 and go over here, my FOSSETCON shirt, I changed my shirt earlier. FOSSETCON, if you don't know, here in Florida a couple of years ago, this guy, Brian, really cool guy, started FOSSETCON here in Orlando, free and open source software conference, so it's not a Linux conference, he did two of them and the last one was in 2015 and there hasn't been one since. He always seemed very stressed out, it's a lot of work for him, so I understand why he hasn't done any, I've tried to contact him and he hasn't really replied to any of my things, but if Brian, if you're out there, I'd love another conference, man. Okay, so let's see. I wanna talk about, hmm, that's not the best lighting, let's, there we go. I wanna talk about a couple of weeks ago and I bring up this guy often, a lot of you probably watch his videos, you may have different feelings about him, Bryan Lunduke, Bryan Lunduke, I love watching his videos. I agree with a lot he says, I disagree with some of the stuff he says, especially when it comes to JavaScript stuff, he just hates JavaScript and I think his reasons are unfounded, but he recently did a video about HTTPS and why he doesn't use it on a site and it's his site, he can do whatever he wants and he brings up some valid points, but his arguments are poor and so this was his main two things, why he doesn't like HTTPS for, he's like, okay, obviously on banking sites and transaction stuff, but other sites, you don't need it and I disagree. 
First of all, let's talk about why you need HTTPS, even if you're not submitting forms or transferring personal information, is that if you've done any type of network sniffing, you know you can inject stuff, you know, the old joke of flipping all the images on a website or changing out the images, but really, if I am on a network, anybody else on that network, if the communication is not using HTTPS, it's not encrypted, they can not only see what I'm doing, but they can manipulate what I'm doing, they can redirect me to other pages, they can change text on this page, they can change download links, if I had to download something from a site, it could be infected with something malicious and it's just a bad idea to not have things encrypted when you can, not the end of the world. If I'm here at home, I'm kind of out in the middle of nowhere, there's no other house to surround me, so there's not a lot of, you know, Wi-Fi traffic, I would kind of notice if there was somebody else not here, somebody else not here, somebody here who's not supposed to be here, I have my network encrypted, but you know, if you're out on an open network and you're not using a VPN or some sort of tunnel or something like that, and people can sniff your traffic and they can change things. So let's say I went to Bryan Lunduke's website and I don't really know if he has anything to download, he has software he's written, but I think he probably has it up on GitHub or something, but let's say I wanted to download something from a site, even if something as simple as a PDF, if I'm using an insecure PDF viewer and there's some sort of malicious software or malicious code inside a PDF, I'm not too concerned about that since I don't use the Adobe viewer, but it directly could happen with any software that has a security issue in it. 
But let's say he puts the code for one of his projects online, and someone downloads that code and compiles it, it'd be very easy for someone to inject different code there, or even if I'm downloading, especially if I'm downloading binaries. So HTTPS is a good idea, even if you're not transmitting personal stuff, because I could be going to Bryan Lunduke's website and I could start reading stuff and someone on my network could inject text on there and also I think Bryan Lunduke's a Nazi, although it seems like some people already think he is, which is, he's not. So, that's reasons for HTTPS, even when you're not transmitting bank information or submitting forms, anything being transmitted to your computer can be injected. I mean, they can inject, if you have Flash enabled on your machine, they can inject a malicious Flash application. Hopefully I think a lot of people viewing this like me have Flash disabled majority of the time. I have it installed in Chrome, but I have it disabled except for sites that I enable it. But maybe, I mean, I doubt he has any Flash on his website. I can tell you right now he doesn't. But let's say I went to a site and I enabled Flash and they'll send someone injects another Flash and there's a Flash vulnerability, which there is all the time, blah, blah, blah, blah. Encrypt when you can. His arguments against putting HTTPS, encrypting the traffic to his site were two things. The first thing was he was talking about older machines becoming obsolete because they don't have options for the HTTPS. I am all about backwards compatibility when possible. And yes, you can leave HTTPS off and these old, I can open up Windows 95 and open up Windows Explorer and go to a website with HTTP or with HTML and download it. But even then a lot of stuff from those old machines aren't gonna work and his point is again, you should be backwards compatible. But yeah, but you also need to move forward at times. 
Earlier in this stream, I talked about how my site uses JavaScript, but I also have just plain HTML that does server-side stuff that you can use in the shell. My site works for both in that case. But what about HTTPS? My website uses HTTPS. Since Let's Encrypt is free, why wouldn't I? Well, according to him, you shouldn't because of older software, older operating systems, we won't be able to access the site then, which is not true. Not true because when you set up HTTPS, you have an option to auto forward to HTTPS. And you can disable that if you want. My site, as far as when I set up my encryption keys, I don't automatically forward. But then I do have some Apache settings that certain parts of my site automatically forward because there's some parts of my site that I made a while ago that I would need to update the code on the page because not all of it's encrypted and you'll get alerts, HTTPS will go. If you're trying to receive something that's not encrypted, it goes, whoa, which it should, this is not encrypted. But you have the option. I can have HTTPS on my site, but make it optional. So just having HTTPS, just encrypting your site does not mean that everyone has to encrypt if their software doesn't. That's an option of the website's designer. So just because you have HTTPS on your site doesn't mean that you're locking other people out. Now I could make it a requirement, okay? But again, he's talking about older hardware. And yeah, if you go way, way back, the older hardware, it's, you're not gonna be able to put much new software on, there's not software being developed for it. But a lot of older hardware, if you go back to the nineties, I can grab a nineties computer, run a current version of Linux on it and have HTTPS. So he's not talking about just old machines, he's talking about old software. And old software, I love working with old machines. I love seeing what type of modern stuff that I can, and things that I can accomplish on old hardware. 
