Hacker News new | past | comments | ask | show | jobs | submit login

I could not agree more. Information Technology, for reasons unknown to me, seems to ferment a kind of extremism with a large helping of "if you are NOT doing it this way you are what is killing the world," and the "SSL All the Things!" people are a great example of it. I've heard people suggest that you should just dump your web-serving software in favor of a different webserver that works better with Let's Encrypt, nevermind that a lot of people in the real world are running niche proprietary software that has very specific webservers they are tightly-integrated with. And -- it has been argued to me -- the solution was to not just get in that service sector in the first place.



Most of the time, you can stick Nginx or HAProxy in front of it all, and terminate TLS there, with the last part on your interal network being HTTP.


Sounds great until you consider threats inside your network


I think many here don't get that not working in a tech startup is very different.

The IT budget is shrinking every year instead of increasing with company profits and sometimes a 3 person team needs to handle 300 users plus those machines that nowadays are tightly interconnected. These 300 users are essentially a threat to the company because they often click on anything they get per mail.

So you need to encrypt everything as much as possible to decrease the attack surface inside the network.


> These 300 users are essentially a threat to the company because they often click on anything they get per mail.

I agree, but I have to mention as well that in general all teams (not only IT) got reductions of budgets and amount of employees and in the end everybody is very stressed most of the time, which in turn makes everybody pay less attention to what they're doing.

In my case (IT) last year I received an email with the title "ACTION REQUIRED" and I just blindly opened it and clicked on the link of the document which I was supposed to fill out, and (luckily) it was just a well-crafted internal test related to phishing (which then of course I failed => I then had to take an online course) - in my opinion the problem is that nowadays we're permanently under pressure to deliver/react/do stuff with very short lead times and it's therefore hard after a while not to start to unwillingly forget best practices related to security.

This year the company I'm working for has started as well to use quite often external companies (websites) to provide some services => doing that makes identifying phishing emails even more difficult for me.


You can terminate SSL at nginx and forward over socket or local port to service bound only on localhost. Then you can LB over the nginx's. You can even deploy the same certs to all of them.


Assuming the device isn't some embedded system or router.


It is also assuming that Baldrick, Hacker Extraordinaire, hasn't installed his brainchip in all your developers' brains. That is true.


You can use a secure link between the front-end nginx and the backends (VPNs, another TLS connection with a cert signed by an internal CA, IPsec, ...)


If it's running Linux and you can add HAproxy or Nginx directly to it you can sidestep that issue as well.


As gp said: "different webserver that works better with Let's Encrypt"

nginx is one of the most common examples of that




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: