Plesk Official Podcast

Understanding Security and eCommerce

Episode Summary

If you're taking orders online, your eCommerce shop needs to be secure or you'll have big problems. Today, we have Chris Teitzel, the Founder of Lockr.io. Chris is a cybersecurity expert, and we’re going to get pretty deep on the importance of security when it comes to your eCommerce store, and how you can reduce liability while focusing on what you do best: running your business.

Episode Notes

Key Takeaways


Episode Transcription

season-2-episode-3

Joe: Hello, and welcome to Next Level Ops, a podcast that explores tools, tips, and techniques for hosting and managing websites, presented by Plesk. My name's Joe Casabona, and today our guest is Chris Teitzel. He is the founder of Lockr, and we're talking about e-commerce and SSL: its relevance, how to set it up, and the importance of security and performance for e-commerce in general.

[00:00:27] But before we get started, I do have a quick reminder for you. Can you do us just the biggest favor and subscribe to this podcast to get the latest episodes as soon as they come? You can do that anywhere you listen to podcasts. All right, now let's get on with the show. Chris, thanks for joining us today.

[00:00:49] How are you? Thanks for having me, my absolute pleasure. As we record this, it is May the Fourth. Chris and I are both big Star Wars fans, so we're both wearing our celebratory t-shirts. I guess I will say I have one that is the poster for Empire, and I'm wearing that tomorrow for Revenge of the Fifth.

[00:01:14] Chris: So yeah, there you go. Well, it's a big day in our household too, because our youngest, this is actually his birthday. So he gets to have a May the Fourth birthday and all the fun that goes along with that. And fun fact: his name's Evan, but we originally were debating naming him Lucas, completely not knowing that he would be two weeks late, and probably about a month or so beforehand,

[00:01:40] I was like, I don't know if I can do Lucas. I really like Evan. And then he was born on May the Fourth, and I was like, that is the best decision ever, because the kid with the name Lucas born on May the Fourth is just destined to have a hard time. So yeah, we dodged a bullet there.

[00:01:54] Joe: That's great.

[00:01:55] That's great. My daughter just turned four in March and we had a May the Fourth birthday for her as she turned four. She loves Star Wars as well, actually. So yeah, we introduced her to the movies because she was dangerously close to figuring out the big reveal. And so I'm like, she's young, but I wanted to see it, and it was great.

[00:02:16] It was totally worth it. Yeah.

[00:02:17] Chris: We won't have any spoilers on the podcast though. That's fine.

[00:02:19] Joe: No, yeah, no spoilers, no spoilers. Well, as much as I could talk about Star Wars all day, we're here to talk about e-commerce and SSL. This season has been dedicated to e-commerce, building your digital brand and doing all things

[00:02:37] e-commerce online. You know, the world... I'm sorry, doing all things business online. The world has changed with the pandemic and more people understand that you need to be online if your business is going to succeed, but you also need to do it securely. And so I reached out to you. You are the founder of Lockr,

[00:02:59] so maybe you can tell us a little bit about who you are and what you do. Because I know being the founder of Lockr is just like a small percentage of what you do related to cybersecurity. So why don't you tell us a little bit about yourself?

[00:03:10] Chris: Yeah, so I am the founder of Lockr. Lockr is, we describe ourselves as a secrets management company.

[00:03:18] We run what is essentially a CDN for secrets, and we can get into more of what that means later, but the idea being that we'll help protect the things that need protecting on your website or application. In addition to that, I run an agency that builds sites and applications and works with enterprises on everything from process and procedure to actually building the applications, and I have been involved with the open-source community for quite some time now.

[00:03:42] So originally in Drupal and also in WordPress as well, and I have been working with those communities on furthering not only cybersecurity tools but also privacy and a lot of the new initiatives around privacy. We have a core initiative that's tentative for Drupal core to kind of mimic what's been going on in the WordPress world and bring privacy as a core tenet to the Drupal project as well.

[00:04:10] And through that, and through some of the privacy obligations that I've done, I've also been able to get involved with the Department of Homeland Security and work with them on being part of what's called the Data Privacy and Integrity Advisory Committee. It's a group of professionals, legal, technical, it spans the gamut.

