I wouldn’t expect to have issues with data. I only push in the low single gigabytes per month. If you started a photo blog, that may become an issue, but text is cheap.
While I would also be the same with the amount & type of data I tend to use on the box my wife unfortunately isn’t. She asked me recently about throwing 120 GB of photos on our owncloud instance because the external drive she uses as a backup started to die. That’s an additional cost of 30 USD per month of tarsnap backups. 1TB on dropbox would cost 10 USD per month and I wouldn’t have to think about the off-site backup.
I actually love having my own server & I’m finding more and more uses for it. Just wanted to point out to people the price (financial & time required) one pays for running their own.
Your wife is here and reading it >_>
You can still have comments on a static blog using an external service like disqus.
That’s entirely defeating the purpose. You’re now hosting a part of your blog on a 3rd party where you don’t have control of the data in the end. There are open source disqus alikes, of course. Which would increase the CPU/RAM usage, and use more storage.
Not at all. It’s a tradeoff. Comments are relatively low value data compared to the website itself, so maybe the owner is okay with hosting them elsewhere, as they currently are doing. Depends how much you care about comments, and how much you care about having a purely static site. Maybe soon we’ll have a distributed commenting system base on IPFS/IPNS, which would be cool.
I’m actually more concerned about you as a reader & your privacy. Running disqus & Google analytics is invasive and a service I have no control over.
Comments are high value data for the author, rarely for other readers. I’m not making money on the blog so there’s no initiative for me to keep you occupied on the page longer than it’s required to read the article itself.
And don’t forget things such as lobste.rs, Reddit, and HN. They’re technically comments, and they can be used with static blogs.
In this day & age you have to shell out money to a trusted certificate authority for an SSL ceritifcate so other people who trust you but don’t give a shit about the CA will trust you.
Thankfully you don’t. StartSSL provides free SSL certs that are accepted by most browsers. Soon Let’s Encrypt will too.
I’m looking forward to it. The question is will browsers start to ‘warn’ people with a differently colored padlock that the cert is not from a CA? The whole idea of CA’s is stupid to me. We all use SSH. Why don’t we do the same for TLS and show the user a certificate fingerprint that he should verify and trust instead of slapping a big red warning on self signed certificates?
The whole idea of CA’s is stupid to me. We all use SSH.
We do, but the vast majority of us don’t.
Why don’t we do the same for TLS and show the user a certificate fingerprint that he should verify and trust instead of slapping a big red warning on self signed certificates?
Because lots of web users would promptly trust the certs for facebook.com, youronlinebank.org and everything in-between once I MITM the page and put a nice “FYI, our new fingerprint is 123ABC”, or once I send them an email that says the same.
CAs suck, but asking a widely non-technical audience to perform offline fingerprint verification would dramatically reduce security for everyone.
That’s why I’m worried about let’s encrypt. People will use it to generate certs for facebook.com, youronlinebank.org and everything in between. Soon, you’re browser will decide that it’s better for ‘overall’ security to mark them as ‘red’ or ‘yellow’ instead of a green padlock.
Agreed. Though I wish there was a better solution or a way to educate people effectively :(
Lets Encrypt absolutely performs domain validation.
They’re working to be included as a root CA. There is zero chance that any browser would allow a root CA that signs certs without any validation.
Hell, right now Lets Encrypt is going to operate using an unconstrained intermediate cert from a trusted root - Mozilla has nuked the root CA off the face of the earth when their intermediates fuck up.
Isn’t that what happens, pretty much? If you click the small button/text/box, you’ll be asked to temporarily/permanently accept the certificate. Though it may not be as obvious as SSH typically makes it, it’s there.
Would you prefer implicitly trusting mysterious fingerprints for every website you visit? As I see it, the idea of CAs is that you trust them enough to verify that somebody owns the website, and that it’s not somebody else pretending to be the website you’re going to.