But if you're choosing to use old software, you're choosing to use old software usually for fun. It's not productive stuff. Obviously there might be some examples out there, someone who's stuck with an old machine and they need to use this old software, which is really a bad habit, which means it's probably proprietary software because if it was open source, you'd be able to update it for the newer features. So I just don't like his first argument because one, like I said, I can have HTTPS but make it optional. So just having HTTPS on my site doesn't mean that I'm locking you out. If I mandated it, I don't think there's necessarily a way around it. For say, if the software doesn't work with security certificates, at least not the older stuff, you can tell newer software to ignore it, but I don't know if the older software would know what to do. But again, you're talking about a very small amount of the population. And if they really, really care that much, they should upgrade their software, either take the code and add in the functionality for HTTPS or just say, I can't go to these sites, right? So that's the first argument. His second argument is complete BS. His second argument is that HTTPS, because the security certificates expire after a time, make them DRM because if I designed a site, add a security certificate and then abandon that site after a certain amount of time, those certificates are gonna expire and my site is gonna become unusable, making it DRM, which is not true at all. Because even if I let my certificates expire, that doesn't prevent people from going to my site. They're gonna get an alert saying, hey, the certificate has expired, warning, don't go to this page unless you trust it, but you can always ignore that. Even with wget, you can say ignore SSL certificates, in Chrome and Firefox, you can say continue anyway. 
So it's not DRM having HTTPS on your site because just because certificates expire does not mean that you're preventing it from doing it because it can expire and that person just has to say, I don't care, let's go anyway, because that certificate's still there, they can still use that certificate, it's just expired and you're gonna get warnings on your machine unless you tell your computer, hey, ignore these, ignore these warnings and then you won't even see them. Like I said, with wget, you can say, I forget the exact minutes like dash dash no SSL certificate or something like that or SSL certificate no or false or something like that, you can tell it to ignore it. So it's not DRM because there isn't a limit on how long you can use that computer, that website because it expires, it's just a limit to where the certificate's considered valid and you can always ignore it. As far, if I'm wrong, let me know, write down in the comments and stuff like that, but as far as I know, at least with modern software, you can say ignore certificates even if they're expired. So no, I don't see it as DRM in the least. So those are his two arguments. I see the point of backwards compatibility, but at the same time, we can't live in the past for everything, there are certain things that we need to move forward and securing a website even if there's nothing private on there needs to be done because of injection, redirecting, all that sort of stuff, again on my local network, my network's encrypted, I'm pretty sure it's secure, I'm not worried here at home, but if I was out and about, which happens, and even if I'm doing it here at home, people in between your ISP and other people can interject stuff if they wanted to, obviously hopefully they wouldn't do that, but I see the point of his two arguments, but they're both invalid, especially the second one, that it's DRM, that's just ridiculous because it does not prevent you from going to site. It's the best of my knowledge. 
I even let the certificate on my website expire the other day, just for a little bit, and I was still able to get to my site just to test it out. So if you went to my site the other day and the certificate was expired, that's why, just was like that for a little bit. So yeah, again, with Let's Encrypt, there's no reason not to encrypt unless you're with a web host that doesn't let you use those certificates, which before I switched over, I currently use Vultr, I'm not paroling them, I've been very happy with them. It cost me $2.50 a month to have a website and an extra dollar to do bi-weekly, not bi-weekly, twice a week backups that in case something goes wrong, I can go back and then I can manually make backups as much as I want, images as much as I want. You don't let you pull those images takes elsewhere, although there's ways around that, you can boot a live CD and dd or image over and stuff like that, but with them, I just, you know, you set up a virtual machine, I log in, it's my Debian machine that I just set up and download the Let's Encrypt and run them and I'm good to go. Before that, I was with HostGator, which wasn't a virtual machine that I was using, it was just their web machine and to the best of me, I couldn't get Let's Encrypt to work and when I read, they didn't allow those certificates, you had to buy certificates from them and if you are with a service like that, you might wanna look into switching to another service, plus I was paying much more for the HostGator website. Anyway, encrypt, use Let's Encrypt and if a website like Bryan Lunduke's site doesn't support SSL, HTTPS and you're not on a secure net, what you consider a secure network, I suggest using a VPN or some sort of tunnel. 
Again, it's not the end of the world and really if you're not downloading stuff from that website, the worst, well, I'll say the worst that can happen because again, malicious plugins could be, you know, installing a site like Flash, but if you're smart, you have that stuff disabled, but still, it's like, you never know if you're looking at what you're supposed to be looking at if it's not encrypted, even then, you know, you can only trust it so far. So let's see, let me move here.