
If you have a closed system, then you have two options: use plain http if you really trust the environment, or use your own CA and have a trusted https. Having an untrusted https and disabling it is a double waste of time.


We have our own CA but they don’t originate with any known root. They are self-signed certs.


That's ok, that's how you normally do it. But then the second step is adding that CA to the trusted store on all relevant clients, so that it can actually get verified. (Otherwise why bother with the CA, just self-sign everything individually)


It’s our lack of a DevOps / Platform Dept. Our traditional IT groups won’t do it, sadly.

I mean invest in Smallstep SSH - nope


So let me get this straight: your IT won't do something, you're too lazy to add one flag to your scripts, so your solution is to ask that everyone has their security downgraded instead? That's... one way to approach tech issues.


It’s obviously not a suggestion for everyone as I understand. If I could edit my original comment I would strike out my suggestion.
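
The private-CA arrangement discussed in this thread, as an added example that is not any commenter's code: a client that trusts only the CA certificate accepts every certificate that CA issues and rejects an individually self-signed one. It uses the `openssl` CLI; all subject names, host names and file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: every subject name and file name here is constructed.
set -u

# Create a throwaway private root CA, one server cert issued by it,
# and one individually self-signed cert for comparison.
make_pki() {
  local d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA: self-signed and marked as a CA. ca.key stays with whoever runs the CA.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Server key and CSR, then a leaf certificate signed by the CA.
  openssl req -new -config "$d/ca.cnf" -subj "/CN=build.internal.example" \
    -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:build.internal.example\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/srv.crt" 2>/dev/null || return 1
  # A cert that signs itself and has no relation to the CA
  # (it reuses the v3_ca section only to keep the demo short).
  openssl req -x509 -config "$d/ca.cnf" -subj "/CN=wiki.internal.example" \
    -newkey rsa:2048 -nodes -days 30 -keyout "$d/lone.key" -out "$d/lone.crt" 2>/dev/null
}

# Exit 0 only when cert $2 chains to the trust anchor in file $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d) && make_pki "$d" || exit 1
chains_to "$d/ca.crt" "$d/srv.crt"   && echo "CA-issued cert, CA trusted: verifies"
chains_to "$d/ca.crt" "$d/lone.crt"  || echo "individually self-signed cert: rejected"
chains_to "$d/lone.crt" "$d/srv.crt" || echo "CA-issued cert, CA not trusted: rejected"
rm -rf "$d"
```

Only `ca.crt` is distributed to clients; `ca.key` never leaves the machine that issues certificates.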