[00:04:30] And we actually get together occasionally and help the Department of Homeland Security come up with procedure and policy and research what happens in a data breach. You know, how do we protect data? What systems are going in place, what data are they collecting, and how can we make sure that that data stays private?

[00:04:48] So it's been really fun throughout my career. You know, I started as a solo web dev and got all the fun experiences, and I can talk about e-commerce horror stories and security horror stories from that. And then working with core projects and the government and everything, it's been great to kind of span the whole array of various integrations, and, you know, each community's different.

[00:05:16] Working in government is different than working in open source, is different than working in private. So I think being able to bring all those together has been just a fantastic adventure for me.

[00:05:28] Joe: Yeah, that's incredible. I remember when you mentioned that you got the gig working with the Department of Homeland Security.

[00:05:35] I just thought that was so cool. Like somebody that at least I know through the open source community is helping influence, you know, government policy and guiding the government, you know? So,

[00:05:48] Chris: and what's fun about that is that comes kind of from my advocacy side, in that

[00:05:55] a lot of the time technologists are quick to get angry at policy and get upset when things are decided upon in the government, but not too often do they get involved. And so I wanted to be able to try to be that bridge between all the griping that we do online about, you know, the next policy or the next tool that's being implemented.

[00:06:15] It's like, no, we need to actually have a seat at the table and do that. And I've been fortunate enough that they've given me that seat at the table, and it's been great. It's been challenging for me because there are a lot of incredibly bright legal minds on that team. And I kind of walked into the first meeting going, am I in the wrong room?

[00:06:30] I'm here, like, I feel like I entered a group of, you know, a bunch of lawyers. They're all very prestigious in what they do. But then I quickly realized that having technology have a seat at the table alongside policy and legal is critical. And I've been working with some legal groups to try to blend those together as well.

[00:06:50] And what's interesting about all that, and bringing it back to kind of the e-comm world, is that all of the policies and all of the procedures and everything that we talk about at scale apply to even the smallest companies. But the hardest part about being a small online retailer is that you don't have the bandwidth to go and do that.

[00:07:10] Amazon has millions, if not billions, of dollars for security and privacy and everything, and to build all their tooling. But most online retailers don't have a hundred dollars to do it, right? And so what I always try to do is bridge the two and say, okay, here's what the enterprises and the governments are doing,

[00:07:28] and here's how you can do it at a small scale so that you can protect yourself, right? And the risks that a small shop runs are completely different than the risks that an Amazon or a US government runs as well.

[00:07:40] Joe: Yeah, that's truly fantastic. So let's talk a little bit about that,

[00:07:45] right? I mentioned SSL specifically at the top of the show because I think that's, I mean, it's incredible, it's a requirement for taking credit cards, right? Like you have to, right. So maybe we can start with, there's a couple of things that I'd love to get professional definitions on, and not just the ones I gave my students when I taught in the classroom. SSL, which, when I wrote my book, I learned that SSL is actually tech...

[00:08:15] it's like the colloquial term, but there's actually a newer technology. Is that right? And so maybe we could start there.

[00:08:22] Chris: Yeah, everyone talks about SSL because that was kind of the first iteration or the first version. You know, it's the Secure Sockets Layer. And it just describes how folks are talking to each other in an encrypted manner.

[00:08:36] TLS is what everyone uses now, or should be using now. And that's just kind of the more modern, more secure, updated version of SSL. The same general principles apply to them both. But TLS has more... we're not going to get into it now, and frankly, some of it I understand and some of it I don't, but the encryption algorithms are different in TLS and they provide a more secure piece. If you want to dive into the crypto there, that gets really complex really quick, but the idea being that SSL and TLS allow two parties

[00:09:16] to talk to each other via a private channel over an insecure, over an unsecured pipeline, right? And so, to think about it: if you and I are on a phone call, or we're on the Zoom call now, this is actually being transmitted via SSL so nobody can read it. But if this was over just the general internet, you're making hops along the way.

[00:09:40] I talk to my local router, which talks to the ISP, which talks to the next, to the next, to the next, and eventually it gets to you, right? Anywhere along the way, what we call a man-in-the-middle attack, somebody can inject themselves in between two points and listen to the traffic that goes back and forth.

