undefined | Better HN

0 pointslysace1y ago0 comments

There's some every packet shall be encrypted, even in minimal private VPCs lore going on. I'm blaming PCI-DSS.

0 comments

The big problem with running unencrypted HTTP on a LAN is that it's terribly easy for (most) LANs to be compromised.

Let's start with the obvious; wifi. If you're visiting a company and ask the receptionist for the wifi password you'll likely get it.

Next are eternity ports. Sitting waiting in a meeting room, plug your laptop into the ethernet port and you're in.

And of course it's not just hardware, any software running on any machine makes the LAN just as vulnerable.

Sure, you can design a LAN to be secure. You can make sure there's no way to get onto it. But the -developer- and -network maintainer- are 2 different guys, or more likely different departments. As a developer are you convinced the LAN will be as secure in 10 years as it is today? 5 years? 1 year after that new intern arrives and takes over maintainence 6 weeks in?

What starts out as "minimal private VPC" grows, changes, is fluid. Treating it as secure today is one thing. Trusting it to remain secure 10 years from now is another.

In 99.9% of cases your LAN traffic should be secure. This us the message -developers- need to hear. Don't rely on some other department to secure your system. Do it yourself.

gorgoiler1y ago

Well said. I used to be of the mindset that if I ran VLANs I could at least segregate the good guys from the evil AliExpress wifi connected toasters. Now everything feels like it could become hostile at any moment and so, on that basis, we all share the same network with shields up as if it were the plain, scary Internet. It feels a lot safer.

I guess my toaster is going to hack my printer someday, but at least it won’t get into my properly-secured laptop that makes no assumptions the local network is “safe”.

xp841y ago

For most purposes, when wishing for non-HTTPS, we are talking about development or maybe a staging server of some sort. Maybe if we had state secrets people would be trying to plug into the lan to snoop the traffic, but for 99.99% of developers the traffic between a testing instance and them is the most worthless thing ever. Worst case you might find out what features we will release to the app in 2 weeks. The conflation of “SSL” with “cybersecurity” is unfortunate.

Spooky231y ago

The big issue with encrypted HTTP on the local LAN is that you’re stuck running a certificate authority, ignoring TLS validation, or exposing parts of your network in the name of transparency.

Running certificate authority is one of those a minute to learn, lifetime to master scenarios.

You are often trading “people can sniff my network scenario” to a “compromise the CA someone setup 10 years ago that we don’t touch” scenario.

bruce5111y ago

I agree that setting up a self-signed CA is hard, and harder to keep going.

However DNS challenge allow for you to map an internal address to an IP number. The only real information that leaks is the subnet address of my LAN. And given the choice of that or unencrypted traffic I'll take that all day long.

slimsag1y ago

Also, make sure your TLS certificates are hard-coded/pinned in your application binary. Just like the network, you really cannot trust what is happening on the user's system.

This way you can ensure you as the developer have full control over your applications' network communication; by requiring client certificates issued by a CA you control, you can assert there is no MITM even if a sysadmin, user, or malware tries to install a proxy root CA on the system.

Finally, you can add binary obfuscation / anticheat mechanisms used commonly in video games to ensure that even if someone is familiar with the application in question they cannot alter the certificates your application will accept.

Lots of e.g. mobile banking apps, etc. do this for maximal security guarantees.

swiftcoder1y ago

In practice pinning tends to be very "best effort", if not outright disadvantageous.

All our apps had to auto-disable pinning less than a year after the build date, because if the user hadn't updated the app by the time we had to renew all our certs... they'd be locked out.

Also dealt with the fallout from a lovely little internet-of-things device that baked cert pinning into the firmware, but after a year on store shelves the clock battery ran out, so they booted up in 1970 and decided the pinned certs wouldn't become valid for ~50 years :D

frogsRnice1y ago

Pinning is very complex, there is always the chance that you forget to update the pins and perform a denial of service against your own users. At the point where the device itself is compromised, you can’t really assert to anything. Furthermore, there is always the risk that your developers implement pinning incorrectly and introduce a chain validation failure.

