Holy crap, Let's Encrypt is super easy!

Well, I just set up Let's Encrypt on my home server for the first time.  When I was finished, my first thought was, "Damn, that was awesome!  Why didn't I set that up a long time ago?"

If you're not familiar with Let's Encrypt, it's a non-profit project of the Internet Security Research Group to provide website operators with free SSL certificates.  The idea is to make it easy for everyone to have SSL properly enabled for their website, as opposed to the old days when you had to either buy an SSL certificate or use a self-signed one that browsers would complain about.

I didn't really know much about Let's Encrypt until recently, other than the fact that they provide free SSL certs which are actually trusted by browsers.  And really, that was all I needed to know to be interested.  So I decided to try it out on my home server.  I was already using them on this website, but that was a slightly different situation: my web host integrated Let's Encrypt into their control panel, so all I had to do to set up a cert for one of my subdomains was click a button.  Super convenient, but not really any learning process there.

It turns out that setting up my home server to use the Let's Encrypt certs was pretty painless.  The recommended method is to use certbot, which is a tool developed by the EFF.  It basically automates the entire process of setting up the certificate.  Seriously - the entire process.  It's actually way easier to set up a Let's Encrypt cert with certbot than it is to make your own self-signed cert.  You just need to run a command, answer a couple of questions, and it will get the certs for each of your sites, install them, and keep them updated.  The only catch is that you need root shell access and your web server has to be accessible via port 80 (for verification purposes).

Compared to the old self-signed cert I was using, this is way easier.  You don't have to generate any keys, or create a CSR (Certificate Signing Request), or edit your server config files.  Running certbot takes care of everything for you.  So if you haven't tried Let's Encrypt and you're running a site that could use some SSL, I definitely recommend it.
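As an added example (not from this post or from certbot), here is a small POSIX shell check for the one part of the setup that can still fail silently: renewal.  Let's Encrypt certificates are valid for 90 days and certbot renews them once fewer than 30 days remain, so a live certificate with less than 30 days left means the renewal job has stopped working.  It assumes `openssl` is on the PATH; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: detect a stalled certbot renewal by checking the certificate
# a server is actually presenting. Let's Encrypt certs live 90 days and certbot
# renews when < 30 days remain, so < 30 days left means renewal is NOT running.
# Requires the openssl command-line tool.

# needs_renewal CERT_PEM [DAYS]
#   Returns 0 if CERT_PEM expires within DAYS days (default 30), 1 otherwise.
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    seconds=$(( days * 86400 ))
    # "openssl x509 -checkend N" exits 0 while the cert is still valid N seconds
    # from now, 1 once it would have expired; we want the opposite sense.
    ! openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1
}

# fetch_live_cert HOST OUT_PEM
#   Pull the certificate the server is serving right now (not the file on disk),
#   so a renewed-but-not-reloaded web server is caught as well.
fetch_live_cert() {
    host="$1"
    out="$2"
    echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# make_test_cert OUT_PEM DAYS
#   Constructed self-signed certificate, used only to exercise needs_renewal
#   offline; the private key is written next to it and never used again.
make_test_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=example.test" >/dev/null 2>&1
}

# Usage against a real deployment (placeholder hostname):
#   fetch_live_cert "www.example.test" /tmp/live.pem
#   needs_renewal /tmp/live.pem 30 && echo "WARNING: certbot renewal is not running"
```

Running this from a cron job on a different machine than the one certbot lives on means a broken renewal timer cannot also silence the alert.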

Thinking about DNS over HTTPS

I read an interesting article on the drawbacks of DNS over HTTPS (DoH) the other day.  This comes on the heels of the news that Mozilla is rolling out DoH to all Firefox users by default.

I'd never really thought too much about DoH.  In general, more encryption is usually better, so my initial thought was "it's probably a good thing", but that's about as deep as it went.  After reading a little more about the down sides, I'm less convinced.  I still think it's probably a good thing that DoH exists, but I'm not so sure that it's a good idea to push everyone toward it.

My main reservation at this point is that DoH seems architecturally wrong.  It introduces a way to do DNS queries that's not really compatible with the old way and it's not clear to me that it offers any really big wins.

Of course, I'm not saying that DoH has no benefits or use-cases.  There are definitely cases where it can be useful and add another layer of privacy.  But it kind of reminds me of PHP "security" features like safe_mode in the sense that it does solve a legitimate problem, and does so in a way that "works" (for certain definitions of "works"), but solves it at the wrong layer and in a way that can interfere with other legitimate things.

As this blog from the PowerDNS team discusses, DoH is not a panacea in terms of privacy.  Yes, it adds a layer of encryption, and that is definitely useful in some cases.  But it doesn't do anything to address the myriad other ways in which your online activity can be tracked.

Of course, that depends very much on whom you want to stop from tracking you.  Obviously it does zero to stop advertisers or website operators from tracking you - they do their tracking at a much higher level.  It also doesn't stop your ISP from tracking you - even if everything else is encrypted, you can't stop your ISP from knowing the IP addresses you visit.  I mean, that's just how the web works.  And from an IP address, you can usually determine the website pretty easily.  And, of course, your DoH provider still has access to all your DNS requests, so you better make sure you trust them.

For me, personally, the bottom line is that DoH doesn't give you anything that you don't already get with a half-way decent VPN provider.  Granted, the VPN provider is then your single point of privacy failure, so you better make sure you pick a reputable one (I like and recommend Private Internet Access).  But a VPN covers pretty much everything you can do at the network level, not just DNS for web requests.  Of course, you still need browser privacy plugins to block tracking at higher levels in the stack, but sadly that's necessary either way.

WiFi doesn't work, but only in one place

So here's a random Windows 10 issue: I can't connect to WiFi.  But only one particular WiFi access point.  And I have no idea why.

On Saturday mornings, I take my son to a social skills class.  He's too young to drop off and leave (and I don't really have anything nearby that I want to go to), so I sit in their lounge area and do stuff on my laptop - code, blog, whatever.  Well, this fall they moved to a new building, which is really nice.  But that means that they changed their network and now my laptop refuses to connect to the WiFi.

This is fairly infuriating, because it's not even remotely apparent what the problem is.  My phone can connect to the WiFi with no problem at all - it's just my laptop.  Windows doesn't give me any error message or information beyond "could not connect," so I really have nothing to go on in terms of looking for a solution.  I've never had problems connecting this laptop to any other WiFi access point, and I don't think anything has changed with it recently.

The problem doesn't seem to be an adapter issue, because I tried plugging a USB WiFi adapter into the laptop and that experienced the same problem trying to connect.  So the problem seems to be with Windows.  I suppose I could confirm that by booting into some flavor of Linux from a USB drive, but that seems like more work than it's worth. 

Searching the web, I found a number of potential solutions, but so far none of them have made any difference.  Most of them involve either "reinstall the driver/network/whatever and hope," which I don't really want to do because of the risk of breaking all networking (and because "reinstall and pray" is a terrible strategy), or changing adapter settings.  There were also some suggestions to change settings on the WiFi router, but since I don't control the AP in this case, that doesn't help me.

So at this point, I'm pretty much stuck.  My best work-around is to just tether my laptop to my phone, which works, but isn't great because the cellular reception inside the building is kinda iffy.  I'd kinda like to fix the problem, but as I said, I really don't have much information to work with, I have limited time (less than an hour once a week), and I don't really want to be doing major updates on my laptop out someplace where I don't even have a secondary system with good internet access.  So I guess I just have to live with it.

The most frustrating thing about this is that, in the six years that I've owned this laptop, this is the first real Windows problem I've encountered.  I've been running Windows 8 or Windows 10 that entire time and, while I've heard plenty of complaints and horror stories about Windows, I never experienced any significant problems.  This is the first issue I've encountered that actually bothers me, and I'm at a loss as to what to do about it.