[00:09:55] And so unless you and I are talking in some sort of private code that only the two of us can understand, everything that we talk about is being transmitted openly over the wires, right? And so that's why if you go to a site that's HTTP and not HTTPS, that tells you you're communicating in the open. Everything that you post in there is completely open.

[00:10:14] Now the browsers have gotten better at warning people: hey, you're about to log in and enter your password into this field, and you're not on HTTPS. So when you enter that password and you hit send, you're sending your password completely in the clear, and it's like going out your back door and just yelling your password out, and anyone who's around you can hear it.

[00:10:33] Right. What SSL and TLS do is effectively take the tin cans with string, right? And you're talking via a private pipeline through an open space, through the general public, but only the two people on either side can understand what's going on. And because of that, that allows you to have trust in an untrusted environment.

[00:10:53] I can trust that you and I are talking and nobody's going to be listening in, or a man-in-the-middle attack can manipulate it, you know, in between, because of encryption and the way that the encryption algorithms work. If someone were to try to tamper with something midstream, it would fail on the other end because you would know that that tampering had occurred.

[00:11:13] And so it's important to make sure that you have SSL, or TLS if you want to call it that. But you want to have that secure conversation between you and the online store because you're entering in passwords, you're entering in credit card information, all that. And you don't want to just go out your back door and start yelling out your credit card information, because,

[00:11:32] you know, all your neighbors are going to start ordering off of Amazon and having a good time with it, right? So that's the idea here: you want to keep a private channel of communication between you and your customers.

[00:11:40] Joe: Yeah, absolutely. And the going out your back door and shouting, I think that's a really good analogy, right?

[00:11:44] I relate it a similar way to my students. When I say, like, if you were having a conversation with somebody across the classroom, unencrypted is just yelling in English across the classroom. But encrypted is yelling in a language that only you and your friend understand. And so everyone hears you, but they have no idea what you're saying.

[00:12:05] Chris: Right. So, bringing it back to the whole Star Wars thing: if you've got, you know, the plans to the Death Star and you need to transmit them, you don't want to just send them across open lines and let everyone read them, right? You want to make sure that you keep your secrets secret. And that's part of what we do with Lockr: we allow you to keep that secret.

[00:12:21] But the idea being you have something very protective, you have something that you need, either your business, your online store, or as a customer, my credit card and my financial information. I need to keep that private, right? I don't want that to get out into open hands.

[00:12:34] Joe: Yeah, absolutely. And so, talking about your credit card right here in the year 2021, it is a lot easier to take payments online than it was even five or ten years ago.

[00:12:48] I remember looking into an Authorize.net account and I'm like, this is above my pay grade. So, first of all, if you have an e-commerce shop where you accept payments, you need HTTPS, right? Because bare minimum, you don't want to... yeah. So I mean, full disclosure, I'm not a lawyer, and Chris, as far as I know, is not a lawyer.

[00:13:16] But I suspect if somebody steals my customers' credit cards from my site, I could be liable for that.

[00:13:25] Chris: You could be liable. The bigger issue that you run into, whenever we get into a scenario where we come in and somebody is not doing things as they should, the heavy hand here is PCI, right?

[00:13:39] Yes. The PCI violations that go... PCI is what dictates how you handle credit card transactions, right? Whether it's a swipe terminal all the way to online transactions.

[00:13:52] Joe: Let me stop you real quick. Is this only in the United States or is this a global initiative?

[00:13:57] Chris: This is a global initiative.

[00:14:00] And the nice thing about it is this is, I would say, one of the rare occasions when private companies are actually creating their own policies, right? So rather than the governments all getting together and saying this is how you have to do things, PCI is the credit card industry. So Visa, Mastercard, Amex, all the big cards, all the big clearing houses, they all get together and say this is how it has to happen.

[00:14:26] Granted, they're the ones liable to pay all the money, right? So there's some interest in this in order to make sure that there's financial incentive, and they work hand in hand with the government, of course. And a lot of the time what they end up doing is implementing government standards.