Lots of apps use the anticheat/obfuscation mechanisms added by mobile apps are also trivial to bypass using instrumentation - ie frida codeshare. I know you aren’t implying that people should use client side controls to protect an app running on a device and an environment that they control, but in my experience even some technical folk will try and to do this

PokestarFan1y ago

At some point you have to wonder if your app even matters that much.

1 more reply

Too1y ago

This is way overkill, unless you are making a nuclear rocket launch application. If you can not trust the system root CA, the whole internet breaks down.

You will also increase the risk that your already understaffed ops-team messes up and creates even worse exposure or outages, while they are trying to figure out what ssl-keygen does.

laz1y ago

Exactly what an NSA puppet account would say!

Don't believe the hype. Remember the smiley from "SSL added and removed here"

https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-her...

lysaceOP1y ago

This "NSA puppet" is all for encrypting traffic between networks.

;-)

yarg1y ago

Blame leaked documents from the intelligence services.

No one really bothered until it was revealed that organisations like the NSA were exfiltrating unencrypted internal traffic from companies like Google with programs like PRISM.

baq1y ago

Echelon was known about before Google was even a thing. I remember people adding Usenet headers with certain keywords. Wasn’t much, but it was honest work.

kortilla1y ago

Hoping datacenter to datacenter links are secure is how the NSA popped Google.

Turn on crypto, don’t be lazy

otabdeveloper41y ago

Pretty sure state-level actors sniffing datacenter traffic is literally the very last of your security issues.

This kind of theater actively harms your organization's security, not helps it. Do people not do risk analysis anymore?

shawnz1y ago

Taking defense in depth measures like using https on the local network is "theatre" that "actively harms your organization's security"? That seems like an extreme opinion to me.

Picking some reasonable best practices like using https everywhere for the sake of maintaining a good security posture doesn't mean that you're "not doing risk analysis".

1 more reply

kortilla1y ago

It’s not theatre, it’s real security. And state level actors are absolutely not the only one capable of man in the middle attacks.

You have:

- employees at ISPs

- employees at the hosting company

- accidental network misconfigurations

- one of your own compromised machines now part of a ransomware group

- the port you thought was “just for internal” that a dev now opens for some quick testing from a dev box

Putting anything in open comms is one of the dumbest things you can do as an engineer. Do your job and clean that shit up.

It’s funny you mention risk analysis, plaintext traffic is one of the easiest things to compromise.

soraminazuki1y ago

NSA sniffs all traffic through various internet choke points in what's known as upstream surveillance. It's not just data center traffic.

https://www.eff.org/pages/upstream-prism

These kind of risks are obvious, real, and extensively documented stuff. I can't imagine why anyone serious about improving security for everyone would want to downplay and ridicule it.

TimTheTinker1y ago

Found the NSA goon.

Seriously, your statement is demonstrably wrong. That's exactly the sort of traffic the NSA actively seeks to exploit.

unethical_ban1y ago

Caring excessively about certain metrics while neglecting real security is harmful.

Encrypting all network traffic between endpoints does nothing to actively harm security.

unethical_ban1y ago

That's some "it's okay to keep my finger on the trigger when the gun is unloaded" energy.

j / k navigate · click thread line to collapse

0 comments

bruce5111y ago

The big problem with running unencrypted HTTP on a LAN is that it's terribly easy for (most) LANs to be compromised.

Let's start with the obvious; wifi. If you're visiting a company and ask the receptionist for the wifi password you'll likely get it.

Next are eternity ports. Sitting waiting in a meeting room, plug your laptop into the ethernet port and you're in.

And of course it's not just hardware, any software running on any machine makes the LAN just as vulnerable.

What starts out as "minimal private VPC" grows, changes, is fluid. Treating it as secure today is one thing. Trusting it to remain secure 10 years from now is another.

