undefined | Better HN

0 pointsjorl174y ago0 comments

I'm interested: why do you think it is debatable if HTTPS is "concretely pretty good" as it exists now?

0 comments

It's not always necessary. Think fully offline networks that can't/won't use a CA anyway, or networks where physical/machine access is the intended layer of security (a web server running on localhost).

In these scenarios a self-signed certificate will rarely improve security because most users will click through the warning anyway in case of an MITM attack.

unqueued4y ago

Users should not have to rely on the network being isolated for security.

Even when I have an offline network, I still use SSH whenever possible.

Yes, I don't benefit from initial verification, but I pin the certificate from then on.

I don't think that the current "all or nothing" paradigm that we use with SSL in browsers makes any sense.

I have been really disappointed over the last few years deploying network connected devices and trying to make their services available in a secure way.

It is not really possible for ipcams, routers, etc to offer services in HTTPS in a semi-online network. There should be a kind of 'encrypted but unverified' mode.

Even the worst failure mode is no worse than a plaintext connection.

Nextgrid4y ago

Let’s say I sell a physical device that allows you to use a browser as its UI. You just plug an Ethernet cable and point your browser to its web server.

Security is done by physical access. Anything else is just extra complexity and points of failure, and if an attacker can get physical access to the LAN cable, he can just as well walk to the machine directly and change the settings on the control panel.

HTTPS, with its current UX, would be a net negative in this case.

unqueued4y ago

> HTTPS, with its current UX, would be a net negative in this case.

I would just replace "HTTPS" with "SSH", and see if that statement is still reasonable.

Even though SSH is not perfect when you can't verify the initial connection to a host on a local network, using TELNET instead is not a solution.

I have yet to hear a reason why HTTP is better than self signed and pinned HTTPS; why possibly insecure is worse than insecure.

The only justifications I have heard are UX justifications, and those are really just a critique of the UX, not the protocol.

> Security is done by physical access. Anything else is just extra complexity and points of failure, and if an attacker can get physical access to the LAN cable, he can just as well walk to the machine directly and change the settings on the control panel.

That is an extremely fragile solution.

By default ethernet is very open. It is very easy to bridge it with other devices or routers to announce themselves and start routing. It happens all the time on what are supposed to be closed networks, I've seen it.

And many networks are semi-offline. You may need to have limited internet access. Or the network configuration may change in the future.

1 more reply

pornel4y ago

Browsers make an exception for localhost and treat it as a secure context.

It's also possible to get a certificate from a CA using any public IP address, and then reuse that cert for LAN. Certs are bound to domain names, not IP addresses.

jonhohle4y ago

Why should an org expose details of private infrastructure publicly? For anyone with more than a few internal tools this becomes untenable or unreasonable quickly and sharing a wildcard cert has diminishing returns as its shared between apps, teams, etc.

j / k navigate · click thread line to collapse

0 comments

Nextgrid4y ago

In these scenarios a self-signed certificate will rarely improve security because most users will click through the warning anyway in case of an MITM attack.

unqueued4y ago

Users should not have to rely on the network being isolated for security.

Even when I have an offline network, I still use SSH whenever possible.

Yes, I don't benefit from initial verification, but I pin the certificate from then on.

I don't think that the current "all or nothing" paradigm that we use with SSL in browsers makes any sense.

I have been really disappointed over the last few years deploying network connected devices and trying to make their services available in a secure way.

It is not really possible for ipcams, routers, etc to offer services in HTTPS in a semi-online network. There should be a kind of 'encrypted but unverified' mode.

Even the worst failure mode is no worse than a plaintext connection.

Nextgrid4y ago

Let’s say I sell a physical device that allows you to use a browser as its UI. You just plug an Ethernet cable and point your browser to its web server.

HTTPS, with its current UX, would be a net negative in this case.

unqueued4y ago

> HTTPS, with its current UX, would be a net negative in this case.

I would just replace "HTTPS" with "SSH", and see if that statement is still reasonable.

Even though SSH is not perfect when you can't verify the initial connection to a host on a local network, using TELNET instead is not a solution.

I have yet to hear a reason why HTTP is better than self signed and pinned HTTPS; why possibly insecure is worse than insecure.

The only justifications I have heard are UX justifications, and those are really just a critique of the UX, not the protocol.

That is an extremely fragile solution.

And many networks are semi-offline. You may need to have limited internet access. Or the network configuration may change in the future.

1 more reply

pornel4y ago

Browsers make an exception for localhost and treat it as a secure context.

It's also possible to get a certificate from a CA using any public IP address, and then reuse that cert for LAN. Certs are bound to domain names, not IP addresses.

jonhohle4y ago

j / k navigate · click thread line to collapse