[00:14:39] So PCI will say you need to use NIST-validated encryption algorithms, things like that, right? So there is some blending there. But what they can do is, if you are egregiously out of compliance, and say you're a larger e-comm store and you have a breach or something like that,

[00:14:59] the PCI can say, we're just going to pull your credit card privileges, and all of a sudden you become blacklisted from all the card providers. And if your sole method of online transaction is credit cards, your business is gone. So that's kind of the stick they use, the stick and the carrot, right? The carrot is, hey, you're going to have better customer service,

[00:15:20] you're going to be able to have access to all these different things. Oh, if you violate it, we're just going to blacklist you from all the credit cards. And same thing, you know, if you're using Stripe or Braintree or any of those, they can ban you as well and say, hey, you were just, you know, willfully ignorant on this,

[00:15:35] so then we're going to pull it from you. It doesn't happen often. I don't hear of that happening often, especially with small shops; there's more of a lenience there. But that is the factor that plays into it: they could pull all of your credit card processing. So that's where we've had customers in the past

[00:15:56] where we said, stop what you're doing. Just stop taking all credit cards, because you're woefully out of compliance, unless you want to not have any credit card transactions in the future. We need to get you up to speed here.

[00:16:08] Joe: Yeah. So there's a couple of things I want to clarify here. First of all, I have a war story from this. At one of my old employers, I was banging around on our servers and I found a plain text file with credit card information in it.

[00:16:26] And I freaked. This was early enough in my employment that I just found it and I immediately told my boss. I was like, okay, we cannot have, like, we can't have this.

[00:16:40] Chris: I have the same. I worked on a database, same thing. I got in there and it was card numbers, CVV, expiration date, all that for thousands of people. We had another one where they took a form, like a Gravity Form or like a basic form,

[00:16:54] and it was collecting all the credit card information for a purchase. And then they had somebody in the secretary's office that was typing it into their terminal there and running them by hand. And I was like, no, like, you can't do this. And of course they were sending the receipt to the person saying, thank you for payment from credit card, in text, with like full information.

[00:17:14] So sending it to their email as well. So now, I mean, there were just compounding systems here. And so, as a developer, this is where I advocate for folks: if you see something like that, just like you said, we've got to stop. Like, A, isolate the system, but B, as a developer, and especially I was a contractor at the time, I took a step back and said, I can't touch the system,

[00:17:34] because I don't want my hands to get in there, and then all of a sudden I'm somehow part of the liability chain of all that information. So yeah, I've had folks send me credit card information, all that, before, and it's just like, great. Now you've just bloated the project because now I have to go scrub all that and fix all the issues and everything.

[00:17:50] So luckily nowadays, in 2021, those mistakes are almost purposeful in their implementation, right? You have to try to not do this, because, I'm a big advocate for Square and Stripe. I use Stripe in almost everything that we do, but they make it so easy to implement now, and implement to the proper PCI standards, that even four years ago, if you were doing it right, you still aren't doing it right now.

[00:18:21] Right. So the idea there being, a lot of the time now, when you go to a credit card form, the inputs themselves are iframes. They're not even part of the site's code. Stripe or Square or Braintree or Authorize are injecting those into your site. And when somebody enters those in and hits send, it's going directly to them. It's not even transitioning through your servers.

[00:18:44] So at that point, your servers aren't touching anything, and your compliance that you have to do is very, very minimal. You basically have to prove, hey, I have HTTPS, I make sure that the code base is maintained and that nobody can alter the JavaScript. That's about it. And then all of the liability for it sits on Stripe or Square, where they've got the millions of dollars to handle that.

[00:19:06] Right. And so if you're a small retailer, you don't want to have to take on all of the card data and process and store and encrypt, all that type of stuff. It's a burden. And I've worked with folks who've tried to do that. And my answer is, why? Like, if you can go get it off the shelf and it's costing you fractions of a penny per transaction, don't even try.

[00:19:27] Yeah.

[00:19:28] Joe: And so I think I mentioned Authorize.net earlier, right? And I think, if I'm correct, through Authorize.net you essentially become a person or a business that can take credit card transactions, right? Where with Stripe or Square, or even PayPal, you're outsourcing that whole thing,

[00:19:51] right? It's like these kind of...