In 99.9% of cases your LAN traffic should be secure. This us the message -developers- need to hear. Don't rely on some other department to secure your system. Do it yourself.

gorgoiler1y ago

I guess my toaster is going to hack my printer someday, but at least it won’t get into my properly-secured laptop that makes no assumptions the local network is “safe”.

xp841y ago

Spooky231y ago

The big issue with encrypted HTTP on the local LAN is that you’re stuck running a certificate authority, ignoring TLS validation, or exposing parts of your network in the name of transparency.

Running certificate authority is one of those a minute to learn, lifetime to master scenarios.

You are often trading “people can sniff my network scenario” to a “compromise the CA someone setup 10 years ago that we don’t touch” scenario.

bruce5111y ago

I agree that setting up a self-signed CA is hard, and harder to keep going.

slimsag1y ago

Also, make sure your TLS certificates are hard-coded/pinned in your application binary. Just like the network, you really cannot trust what is happening on the user's system.

Lots of e.g. mobile banking apps, etc. do this for maximal security guarantees.

swiftcoder1y ago

In practice pinning tends to be very "best effort", if not outright disadvantageous.

All our apps had to auto-disable pinning less than a year after the build date, because if the user hadn't updated the app by the time we had to renew all our certs... they'd be locked out.

frogsRnice1y ago

PokestarFan1y ago

At some point you have to wonder if your app even matters that much.

1 more reply

Too1y ago

This is way overkill, unless you are making a nuclear rocket launch application. If you can not trust the system root CA, the whole internet breaks down.

You will also increase the risk that your already understaffed ops-team messes up and creates even worse exposure or outages, while they are trying to figure out what ssl-keygen does.

laz1y ago

Exactly what an NSA puppet account would say!

Don't believe the hype. Remember the smiley from "SSL added and removed here"

https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-her...

lysaceOP1y ago

This "NSA puppet" is all for encrypting traffic between networks.

;-)

yarg1y ago

Blame leaked documents from the intelligence services.

No one really bothered until it was revealed that organisations like the NSA were exfiltrating unencrypted internal traffic from companies like Google with programs like PRISM.

baq1y ago

Echelon was known about before Google was even a thing. I remember people adding Usenet headers with certain keywords. Wasn’t much, but it was honest work.

kortilla1y ago

Hoping datacenter to datacenter links are secure is how the NSA popped Google.

Turn on crypto, don’t be lazy

otabdeveloper41y ago

Pretty sure state-level actors sniffing datacenter traffic is literally the very last of your security issues.

This kind of theater actively harms your organization's security, not helps it. Do people not do risk analysis anymore?

shawnz1y ago

Taking defense in depth measures like using https on the local network is "theatre" that "actively harms your organization's security"? That seems like an extreme opinion to me.

Picking some reasonable best practices like using https everywhere for the sake of maintaining a good security posture doesn't mean that you're "not doing risk analysis".

1 more reply

kortilla1y ago

It’s not theatre, it’s real security. And state level actors are absolutely not the only one capable of man in the middle attacks.

You have:

- employees at ISPs

- employees at the hosting company

- accidental network misconfigurations

- one of your own compromised machines now part of a ransomware group

- the port you thought was “just for internal” that a dev now opens for some quick testing from a dev box

Putting anything in open comms is one of the dumbest things you can do as an engineer. Do your job and clean that shit up.

It’s funny you mention risk analysis, plaintext traffic is one of the easiest things to compromise.

soraminazuki1y ago

NSA sniffs all traffic through various internet choke points in what's known as upstream surveillance. It's not just data center traffic.

https://www.eff.org/pages/upstream-prism

These kind of risks are obvious, real, and extensively documented stuff. I can't imagine why anyone serious about improving security for everyone would want to downplay and ridicule it.

TimTheTinker1y ago

Found the NSA goon.

Seriously, your statement is demonstrably wrong. That's exactly the sort of traffic the NSA actively seeks to exploit.

unethical_ban1y ago

Caring excessively about certain metrics while neglecting real security is harmful.

Encrypting all network traffic between endpoints does nothing to actively harm security.

unethical_ban1y ago

That's some "it's okay to keep my finger on the trigger when the gun is unloaded" energy.

j / k navigate · click thread line to collapse