undefined | Better HN

0 pointsarwineap5y ago0 comments

> It handles it by asking "Do you want to trust this new server?"

That's basically how it works though; your OS packages a group of trusted CA certs. You can add additional trusted CA certs, even ones minted by you to ensure your apps trust the connection

0 comments

paledot5y ago

There are two options:

* Manually install a root certificate, which is a confusing process for most end users and a non-starter for anyone who cares about security. (Imagine walking your parents through the process.)

* Trust a self-signed certificate, which is an increasingly difficult and counterintuitive process since Chrome and Firefox started competing to see who could destroy their usefulness faster. I'm not even sure if it's possible anymore.

Neither of these are acceptable.

Spivak5y ago

I mean I’m not sure if there’s a solution that will make everyone happy then. Making trusting self-signed cheers easy and not scary has real security implications because users just click-through warnings.

imtringued5y ago

Making casual users create their own root certificates sounds like an even worse problem. Now an attacker isn't restricted to impersonating your lightbulbs. They can impersonate any domain if they can get your private CA. Now imagine if an IoT vendor engages in questionable practices like creating the CA for you and the user only has to download an exe that automatically installs the root certificate. The benefit for the vendor would be that all devices you order from their website would be shipped with correctly signed https certificates. Later a hacker dumps the database with root CAs and uses it to impersonate your bank.

elcritch5y ago

That’s why self-signed and "local signed" should be distinct concepts, IMHO. The .local domain is already special cased, and could provide a different UI path more akin to how SSH works. AFAICT, you can’t get a https cert for a .local domain, so it’d not break existing https security model. It’d provide a more secure way for apps like syncthing to provide a secure local UI as well. Getting browsers to accept my self-signed certificate is a pain and makes people just use http.

arwineapOP5y ago

Honestly, I don't trust most end users to install root certificates

If you are doing something for an end user, I think it makes a lot of sense just to get a certificate; it's just not a large barrier anymore.

loeg5y ago

The mechanism SSH uses is called Trust on First Use ("TOFU") and is closer to what used to be HTTPS certificate pinning. In this scheme, certificates never expire, and if they do, clients warn about the unexpected change in certificate.

It is different from the CA PKI system, where the client trusts any certificate signed by a trusted CA without prompting the user at all, and doesn't prompt the user if the certificate for a site changes.

zozbot2345y ago

Self-signed certificates give you basically this. It's a bit of a hassle to mark them as trusted, but you only have to do it once.

loeg5y ago

That has not been my experience with current versions of Chrome.

j / k navigate · click thread line to collapse

0 comments

paledot5y ago

There are two options:

* Manually install a root certificate, which is a confusing process for most end users and a non-starter for anyone who cares about security. (Imagine walking your parents through the process.)

Neither of these are acceptable.

Spivak5y ago

imtringued5y ago

elcritch5y ago

arwineapOP5y ago

Honestly, I don't trust most end users to install root certificates

If you are doing something for an end user, I think it makes a lot of sense just to get a certificate; it's just not a large barrier anymore.

loeg5y ago

zozbot2345y ago

Self-signed certificates give you basically this. It's a bit of a hassle to mark them as trusted, but you only have to do it once.

loeg5y ago

That has not been my experience with current versions of Chrome.

j / k navigate · click thread line to collapse