[00:19:53] Chris: Right. Yeah, to an extent. Yeah. So they're the payment gateway, right? And so once you get into the card world, that's a whole other world, because even if I swipe a card, it's going to go from the terminal, just like an SSL connection, through hops, through a bunch of different points.

[00:20:10] The money actually transacts through a bunch of different switches along the way, and each switch will try to collect their penny here and there, fraction of a penny there. And oh, by the way, it was a, you know, airline reward card, so we're going to take an extra, you know, fraction of a penny for that.

[00:20:26] All that type of stuff, right? Those reward points, FYI, aren't free. They come out of the transaction fees, right? So they have to be paid out of somewhere. And so all along the way, each switch pulls a little bit of money out of the process, and that's what builds up into your rate for processing credit cards.

[00:20:46] So Authorize.net is that terminal or that gateway that gets you into that system. Historically, yeah, they're more of your kind of legacy: we're going to be the merchant of record, we're going to do that type of stuff. Technically with Stripe, you're still the merchant of record. So Stripe will process it on your behalf, but they take over much more of the process.

[00:21:07] And again, it goes back to, in my opinion, if you don't need to handle that much, don't. And that's security in general. If I can give like a broad security tip: if you don't have to touch it, don't. If you don't need to store it, don't. Right? The less you can touch, the less you are to screw up and cause a data breach somewhere.

[00:21:29] And so these providers, and now Authorize.net does it now too, where they have kind of a slimmed-down version similar to Stripe and the others, where, hey, you just want to take quick payments, we can do that. That type of system allows you to offload all that to the people who know how to do it, because I guarantee you most small business owners, most small shops, aren't going to know the ins and outs of PCI DSS and,

[00:21:54] you know, where the card data is and what encryption algorithms are being used and how they're storing their keys and all that fun stuff. That's for somebody who needs that infrastructure. And even now the big guys are offloading that to Stripe and Square and everyone else as well, because they found that just the liability of handling that themselves is just too much.

[00:22:13] Joe: Yeah, absolutely. And that makes perfect sense. So like, you know, as a small business owner myself, I opened up a business bank account. One of the things that my bank said was like, oh, do you want to get like the credit card transaction terminal from us? And I'm like, no. But again, I'm a tech savvy guy.

[00:22:35] I knew I didn't need that. I knew I could just get the whole thing and plug it into my phone and have effectively the same thing. But a lot of business owners probably, oh, well, I do want to take credit cards, man, do I need this? Right. But again, if you're setting up an online shop with, you know, I mean, if we look at like the Shopify guys and the Squarespace, they probably have their own deals

[00:22:57] with Stripe and the vendors. And if we're looking at WordPress, right? You get WooCommerce, probably WooCommerce,

[00:23:05] Chris: WooCommerce Payments is Stripe. So, I don't know if you know that. Yeah. But like WooCommerce has their WooCommerce Payments plugin that will say, hey, WooCommerce will transact all your stuff.

[00:23:15] That's using Stripe's infrastructure and Stripe's... you actually are creating an account with Stripe, and WooCommerce is just facilitating that for you, right? Yeah.

[00:23:25] Joe: EDD is the same way, I believe, Easy Digital Downloads, right? Yeah. And some places will make it even easier where they're, I think,

[00:23:33] the merchant of record. Yeah, exactly. So you don't need to create a Stripe account. And I guess the benefit's probably, with the merchant of record, right, they're probably getting reduced fees or something

[00:23:47] Chris: like that. The merchant account is who holds the liability, right? And so when you sign up for a merchant account, traditionally through a bank or somebody like that, you're going to go through this whole compliance checklist.

[00:23:57] Are you compliant? Are you doing this and this and this? What Stripe does is it said, hey, we'll be the merchant account. We'll transact it on your behalf, we'll be that merchant account, and then we'll take on that liability. And we have that shared liability across enough people, then it makes it worthwhile.

[00:24:11] And then, yeah, they can turn around again to all the people who switch along the way and say, hey, I'm not going to pay you half a percent, I'm going to pay you a quarter percent, but I'm going to push an extra 50 million through you, and they go, okay, right? So you kind of get the collective bargaining of Stripe rather than trying to do it yourself.

