undefined | Better HN

0 pointsstaticassertion4y ago0 comments

> Let's say in a rather far out case someone spoofs internal resolution.

Seems trivial. Why wouldn't they?

> You are generally already owned at that point

Well, you might be, since your network is relying on self signed certificates with no PKI.

> heads up, the cert for this IP now mismatches.

Good thing everyone is already trained to click through certificate warnings.

Or you could just do PKI properly and avoid the entire issue, or not have an intranet and avoid the entire issue.

0 comments

3 comments · 1 top-level

altantiprocrast4y ago· 2 in thread

> Good thing everyone is already trained to click through certificate warnings.

With a proper UI there would be different messages when a cert mismatches compared to when a new cert is seen or the previous cert was about to expire. (Quite like Gemini browsers)

geofft4y ago

In the past, there were messages that specified exactly what was different about the situation, and they were by no means "proper UI":

https://docs.jboss.org/jbossas/guides/webguide/r2/en/html/im...

In fact, in the past, browsers used to helpfully give you warnings whenever you started using SSL:

http://acc6.its.brooklyn.cuny.edu/~core51/labs/extralab_file...

dspillett4y ago

Different messages doesn't matter if people are just clicking through no matter what the message.

Even people who should know better. Even with other protocols like how SSH should work. We have clients who send us PPI and other data via SFTP. They do much to make themselves look paranoid: insisting on whitelisting source addresses, in some cases mandating PGP, insisting we pass certain audit requirements including things they may unilaterally make up in future, etc. But do they actually care enough to follow procedures and verify things before clicking through (or hitting the "Y" key)? No. How can I be so sure? I gave out the wrong host key fingerprint for a while (accidentally, I sent a dev/test host's fingerprint instead of the production one's identity) and no one came back to say "hey, this doesn't match, we can't proceed, could you look into why the target host identity doesn't match ASAP?" before I noticed my error.

If supposedly paranoid data management and security professionals are not Doing It Right and are just clicking through no matter what, you can bet your arse & mine that pretty much the rest of the world isn't doing things right, and probably never will, either.

j / k navigate · click thread line to collapse