01:36 <yunfan> beneroth: i am more interesting of using cheap drone on agriculture

11:13 <Regenaxer> Hi all! Anybody an opinion about a request to use a "secret" port instead of the standard 443 for a web application?

11:13 <Regenaxer> I'm against it, but a customer believes it is "safer"

11:14 <Regenaxer> I don't want to do it, eg. because of problems with Let's Encrypt

11:14 <raydeejay> add a clause relieving you opf responsibility

11:14 <raydeejay> :-)

11:16 <Regenaxer> not an issue of responsibility

11:16 <Regenaxer> I think it is a bad idea

11:17 <Regenaxer> The other point is whether a VPN is safer than a single open port to httpGate

11:18 <Regenaxer> I'm against having to use a VPN

11:19 <Regenaxer> I believe only TLS via 443 is enough

11:19 <Regenaxer> The purpose is the communication of PilBox Apps with the central server

11:19 <Regenaxer> A very strict, limited protocol

11:20 <Regenaxer> Opening the center with a VPN is overkill imho, and a mess to install on mobile devices for a quick use

11:21 <Regenaxer> I have a meeting with them this afternoon, but it is a long-term issue so later opinions are welcome too :)

11:21 <mtsd> Hi, if it leads to problems with Let's Encrypt it seems changing the port leads to less security

11:21 <Regenaxer> indeed

11:22 <Regenaxer> Perhaps Let's Enc. can be fixed, but I did not investigate yet

11:22 <mtsd> If someone really wants to attack a site, changing the port is not going to stop them

11:22 <Regenaxer> Anyway it is the whole setup which I want to keep simple

11:22 <Regenaxer> Right! That's what I told them too

11:22 <Regenaxer> Security throug obscurity

11:23 <mtsd> Exactly, a simple setup is also easier to keep track of, to keep updated etc.

11:23 <Regenaxer> yep

11:23 <mtsd> No 'everything-is-alright-except-the-special-setup-we-forgot-to-take-care-of'

11:24 <mtsd> Been there ;)

11:24 <Regenaxer> :)

11:25 <mtsd> Let's Encrypt might be changed, but then there is yet another exception in the setup

11:25 <mtsd> No. I don't like changing the port either

11:25 <Regenaxer> ok

11:26 <Regenaxer> How about the VPN request?

11:26 <Regenaxer> I think it is another closed-source thing I don't want to trust

11:27 <Regenaxer> In principle you open up your whole network (if you get a rule wrong)

11:27 <Regenaxer> instead of a stupid https server

11:28 <mtsd> I have just started using a VPN to connect one server to our internal network. But you are right about the rules

11:29 <mtsd> I am never sure I have managed to get the setup right

11:29 <mtsd> I spent time reading the docs, but I still felt unsure

11:29 <Regenaxer> Sometimes a vpn might be necessary

11:30 <Regenaxer> But I have only https communication

11:30 <Regenaxer> db replication

11:31 <mtsd> Ok

11:37 <mtsd> My feeling is simply that changing the port does not provide much added security, just adding complexity to the setup.

11:38 <mtsd> And complexity in setups tends to reduce security

11:38 <mtsd> Something like that

11:38 <Regenaxer> agreed

11:42 <cess11_> Usually it is the implementation of authentication that is the weak spot in these matters. Introducing another set of authentication mechanisms by adding extra VPN adds new risks that need to be managed.

11:45 <cess11_> LE is the only CA worth relying on, the others are risky and some of the big ones have either had breaches or sold or given away secrets.

11:45 <cess11_> Self signed isn't an alternative for regular commercial web or network applications since most browsers discriminate against them for no particular reason.

11:48 <cess11_> If they put a service on 4443 instead of 443 it will still be easy to find with nmap. Using irregular ports alert ISP:s and those who run trojans in their routing equipment, which in itself is a way to ask for sinister interests to come looking.

11:51 <cess11_> LE can be used on irregular ports but not with certbot, it requires some other client and a bit of fiddling with the configuration. Not done it myself yet but I will over the coming months (unless I get swamped in work somehow).

11:52 <Regenaxer> Thanks cess11_!

11:52 <Regenaxer> "adding extra VPN adds new risks that need to be managed"

11:54 <Regenaxer> and the "sinister interests" :)

11:55 <Regenaxer> Yeah, I'm used to certbot

11:55 <Regenaxer> certbot certonly --standalone -d ...

11:56 <Regenaxer> Always worked very well for me

11:58 <cess11> I would advice against using alternate clients in commercial projects since those usually are works in progress and could contain bugs but sometimes it might be reasonable, at least if one audits the client code first and finds it OK.

11:59 <cess11> Still, in your case it will cost more and still attract more unwanted attention to the data traffic.

12:02 <Regenaxer> What kind of clients do you mean?

12:02 <Regenaxer> I my case it is PilBox

12:03 <Regenaxer> and sometimes browser for the web application if the device is online

12:05 <cess11> LE clients, like https://github.com/xenolf/lego .

12:05 <cess11> That update your cert from Let's Encrypt.

12:05 <Regenaxer> Ah

12:05 <Regenaxer> yeah

12:08 <Regenaxer> Thanks! Must go

12:08 <Regenaxer> afp

12:15 <aw-> Regenaxer: Let's Encrypt has a method that allows you to request certificates with DNS authentication,... but your DNS provider needs to have an API (ex: Linode)