[00:24:28] And what's interesting is I actually helped a small business implement one of those terminals, right? And it was provided through the bank. And once we started running all the numbers, at the end of the day I was looking at it, and I was like, man, our terminal fees are high. And again, everything is like such and such switch,

[00:24:47] one penny, this, this, this, and I added it all up and they were paying over 4%, just over 4%, on their credit card fees, because they were taking Amex here. And Amex has a higher percentage than Visa and Mastercard. That's why you go places and people are like, oh, we don't do Amex, because they're the ones having to pay that.

[00:25:02] Right. What Stripe and all those guys do is they say, hey, we're going to collectively bargain with everybody and say, we'll give the customer a flat 2.99. And then behind the scenes they go in and negotiate, hey, we'll do a 1.1 or 1.25. Okay, now that float of the 1%, at scale, is a lot of money. I helped a business build something like that, where we transacted airline tickets.

[00:25:26] And we charged the airline 4%. We negotiated with the banks down to about two, and we were able to take 2% off the top throughout the business. So that's what happens along the way. But unless you can see all those different fees and all those different pieces, you know, that's why going back to these larger brokers, not only is it more secure, it's more cost efficient.

[00:25:48] Like, you don't have to deal with everything about it. So, again, nowadays there's no reason not to go with one of these, because they're secure. They help you build your site properly. They help you with all the plugins to all the different providers. There's no reason not to. And that's why I say it's almost planned

[00:26:06] ignorance. If I'm going to go against that, there's a reason why I'm going against it. It's either a really valid reason, or it's a really bad reason that you think is good.

[00:26:14] Joe: Yeah, absolutely. And this has been great. Well, yeah, we got pretty deep there. And I like when we get deep, because I'm all about the technical side.

[00:26:24] But as we wrap up here, I think perhaps the biggest takeaway is: have SSL. Maybe the biggest takeaway. Because I mean, if you use managed hosting, right, if you use Plesk, you can easily spin up a free SSL certificate, right?

[00:26:41] Chris: Something very much worth pointing out here is that, um, let's encrypt is an organization that has come out over the past few years.

[00:26:48] And, and with SSL, just like with credit cards, you have the whole, um, Industry saying, this is how we're going to do things. SSL was the same way. And so for the longest time GoDaddy and the rest, um GeoTrust and, and everyone else, they were the ones issuing these certificates and they're the ones validating.

[00:27:05] Yes. You know, Chris is who Chris says they are. Right. Um, and that was a good business for them. Right. Because they could charge good money for that. Let's encrypt came along and said, Hey, SSL should be. For everybody and it should be free and it should be possible. Um, and so they kind of changed that paradigm and they started releasing those free scripts.

[00:27:23] And so now yet, if you're on a managed host, you're on, plus you're wherever you're at, you should have access to let's encrypt and that will meet you. And just to clear up any of the FID out there, the fear uncertainty doubt that that kind of plays into the marketing is. A let's encrypt cert is just as good as any other cert it doesn't, it's nothing different from a security standpoint.

[00:27:44] Um, you're not any less secure. You're not using any different encryption. You're not doing anything different. Um, the only thing you're paying for and other providers other than let's encrypt is the domain validation, the organization validation. And you're also getting some liability protection from GoDaddy that they say, Hey, If you purchase as a cert through us, and for whatever reason you get hacked, because of that, sir, you've got some liability protection from us.

[00:28:08] Um, but just to kind of clear that up, Let's Encrypt is, is not only free, it's just as good. And a lot of the managed hosts now are actually implementing Let's Encrypt as their, uh, as their certificate provider, because of that. So, um, super easy to set up, um, and, um, and implement. And again, if you're on a managed host, that's another thing.

[00:28:29] Security tip here. I always tell folks, focus on what you do best because that's where you're going to make money. If you're not, if you're an online provider and I'm selling, you know, uh, cat t-shirts, I don't care about, um, you know, what am I using? What version of TLS am I using or, or is my, uh, certificate proper?

[00:28:50] Is this set up properly? Is my, you know, are my servers routing properly? All that. Let someone else do it. Um, the more that you can offload that to a managed host to, um, a service like Plesk that can set up and create that entire environment for you, do it, because then you're not messing with it and you can go make money off of the stuff you're doing.

