<yunfan>
beneroth: i am more interesting of using cheap drone on agriculture
yumaikas is now known as yumaikas|away
aw- has joined #picolisp
alexshendi has quit [Ping timeout: 240 seconds]
orivej has joined #picolisp
rob_w has joined #picolisp
_whitelogger has joined #picolisp
mtsd has joined #picolisp
orivej_ has joined #picolisp
orivej has quit [Ping timeout: 256 seconds]
alexshendi has joined #picolisp
alexshendi has quit [Ping timeout: 260 seconds]
<Regenaxer>
Hi all! Anybody an opinion about a request to use a "secret" port instead of the standard 443 for a web application?
<Regenaxer>
I'm against it, but a customer believes it is "safer"
<Regenaxer>
I don't want to do it, eg. because of problems with Let's Encrypt
<raydeejay>
add a clause relieving you opf responsibility
<raydeejay>
:-)
<Regenaxer>
not an issue of responsibility
<Regenaxer>
I think it is a bad idea
<Regenaxer>
The other point is whether a VPN is safer than a single open port to httpGate
<Regenaxer>
I'm against having to use a VPN
<Regenaxer>
I believe only TLS via 443 is enough
<Regenaxer>
The purpose is the communication of PilBox Apps with the central server
<Regenaxer>
A very strict, limited protocol
<Regenaxer>
Opening the center with a VPN is overkill imho, and a mess to install on mobile devices for a quick use
<Regenaxer>
I have a meeting with them this afternoon, but it is a long-term issue so later opinions are welcome too :)
<mtsd>
Hi, if it leads to problems with Let's Encrypt it seems changing the port leads to less security
<Regenaxer>
indeed
<Regenaxer>
Perhaps Let's Enc. can be fixed, but I did not investigate yet
<mtsd>
If someone really wants to attack a site, changing the port is not going to stop them
<Regenaxer>
Anyway it is the whole setup which I want to keep simple
<Regenaxer>
Right! That's what I told them too
<Regenaxer>
Security throug obscurity
<mtsd>
Exactly, a simple setup is also easier to keep track of, to keep updated etc.
<Regenaxer>
yep
<mtsd>
No 'everything-is-alright-except-the-special-setup-we-forgot-to-take-care-of'
<mtsd>
Been there ;)
<Regenaxer>
:)
<mtsd>
Let's Encrypt might be changed, but then there is yet another exception in the setup
<mtsd>
No. I don't like changing the port either
<Regenaxer>
ok
<Regenaxer>
How about the VPN request?
<Regenaxer>
I think it is another closed-source thing I don't want to trust
<Regenaxer>
In principle you open up your whole network (if you get a rule wrong)
<Regenaxer>
instead of a stupid https server
<mtsd>
I have just started using a VPN to connect one server to our internal network. But you are right about the rules
<mtsd>
I am never sure I have managed to get the setup right
<mtsd>
I spent time reading the docs, but I still felt unsure
<Regenaxer>
Sometimes a vpn might be necessary
<Regenaxer>
But I have only https communication
<Regenaxer>
db replication
<mtsd>
Ok
<mtsd>
My feeling is simply that changing the port does not provide much added security, just adding complexity to the setup.
<mtsd>
And complexity in setups tends to reduce security
<mtsd>
Something like that
<Regenaxer>
agreed
<cess11_>
Usually it is the implementation of authentication that is the weak spot in these matters. Introducing another set of authentication mechanisms by adding extra VPN adds new risks that need to be managed.
<cess11_>
LE is the only CA worth relying on, the others are risky and some of the big ones have either had breaches or sold or given away secrets.
<cess11_>
Self signed isn't an alternative for regular commercial web or network applications since most browsers discriminate against them for no particular reason.
<cess11_>
If they put a service on 4443 instead of 443 it will still be easy to find with nmap. Using irregular ports alert ISP:s and those who run trojans in their routing equipment, which in itself is a way to ask for sinister interests to come looking.
<cess11_>
LE can be used on irregular ports but not with certbot, it requires some other client and a bit of fiddling with the configuration. Not done it myself yet but I will over the coming months (unless I get swamped in work somehow).
<Regenaxer>
Thanks cess11_!
<Regenaxer>
"adding extra VPN adds new risks that need to be managed"
<Regenaxer>
and the "sinister interests" :)
cess11_ is now known as cess11
<Regenaxer>
Yeah, I'm used to certbot
<Regenaxer>
certbot certonly --standalone -d ...
<Regenaxer>
Always worked very well for me
<cess11>
I would advice against using alternate clients in commercial projects since those usually are works in progress and could contain bugs but sometimes it might be reasonable, at least if one audits the client code first and finds it OK.
<cess11>
Still, in your case it will cost more and still attract more unwanted attention to the data traffic.
<Regenaxer>
What kind of clients do you mean?
<Regenaxer>
I my case it is PilBox
<Regenaxer>
and sometimes browser for the web application if the device is online
<cess11>
That update your cert from Let's Encrypt.
<Regenaxer>
Ah
<Regenaxer>
yeah
<Regenaxer>
Thanks! Must go
<Regenaxer>
afp
<aw->
Regenaxer: Let's Encrypt has a method that allows you to request certificates with DNS authentication,... but your DNS provider needs to have an API (ex: Linode)
aw- has quit [Quit: Leaving.]
tankf33der has quit [Quit: Connection closed for inactivity]
orivej_ has quit [Ping timeout: 260 seconds]
tankf33der has joined #picolisp
alexshendi has joined #picolisp
mtsd has quit [Quit: Leaving]
karswell has quit [Remote host closed the connection]