Sysadm - Maja Ingerslev's blog - Den røde blog

Why SSL on your domains is bad practice...

Enforcing SSL on users in 2016?

Surely you're not the only one, living in fear after the NSA and Snowden case...

But there are many big problems with enforcing SSL on users: they may be using older PCs or not have the newest certificates, and you may make their lives a living hell by enforcing SSL.

If you run SSL domains, please do not ENFORCE it! Do not redirect http to https. It is a stupid beginner sysadm mistake!

SSL on domain in Apache 2... And Why It's Bad For You. Do Not Use SSL!

SSL in Apache 2 is Bad For You! Do Not Abuse SSL!
Sorry... only SSL users allowed in here!

Go eat your hat.

We only care for SSL users on this domain.
You are not worthy to use our site. Yes, that is basically what we say.

Here are the foolish SSL domains...


1. mozilla.org, very stupid, now no old users can get in
2. ftp.mozilla.org, this is as stupid as it can get
3. insert your favorite hated SSL domains here. Domains enforcing SSL on you.


Other side effects:

  • wget will no longer work
  • curl will no longer work

You cannot fetch files from SSL servers easily; if your PC clock is set wrongly, no certs work and you get rejected from the site.

SSL should only be used as a last resort case.

It has its uses...

It is great to use on mail servers, where high security is of utmost importance. Where certificates are bought for that reason.

It also has its use for openssh/ssh connections.

But nowhere else really, unless your site is a whistleblower site like Snowden's sites, Assange's site, WikiLeaks or such.

If you do not want to get hunted down.


But enforcing ssl is stupid.
Do not enforce ssl on users.


SSL should be voluntary.
It is your duty as a sysadmin to ensure the users can choose themselves.

do NOT redirect http:// to https://

That is lame.
It ruins the user experience. Maybe the user does not want to be forced to https?

  • HTTPS is slower.
  • Requires more server and client CPU.
  • Requires newer client software, software the user likely hasn't got.
  • Requires the user to have the PC clock set right. If the clock lags behind, users are refused access to your site. They must use an NTP service if they want to be sure to access your site. This is because certs appear old if the clock is behind by a few seconds or minutes!

SSL is just a pain in the ass.
And many domains are enforcing it now.

I can't say I didn't do it myself once. I was this stupid too once.
But I've learned from my mistakes.

Please sysadms, get some clue!


Here are some of the ugly errors you can get if you enforce SSL on your domains... NOT worth it!



# wget https://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
--2016-09-07 00:33:45-- https://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
Resolving www.seeklogo.net... 104.27.177.137, 104.27.176.137, 2400:cb00:2048:1::681b:b089, ...
Connecting to www.seeklogo.net|104.27.177.137|:443... connected.
OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Unable to establish SSL connection.
# wget http://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
--2016-09-07 00:33:50-- http://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
Resolving www.seeklogo.net... 104.27.176.137, 104.27.177.137, 2400:cb00:2048:1::681b:b189, ...
Connecting to www.seeklogo.net|104.27.176.137|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png [following]
--2016-09-07 00:33:51-- https://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
Connecting to www.seeklogo.net|104.27.176.137|:443... connected.
OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Unable to establish SSL connection.
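As an added example (not code from the post), here is a small Python parser for wget transcripts like the one above. For each download attempt it records the URL requested, every redirect wget followed, and how the attempt ended, so a run that started on http:// and only failed after a 301 to https:// is reported as lost to the redirect. It also keeps the post's error, a TLS alert the server sent during the handshake before any certificate was examined, apart from certificate-verification failures, which are what a client with a wrong clock sees. The first log is the two runs' output copied from the post; the second is a constructed sample in the shape of wget's verification error, not output from the post.

```python
import re
from dataclasses import dataclass, field

# Output of the two wget runs copied from the post above.
WGET_LOG = """\
--2016-09-07 00:33:45-- https://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
Resolving www.seeklogo.net... 104.27.177.137, 104.27.176.137, 2400:cb00:2048:1::681b:b089, ...
Connecting to www.seeklogo.net|104.27.177.137|:443... connected.
OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Unable to establish SSL connection.
--2016-09-07 00:33:50-- http://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
Resolving www.seeklogo.net... 104.27.176.137, 104.27.177.137, 2400:cb00:2048:1::681b:b189, ...
Connecting to www.seeklogo.net|104.27.176.137|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png [following]
--2016-09-07 00:33:51-- https://www.seeklogo.net/wp-content/uploads/2012/04/facebook-like-logo-vector-400x400.png
Connecting to www.seeklogo.net|104.27.176.137|:443... connected.
OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Unable to establish SSL connection.
"""

# Constructed sample (not from the post) in the shape wget prints when
# certificate verification fails, the symptom a client with a clock set behind sees.
SKEW_LOG = """\
--2016-09-07 00:40:00-- https://example.test/file.png
Resolving example.test... 192.0.2.10
Connecting to example.test|192.0.2.10|:443... connected.
ERROR: cannot verify example.test's certificate, issued by 'CN=Example CA':
  Issued certificate not yet valid.
To connect to example.test insecurely, use `--no-check-certificate'.
"""

START_RE = re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+(\S+)")
LOCATION_RE = re.compile(r"^Location:\s+(\S+)\s+\[following\]")
RESPONSE_RE = re.compile(r"^HTTP request sent, awaiting response\.\.\.\s+(\d{3})")


@dataclass
class Attempt:
    url: str                                        # URL the user asked for
    redirects: list = field(default_factory=list)   # URLs wget was sent on to
    status: int = 0                                 # last HTTP status seen, 0 if none
    outcome: str = "unknown"                        # ok / tls_handshake_failed / cert_verification_failed
    reason: str = ""                                # wget's verification reason line, if any


def parse_wget_log(text):
    """Split a wget transcript into attempts; a '--time-- url' line right after a
    'Location: ... [following]' line is a redirect hop, not a new attempt."""
    attempts, cur, following = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            if following and cur is not None:
                cur.redirects.append(m.group(1))
                following = False
            else:
                cur = Attempt(url=m.group(1))
                attempts.append(cur)
            continue
        if cur is None:
            continue
        if LOCATION_RE.match(line):
            following = True
            continue
        m = RESPONSE_RE.match(line)
        if m:
            cur.status = int(m.group(1))
            if cur.status == 200:
                cur.outcome = "ok"
            continue
        if line == "Unable to establish SSL connection.":
            # Server-side handshake alert: aborted before any certificate was checked.
            cur.outcome = "tls_handshake_failed"
        elif line.startswith("ERROR: cannot verify"):
            cur.outcome = "cert_verification_failed"
        elif (cur.outcome == "cert_verification_failed" and not cur.reason
              and (line.startswith("Issued certificate") or line.startswith("Unable to locally verify"))):
            cur.reason = line
    return attempts


def lost_to_redirect(attempt):
    """True when a plain-http request was answered but a redirect pushed the
    client onto https, where it then failed."""
    return (attempt.url.startswith("http://")
            and any(r.startswith("https://") for r in attempt.redirects)
            and attempt.outcome != "ok")


if __name__ == "__main__":
    for a in parse_wget_log(WGET_LOG) + parse_wget_log(SKEW_LOG):
        print(a.url, a.status, a.outcome, a.reason, "lost to redirect" if lost_to_redirect(a) else "")
```

Run over the post's transcript it reports two attempts, both ending in a handshake failure, and flags only the second one as lost to the redirect: the http:// request was answered (301), so the client was excluded by the redirect rather than by anything it asked for.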



Unable to access mozilla.org. Invalid security certificate (Mozilla Firefox)

403 error. This page is only available over SSL, https. Please use the https version of this page!

Nice way to annoy all your users..
They may not come back, though. You may exclude as much as 70% of your users by using SSL on your domains...

As many as 70% may have non-SSL browsers, e.g. IE 5.0 or such with outdated certs, and a PC clock that runs wrongly, so they cannot get in. They will not understand that the error message is due to their PC clock running behind. A clock that is not in sync will give browser SSL errors!!
So the user cannot understand why he/she cannot access your page, and tries to troubleshoot for hours, only to find out they need an NTP service to enter your site. They must have an accurate PC clock; SSL requires this.
Windows XP users will no longer be able to enter. Microsoft disabled the NTP service that users sync their PC clock to.

Something worth thinking about.

Never enforce ssl. It is bad practice.

Just make it an option for the user , if he/she wants!


Nobody likes getting enforced stuff anyway.

See also:


Mozilla enforces SSL on their main domain, thus breaking non-SSL browsers and old Firefoxes!


Who is author?


He is an old-time sysadmin who has worked in larger server parks for years. He also runs a few DNS servers authorized by DK-Hostmaster. And he runs many virtual hosts on Apache, so he knows how annoying SSL on domains can be. Thus he never recommends using it.

Isn't security a user obligation, and not an admin obligation?


In Category:

  • SSL is bad for you
  • Mod_Rewrite is bad for you
  • Http to https redirect is wrong!
  • Http to https redirect in Apache 2.
  • Do not redirect http to https in apache2
  • SSL on domain - How to.
  • Http to https redirect is a bad practice...
  • SSL on domain - How to in Apache 2.
  • Postfix ssl tutorial
  • Postfix ssl howto
  • Postfix sasl how to
  • Say No To SSL on Domains
  • How to redirect http to https by not doing it.
  • Enable SSL Apache 2 https howto - A guide and tutorial.
  • 10 reasons not to enable https on your webserver.


This is why I call this guide 10 reasons NOT to enable https on your webserver

Do things the right way.


You want only top-security sites to have https on:

  • Your netbanking
  • Your email provider's server, as they buy certs for it.
  • Leak sites of secret military stuff, e.g. WikiLeaks, so the users cannot be surveilled.
  • Google (but should be OPTIONAL)
  • Wikipedia (should be optional https)

But no ordinary site needs https unless it has political causes that may put the users in jail or such.

Unless your site has that or falls into one of the above categories, you do not need https likely.

Adding https to your site will only annoy users, cause your site to load slower and cost more CPU.

Polluting the environment and the users computers with needless certs they do not need.


For sites that have stuff you may get arrested for, e.g. Wikipedia if you search for bombs etc., it can be a good idea to allow https or make it mandatory.

But on normal sites it is just stupid. Those certificates will also expire every 2 years or so, so you forget to renew them, thus annoying your users further with a 403 error every 2 years.
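The clock-skew complaint earlier in the post (a certificate looks invalid when the client's clock is behind) and the forgotten-renewal complaint in this paragraph are both questions about where the current time falls in a certificate's validity window. The following Python is an added example, not the author's code: it classifies a certificate summary in the shape Python's ssl.SSLSocket.getpeercert() returns (the summary and its dates here are constructed) against a given clock reading, counts the days left for a renewal reminder, and tells a client-clock problem apart from a server-side expired certificate by checking the same certificate against a trusted reference time. The CERT dictionary, the utc() helper and the function names are my own choices.

```python
import calendar
import ssl

# Constructed certificate summary in the shape ssl.SSLSocket.getpeercert() returns;
# not a real certificate, dates chosen for the example.
CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "notBefore": "Sep  1 00:00:00 2016 GMT",
    "notAfter": "Sep  1 00:00:00 2018 GMT",
}

DAY = 86400


def utc(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC date, so the example needs no live clock."""
    return calendar.timegm((year, month, day, hour, minute, second))


def validity_window(cert):
    """(notBefore, notAfter) as epoch seconds; ssl.cert_time_to_seconds parses the GMT strings."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def classify_cert(cert, now, warn_days=30):
    """Where 'now' (epoch seconds) falls in the validity window:
    'not_yet_valid' (a clock behind notBefore), 'expired' (nobody renewed),
    'expiring_soon' (within warn_days of notAfter) or 'valid'."""
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now < warn_days * DAY:
        return "expiring_soon"
    return "valid"


def days_until_expiry(cert, now):
    """Whole days left before notAfter, negative once expired: the number a
    renewal cron job would alert on instead of waiting for users to complain."""
    return (validity_window(cert)[1] - now) // DAY


def diagnose(cert, local_now, reference_now):
    """Is a rejection the server's problem or the client's? The certificate is
    checked against the local clock and against a trusted reference (e.g. the
    time an NTP server reports). Invalid against the reference: the server must
    renew. Invalid only against the local clock: the client's clock is off."""
    against_ref = classify_cert(cert, reference_now)
    if against_ref in ("expired", "not_yet_valid"):
        return f"server: certificate is {against_ref}, renew it"
    against_local = classify_cert(cert, local_now)
    if against_local in ("expired", "not_yet_valid"):
        skew = int(local_now - reference_now)
        return f"client: clock off by {skew:+d}s makes a valid certificate look {against_local}"
    return f"accepted: {against_ref}"


if __name__ == "__main__":
    for when in (utc(2016, 8, 31), utc(2017, 1, 1), utc(2018, 8, 15), utc(2018, 9, 2)):
        print(when, classify_cert(CERT, when), days_until_expiry(CERT, when))
    # A client whose clock is months behind, checked against a correct reference clock.
    print(diagnose(CERT, local_now=utc(2016, 8, 31), reference_now=utc(2017, 1, 1)))
```

The same window check serves both complaints: run classify_cert() or days_until_expiry() from a scheduled job against your own certificate to get the renewal warning before users hit the expired-certificate error, and use diagnose() when a user reports a rejection, since a certificate that is fine against a reference clock but not against theirs points at their clock, not at your server.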

Using ssl is a stupid sysadm beginner mistake. And even worse is self-signed certificates.

Of course the newbies do not even know what anything of this means, they just think https is cool and they want that on their webserver.

Do not use something you do not need.

It gives hidden problems down the road... many.

Avoid https unless you strictly need it. It has its few uses, but they are not that many.


Another big problem is that it will cause you, as a site admin, much pain and troubleshooting, time you do not need. Of course you may think you're such a competent system admin that it is easy as pie to set up.

But in a year or two you have forgotten how it was set up; now one cert does not work or has the wrong permissions. Certs add extra server maintenance, and are something you must remember to set up every time you migrate your server, which is often.

It is just pain to maintain. Do not use certs unless you need them.



Apache 2 SSL certificates. Which one? None. SSL is bad for you! Avoid SSL! Bad sysadm practice.


...

You think I'm wrong here?

People abuse HTTPS just like they abuse mod_rewrite in Apache 2

Both are beginner, foolish mistakes.

Now every page on their webserver becomes yourdomain.com/i-got-cool-url-watch-me-here-selling-you-stuff-check-this-cool-long-url-i-can-use-mod-rewrite

But it should be yourdomain.com/store.html


Same for https...
Abusing https everywhere, only adds clutter.



Get sane today:

  • Avoid using SSL unnecessarily

  • Do not abuse mod_rewrite



You don't use a hammer to screw in a screw either. Use the right tool for the job. Http.


2016-09-07 - By Maja Ingerslev
 
 