[00:29:08] Just like with the credit card processors. Yeah. You're going to pay 5 cents more. If you sell enough cat t-shirts that 5 cents shouldn't matter. A bit, right? Like sell your widgets, do your thing, focus on that and let the, let the folks who do what they do best and you'll be more secure and more profitable because of it.

[00:29:25] Joe: Yeah. I love that. I mean, that's, I, I have a t-shirt shop through cotton Bureau and I make less on the margins, but I don't have to print the shirts. I don't have to pay for any in advance. I don't have to deal with storage or fulfillment. Yeah. So, I mean, yeah. Five bucks a t-shirt perfectly fine with, for me to literally do nothing.

[00:29:42] Um, right. So, uh, and I, I, you, you, um, you answered the other question I was going to ask, right? Which is what are you paying for? And it's. Validating, maybe on a higher level, but it's also kind of that, that 

[00:29:56] Chris: liability, you're getting some liability insurance and stuff for it. And there's actually quite a bit of a debate going on in the community right now.

[00:30:03] The, the browsers, um, have become more heavy handed in the, in the process. And now browsers like Chrome and Firefox. You used to get the green bar. Right. And that meant that they were domain validated that it was not only secure, but we know who that person is. Um, They've taken that off and they've, and so now it's not like you pay the extra $500 a year to get the green bar.

[00:30:26] If you look on Chrome, now there is no green bar. Right. Um, you just get the little lock up there, you know, it's good. You're, you're ready to go. Um, and they've been able to push the idea that a cert's a cert's a cert. As long as you can reliably know who you're talking to. Right. And that you have to have some, Let's Encrypt doesn't let you just mint a cert.

[00:30:46] I can't mint a cert for your website. Right? I have to go in and prove that I have your domain, that I have that. So there is some validation that goes on there, but that validation is, and should be enough to do your basic transactions. And so the browsers kind of led that war and said, Hey, we don't, you don't, Let's Encrypt is just as secure.

[00:31:03] So let's take off that green bar, which everyone was paying $500 a year extra for, um, you don't need that green bar anymore. 

[00:31:11] Joe: That's, I love that. And, and when I was going to say maybe a good rule of thumb is, is, if the browser has the lock, then your cert is, is good. Right. But yeah, maybe. So, so let me ask you, this'll be the last question, um, before the big kind of wrap-up, um, self-signed certs.

[00:31:32] Yes, you can. So you can self-sign an SSL cert, uh, and technically have that data encrypted. What is the ramification on the browser side? Are they going to be like, we, this is self-signed, like we don't know, 

[00:31:45] Chris: but so getting into kind of the nitty gritty of how these certificates are, are minted or, or built there's trust authorities.

[00:31:52] Um, and it's a chain of authorities, right? And there's actually a ceremony that goes on and there's a vault that has the, the, you know, the, the, the, the folks that are part of the trusted few that are up in the top echelon there, but they then will sign a cert for the lower people who then sign. That's why you get what's called intermediary certs.

[00:32:14] You have the major cert providers, and there's, there's a handful of them in the world that are trusted on the web. In order to do that, Let's Encrypt has become one of those, right. So then you have the intermediaries which can sign on behalf of the top person and it's called the trust chain. Right? And so what you're doing is you're, you're establishing a train of, uh, a chain of trust that says this person vouches for the next, who vouches for the next, who vouches for the next.

[00:32:37] And as long as you can trust everyone in that chain, then you know that the communication is secure. There's nothing technically that stops you from creating your own trust chain. And that's what a self-signed cert is. You're signing it yourself saying, I'm Chris and I say I'm Chris. Well, I can also create one that says I'm Joe.

[00:32:55] And I say, I'm Joe, you should trust me because I say I'm Joe and your browser will then go, well, how can I trust you? Who's who's validating your trust. And you go, no, no, no. Just trust me. Trust me. I'm Joe. Right? Um, it's that type of thing. Like, I wouldn't walk up to you on the street and be like, Hey, you know, trust me, I'm Joe, you know, pay me, pay me 50 bucks.

