diff --git a/slides/kube/dashboard.md b/slides/kube/dashboard.md
index 4a8aae67..a45139db 100644
--- a/slides/kube/dashboard.md
+++ b/slides/kube/dashboard.md
@@ -4,11 +4,15 @@
- We are going to deploy that dashboard with *three commands:*
- - one to actually *run* the dashboard
+ 1) actually *run* the dashboard
- - one to make the dashboard available from outside
+ 2) bypass SSL for the dashboard
- - one to bypass authentication for the dashboard
+ 3) bypass authentication for the dashboard
+
+--
+
+There is an additional step to make the dashboard available from outside (we'll get to that)
--
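Review bot: item `2) bypass SSL for the dashboard` in the new list undersells what the step does. The later slide shows that it forwards http to https and leaves all dashboard traffic in clear-text, so the overview should say so, for example "2) expose the dashboard over plain http (workshop only)". The intro also still promises *three commands* while the added line announces an additional step. That line is not a list item like its neighbours and has no closing period. Consider making it a bullet and rewording the intro to match.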
@@ -16,7 +20,7 @@
---
-## Running the dashboard
+## 1) Running the dashboard
- We need to create a *deployment* and a *service* for the dashboard
@@ -39,11 +43,99 @@ The goo.gl URL expands to:
---
-## Making the dashboard reachable from outside
-- The dashboard is exposed through a `ClusterIP` service
+## 2) Bypass SSL for the dashboard
-- We need a `NodePort` service instead
+The Kubernetes dashboard uses https, but we don't have a certificate
+
+Chrome 63 (and later) as well as recent versions of Edge will refuse to connect
+
+In real life, we'd use something like [Let's Encrypt](https://letsencrypt.org/)
+
+For this workshop, we'll forward http to https _(do not try this at home!)_
+
+--
+
+.warning[All our dashboard traffic is now clear-text, including passwords!]
+
+--
+
+.exercise[
+
+- Forward http to https
+ ```bash
+ kubectl apply -f https://goo.gl/tA7GLz
+ ```
+
+]
+
+The goo.gl URL expands to:
+
+.small[https://gist.githubusercontent.com/jpetazzo/c53a28b5b7fdae88bc3c5f0945552c04/raw/da13ef1bdd38cc0e90b7a4074be8d6a0215e1a65/socat.yaml]
+
+---
+
+## Connecting to the dashboard
+
+
+.exercise[
+
+- Connect to http://oneofournodes:3xxxx/
+
+
+
+]
+
+The dashboard will then ask you which authentication you want to use.
+
+---
+
+## Dashboard authentication
+
+- We have three authentication options at this point:
+
+ - token (associated with a role that has appropriate permissions)
+
+ - kubeconfig (e.g. using the `~/.kube/config` file from `node1`)
+
+ - "skip" (use the dashboard "service account")
+
+- Let's use "skip": we get a bunch of warnings and don't see much
+
+---
+
+## 3) Bypass authentication for the dashboard
+
+- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges)
+
+- We just need to load another YAML file!
+
+.exercise[
+
+- Grant admin privileges to the dashboard so we can see our resources:
+ ```bash
+ kubectl apply -f https://goo.gl/CHsLTA
+ ```
+
+- Reload the dashboard and enjoy!
+
+]
+
+--
+
+.warning[By the way, we just added a backdoor to our Kubernetes cluster!]
+
+---
+
+## What about making the dashboard reachable from outside?
+
+- We took a shortcut by forwarding http to https inside the cluster
+
+- If we were really using https...
+
+- Inside, the dashboard is exposed through a `ClusterIP` service
+
+- From outside, we need a `NodePort` service instead
.exercise[
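Review bot: on the "3) Bypass authentication" slide, `kubectl apply -f https://goo.gl/CHsLTA` is shown without the "The goo.gl URL expands to:" line that the socat step has, so attendees cannot see what they are granting admin privileges to before they apply it. Add the full URL there as was done for `socat.yaml`. This hunk also puts the dashboard on plain http while the authentication slide still lists token and kubeconfig logins, so the slide should tell attendees to use "skip" only and not to paste real credentials. A cleanup exercise next to the backdoor warning would help too (`kubectl delete -f` with the same two URLs). Minor: the bullet `If we were really using https...` trails off without saying what would be different.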
@@ -68,6 +160,8 @@ The goo.gl URL expands to:
- The dashboard was created in the `kube-system` namespace
+--
+
.exercise[
- Edit the service:
@@ -83,71 +177,6 @@ The goo.gl URL expands to:
---
-## Connecting to the dashboard
-
-.exercise[
-
-- Connect to https://oneofournodes:3xxxx/
-
-- You will have to work around the TLS certificate validation warning
-
-
-
-]
-
-The dashboard will then ask you which authentication you want to use.
-
-.warning[Make sure that you use `https`! Otherwise, you'll get this error:]
-
-```
-This page isn’t working
- sent an invalid response.
-ERR_INVALID_HTTP_RESPONSE
-```
-
-.warning[Chrome 63 (and later) as well as recent versions of Edge will refuse to connect.]
-
-We do not know how to work around that issue for the moment.
-
----
-
-## Dashboard authentication
-
-- We have three authentication options at this point:
-
- - token (associated with a role that has appropriate permissions)
-
- - kubeconfig (e.g. using the `~/.kube/config` file from `node1`)
-
- - "skip" (use the dashboard "service account")
-
-- Let's use "skip": we get a bunch of warnings and don't see much
-
----
-
-## Granting more rights to the dashboard
-
-- The dashboard documentation [explains how to do this](https://github.com/kubernetes/dashboard/wiki/Access-control#admin-privileges)
-
-- We just need to load another YAML file!
-
-.exercise[
-
-- Grant admin privileges to the dashboard so we can see our resources:
- ```bash
- kubectl apply -f https://goo.gl/CHsLTA
- ```
-
-- Reload the dashboard and enjoy!
-
-]
-
---
-
-.warning[By the way, we just added a backdoor to our Kubernetes cluster!]
-
----
-
# Security implications of `kubectl apply`
- When we do `kubectl apply -f `, we create arbitrary resources
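Review bot: the removed "Connecting to the dashboard" slide carried the only troubleshooting hint for a scheme mismatch (the `ERR_INVALID_HTTP_RESPONSE` error when https is not used), and its replacement earlier in the patch says only `Connect to http://oneofournodes:3xxxx/`. The replacement now comes before the NodePort slides, so nothing tells attendees which service the `3xxxx` port belongs to or how to look it up. Suggest adding a step to the new slide that shows how to find the port of the http forwarder, and keeping a one-line note on which scheme goes with which port.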
@@ -197,3 +226,6 @@ We do not know how to work around that issue for the moment.
- It introduces new failure modes
- Example: the official setup instructions for most pod networks
+
+
+---