik have build-in ACME handling, so as long as you keep them up to date, your certificates should be correctly renewed. From my experience, configuration of ACME with either of them is a breeze.

I'm not sure why nginx and Apache don't implement this, considering they are the most popular servers.

[1] https://letsencrypt.org/docs/acme-protocol-updates/

There is no legitimate reason why you would need to keep all your servers updated all the time just because you want to have your cert continuing working.

On my case, I was annoyed with an old vps for example because impossible to use docker or snap because you need kernels modules that you don't control in such a setup.

I've had several instances of ACME bot deciding to randomly fail behind Cloudflare, so I've switched to using CF Origin certs on a few hosts. It's not ideal, but it works for my public needs. I'm still running PiHole locally with no certs, which I dislike.
I am not using the official tools, but for the one I'm using, I have had to change something exactly once in several years.
Just always use the latest Docker image of the LetsEncrypt tools. Will always be a working, up to date version that way.
fun fact: even neverssl.com has https now, which it promises to never have lol
Safari still cannot connect to a server exposing only 443/https, and apparently tries to reach port 80.

Chrome/Firefox support this without an issue.

I'm curious, are there any ~~competitors~~ alternatives for Letsencrypt?
Yes.

ZeroSSL.com (Aka Comodo), BuyPass.com, SSL.com

All offer 90 days or more free SSL certs

Admittedly a small problem, but for microcontrollers that don't support https and just want to get some publically available data like weather-- it is an issue. So lots of hobbiest projects are basically turned off because of this.