[00:33:13] Cause I'm Joe, you'd be like, you know, buzz off. I don't know who you are. Um, that's the same thing a browser does with a self-signed cert. That's why you get that crazy big thing that says, Hey, you're going into an insecure zone. Are you sure about this? It's because your browser is warning you. And this is what's been great.

[00:33:27] Is over the years, the browsers have kind of taken on the responsibility of protecting the consumer, saying you're about to enter something that may not be what you think it is. They say they're this person, but they're the only ones who say that; nobody else has validated it. And nobody else that we can trust allows us to say that, that you are secure.

[00:33:45] So for now, if you're browsing the web and you go to amazon.com, you see that lock in the corner, you know, you're talking to Amazon, right? Because your browser has talked to a person who's talked to a person who's talked to a person who's talked to a person and that's all cryptographically signed. Right?

[00:34:00] So, uh, we can get into the encryption stuff and all that on another episode. But the idea being that can't be cracked, you can't, you can't go halfway up the chain and twist a knob and then everything down, it still works. If you, if you change something in the intermediary, everything breaks below it, the chain of trust is broken.

[00:34:17] And so because of that, that's how you know, and that's where Let's Encrypt came in and said, Hey, we're going to insert ourselves into that trust chain. And then we're going to have our own validation, and they do, and they validate you own the domain. Right? So lockr.io is our website. I can validate with, um, with Let's Encrypt, Hey, I own lockr.io.

[00:34:36] I put something in the DNS records that state I do. They go check that. Yep. You own that domain for all intents and purposes. So we'll let you start issuing certificates against it. Right. Um, now that being said, I'm probably not the best, best example here because we also use, um, private certs. We have, we go through a certificate provider because we have some various global, um, and, and multi-point and multi, um, subdomain restrictions that Let's Encrypt doesn't get into.

[00:35:03] 99.9% of people, Let's Encrypt will work and it'll, it'll be there. It's that chain of trust is already built and there's no reason to go outside that. 

[00:35:12] Joe: Right. I have managed WooCommerce hosting and it uses Let's Encrypt. Um, so I mean like it's, you know, I'm, I'm trusting my e-commerce shop with it. It's fine.

[00:35:22] Right, right, right. Well, Chris, we've talked about a lot of stuff. I think if we're, if we're going to, and I loved it. Thank you so much for your thorough aspirations. Um, so, uh, if, if we're going to have two takeaways for the listeners here, one, get an SSL certificate. Let's Encrypt is free. It's going to be most places where you host a website.

[00:35:42] Uh, and then when you are ready to take credit cards, just use Stripe and Square. Uh, that's the easiest, that's the easiest thing for you to do. Um, 

[00:35:53] Chris: Christine? Well, they, I mean, they, they implement all the different stuff too. Right. And so that's what's great about Stripe, it's not going to limit you, you get the whole gamut of everything.

[00:36:03] Yeah. 

[00:36:03] Joe: When I, when I, when I want to buy something, not on Amazon, I use Safari just so I can use Apple Pay. Um, awesome. Well, Chris, if people want to learn more about you, where can they find you? Uh, 

[00:36:15] Chris: I'm on Twitter all the time, a tech nerd title, and then, um, lockr.io. Uh, and then hopefully once we get back to some in-person stuff, um, you'll see me at, uh, the various cons and conferences and all the meetups.

[00:36:28] So, um, I, I enjoy being in the community and being around. 

[00:36:33] Joe: Likewise. Likewise. Um, and just for clarification, Lockr, is that missing the E? Is that 

[00:36:39] Chris: it's missing the E, yeah, we went the whole, like, web 3.0, let's drop a vowel. And the cool thing. Right? So L-O-C-K-R dot io. Yeah. 

[00:36:47] Joe: And I will link, uh, we will link to all of that in the show notes in the blog post over at plesk.com/podcast.

[00:36:54] Thanks Chris so much for your time. I really appreciate it. Yep. Thank you. All right. And once again, for all of the show notes, head over to plesk.com slash podcast. If you liked this episode, please considering, please consider following or subscribing depending on the app you used. Thanks so much for listening to next level ops.

[00:37:12] And until next time, remember to take it to the next level.