changeset 166:1f27eb6156d9

Fixed grammar.
author Oleksandr Gavenko <gavenkoa@gmail.com>
date Tue, 30 Oct 2018 21:05:33 +0200
parents 6cd519e7c266
children c27977b91143
files 72b3f008-e28e-11e6-bad9-485b39c42d0f/index.rst
diffstat 1 files changed, 31 insertions(+), 33 deletions(-)
line diff
--- a/72b3f008-e28e-11e6-bad9-485b39c42d0f/index.rst	Tue Oct 30 20:48:14 2018 +0200
+++ b/72b3f008-e28e-11e6-bad9-485b39c42d0f/index.rst	Tue Oct 30 21:05:33 2018 +0200
@@ -6,53 +6,48 @@
 :updated: 2017-01-25
 :tags: security, lighttpd, admin, web
 
-Tonight I'll show how to set Let’s Encrypt forLighttpd.
+Tonight I'll show how to set Let's Encrypt for Lighttpd.
 
 https://letsencrypt.org/
-  Let’s Encrypt is a free, automated, and open Certificate Authority.
+  Let's Encrypt is a free, automated, and open Certificate Authority.
 
 Serving site via HTTP means that user interaction with server can be intercepted, studied, altered.
 
 If you are prompted to enter password on HTTP page most probably it will be send in clear text
-across HTTP...
+through HTTP...
 
-Browsers have ability to hide interaction with user. It was done via SSL/TSL standards.
+Browsers have ability to secure interaction with user. It is described by SSL/TSL standards.
 
-Unfortunately on time of creation of these standards they dealt with another problem - how user can
-trust server. It is resolved with using of certificates.
+Unfortunately during time of creation of these standards they dealt with another problem - how user
+can trust server. It is resolved with using certificates.
 
 Certificated are ordered in chain of trust. Certificate issuers ask browser vendors to include their
-**root certificates** in browser distribution. If you haven't managed certificates in browser in any
-way that root certificates are trusted by you by default...
-
-Certificate issuers sell signature for certificate for site owners and site owners embed own
-certificate with issuer signature in web servers.
+**root certificates** in browser distribution. Root certificates are trusted by default.
 
-Within browser along with HTML pages you get site owners certificate with issuer signature.
-Signature checked, browser checks if issuer is known and included in trusted database and if all OK
-it decides to trust to site and establish encrypted connection with server.
+Certificate issuers sell signatures for site certificates and site owner embeds this certificate
+with signature into a web servers.
 
-This model have some sides of attack but we here is not going to discuss SSL/TSL security.
-
-Among all that do certificate issuers and site owners, web server and browser implementation of
-SSL/TSL protocol we have *encrypted connection between browser and server*.
+Browser gets site owner's certificate with issuer's signature along with HTML pages. Browser checks
+if issuer is known and included in trusted database and if all OK it decides to trust to site and to
+establish *encrypted connection* with a server.
 
 While authentication of server is a good thing call for secured communication is more important
-nowadays. It is mathematically possible to establish secure connection between server and browser
-without selling signatures but industry stuck with historical implementations and can't move
-further.
+nowadays.
+
+It is possible to establish secure connection between server and browser without selling signatures
+but industry stuck with specific historical implementation and can't move further.
 
 Let’s Encrypt project bring encryption to historical implementations by supplying site owners with
 free of cost SSL/TSL certificates.
 
-Their root certificate already included in all major browsers and software distributions certificate
-stores. Of cause this root certificate marked as weak and have only intention to establish
-encryption between points.
+Their root certificate is already included in all major browsers and software distributions
+certificate stores. Of cause this root certificate marked as weak and have only intention to
+establish encryption between points.
 
-Let’s Encrypt organization performs basic checks before singing your certificate - if you own domain
+Let’s Encrypt organization performs basic checks before singing your certificate - do you own domain
 name and server behind that domain name.
 
-They developed protocol to automate issuing of certificate signatures.
+They developed a protocol to automate issuing of certificate signatures.
 
 ``certbot`` is client that implement that protocol.
 
@@ -98,7 +93,7 @@
 
   service lighttpd restart
 
-Paths to certificates defined in one of::
+Paths to certificates is defined in one of::
 
   $ cat /etc/letsencrypt/renewal/defun.work.conf
 
@@ -121,7 +116,7 @@
   hg.defun.work = /srv/hg
   blog.defun.work = /srv/www/blog
 
-Configuration for static site hosting by ``lighttpd`` is looking like::
+Configuration for static site hosting by ``lighttpd`` looks like::
 
   $ cat /etc/lighttpd/conf-available/92-resume.conf
 
@@ -142,8 +137,10 @@
     ssl.honor-cipher-order = "enable"
   }
 
-The only problem I have is with GCI hosted Mercurial, I added exception in activation of CGI, any
-request to ``/.well-known/`` is hosted as file resource::
+The only problem I had was with GCI hosted Mercurial.
+
+I added exception in activation of CGI, any request to ``/.well-known/`` is hosted as file
+resource::
 
   $ cat /etc/lighttpd/conf-available/92-hgweb.conf
 
@@ -163,7 +160,7 @@
   }
 
 Let’s Encrypt issues single SAN (Subject Alternative Name) certificate and with modern browsers this
-allows serving virtual hosts via HTTPS via single IP.
+allows serving virtual hosts via HTTPS even from single IP.
 
 See also:
 
@@ -182,8 +179,8 @@
 
   https://www.ssllabs.com/ssltest/index.html
 
-My site missed intermidiate certificate. It's due to Let's Encrypt is not in old program trusted
-storages. As workaround Let's Encrypt have signature from *DST Root CA X3* which is already in
+My site missed intermidiate certificate. It's due to Let's Encrypt is not in trusted storage of old
+programs. As workaround Let's Encrypt have signature from *DST Root CA X3* which is already in
 trusted storages.
 
 In order to pass that intermidiate / chain certificate I should tell Lighttpd where it is::
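Review bot: "intermidiate" appears twice in this hunk (once in the rewritten line, once in the trailing context line "In order to pass that intermidiate / chain certificate") and is still misspelled; it should be "intermediate". The rewritten sentence "It's due to Let's Encrypt is not in trusted storage of old programs" is also still ungrammatical; something like "This is because the Let's Encrypt root is not in the trust store of older programs" keeps the meaning while fixing the construction.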
@@ -202,3 +199,4 @@
   List of supported by Let's Encrypt certificate clients.
 https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394
   List of supported by Let's Encrypt certificate clients.
+
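Review bot: this hunk only appends an empty line at the end of the file, which is unrelated to the "Fixed grammar." commit message and is likely an accidental editor change; consider dropping it. While touching this section, note that the context lines give the browser/OS support URL the same description as the client list ("List of supported by Let's Encrypt certificate clients."), which looks like a copy-paste error and should describe browser and operating system support instead.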