Disabling cert checks: we have not learned much (opens in new tab)

(daniel.haxx.se)

35 pointscaution1y ago22 comments

22 comments

I think that many instances are disabling checks in order to troubleshoot something and then never enabling it again. And we see this on all levels - development, devops and also sysops of course. Just quickly disabling something without leaving a TODO, disabling a MSDeploy certificate check because a proper PKI has never been set-up, just ignoring any certificate errors in LAN management tools because installing a certificate is so hard.

hypeatei1y ago

Somewhat related is a recently discovered bug in the qBittorrent client where SSL checks had been disabled for a long time before someone noticed:

https://news.ycombinator.com/item?id=42004219

ghusto1y ago

Kind of related, but a little off-topic: I think tying name checking to encrypting traffic was a mistake. They are two different use cases, and shouldn't have been so tightly coupled.

Sometimes I care only about my traffic being encrypted, and resent having to jump through hoops to ignore the name mismatch. Sometimes I care only about assurances that the name is correct, and don't care about having the traffic encrypted.

Jasper_1y ago

Encryption without authentication is not very useful; if unauthenticated, your ISP could middle-man your connection and effectively decrypt everything while making you think you're encrypted.

If that's not in your threat model, and you want encryption for another purpose, then I could understand that, but currently, protecting the endpoints against malicious attackers in the middle is the big value of TLS.

SahAssar1y ago

> Sometimes I care only about my traffic being encrypted, and resent having to jump through hoops to ignore the name mismatch.

Why do you care about encryption without authentication? Without TOFU, PKI or a preshared key what is the value?

> Sometimes I care only about assurances that the name is correct, and don't care about having the traffic encrypted.

So signing?

clbrmbr1y ago

I just today reviewed a PR with a default insecure option. But here we’re working on local networks where there’s no way to get a certificate because there’s not a domain name that points to the local IP address.

At least with HTTPS over the local network, it can frustrate attempts to break into it. That said we are sure to call it “https-insecure”.

dspillett1y ago

> But here we’re working on local networks where there’s no way to get a certificate because there’s not a domain name that points to the local IP address.

There are options for this, that needn't cost.

In a company with controlled workstations, have your own CA and push the trust of that through GP or in your standard OS build, point whatever domain you like (“real” or just a local-only DNS entry) at your host and sign a cert for that with the internal CA. Generating keys & certs for each workstation can be automated. You could sign a wildcard subdomain and key+cert for each machine or person, .pc101.devteam.internal/.johndoe.devteam.internal, so each user can setup multiple dev/test services on their box without requiring support from the infrastructure team.

Or get a wildcard from LE or similar for some [sub]domain, point *.[sub.]domain to 127.0.0.1 and let everyone have the keys for that. You need to renew every 3 months or less and redistribute the cert, but that isn't massive hardship and can be automated. Also make sure this is only for dev/test though, not internal tooling that might handle read data/controls, or having multiple (potentially many) people with access to the private key is a massive security issue.

Using proper names & certs and not encouraging disabling checks for local dev/test, reduces the risk of code that doesn't do proper verification getting let out into the wild later when someone forgets to switch checks back on.

SahAssar1y ago

>There are options for this, that needn't cost.

> In a company with controlled workstations, have your own CA and push the trust of that through GP or in your standard OS build

I'd be surprised if this did not cost when done properly. Securing a (even internal) CA is a whole thing that is not trivial.

2 more replies

Joker_vD1y ago

Or you can do none of that razzle dazzle which, if you stop to actually think about it, doesn't really bring in any security. Yeah, "let everyone have the keys for that", that's sure much more secure against some vaguely imagined threat connected with people already running arbitrary stuff on your internal network.

1 more reply

firesteelrain1y ago

Except in airgap environments where there is no CA available to check against.

orf1y ago

This makes no sense. Do you believe TLS is somehow impossible on “airgap environments”?

firesteelrain1y ago

If the root CA is in a place that is inaccessible then there are no CRLs to check against for example. Root CA may exist outside of the airgapped env. Especially if the root CA is one that produces self signed certs. You are back to insecure TLS

1 more reply

jedisct11y ago

Create a local root CA.

ghusto1y ago

You mean create a root CA, install it as a trusted CA on _every single_ client that will interact with the client, manage revocations (whole thing in itself), and handle all the other management that goes along with being an authority (local or otherwise, it makes little difference).

firesteelrain1y ago

I can't be a CA for a root cert I don't own

1 more reply

j / k navigate · click thread line to collapse

22 comments

sebazzz1y ago

hypeatei1y ago

Somewhat related is a recently discovered bug in the qBittorrent client where SSL checks had been disabled for a long time before someone noticed:

https://news.ycombinator.com/item?id=42004219

ghusto1y ago

Kind of related, but a little off-topic: I think tying name checking to encrypting traffic was a mistake. They are two different use cases, and shouldn't have been so tightly coupled.

Jasper_1y ago

Encryption without authentication is not very useful; if unauthenticated, your ISP could middle-man your connection and effectively decrypt everything while making you think you're encrypted.

SahAssar1y ago

> Sometimes I care only about my traffic being encrypted, and resent having to jump through hoops to ignore the name mismatch.

Why do you care about encryption without authentication? Without TOFU, PKI or a preshared key what is the value?

> Sometimes I care only about assurances that the name is correct, and don't care about having the traffic encrypted.

So signing?

clbrmbr1y ago

At least with HTTPS over the local network, it can frustrate attempts to break into it. That said we are sure to call it “https-insecure”.

dspillett1y ago

> But here we’re working on local networks where there’s no way to get a certificate because there’s not a domain name that points to the local IP address.

There are options for this, that needn't cost.

SahAssar1y ago

>There are options for this, that needn't cost.

> In a company with controlled workstations, have your own CA and push the trust of that through GP or in your standard OS build

I'd be surprised if this did not cost when done properly. Securing a (even internal) CA is a whole thing that is not trivial.

2 more replies

Joker_vD1y ago

1 more reply

firesteelrain1y ago

Except in airgap environments where there is no CA available to check against.

orf1y ago

This makes no sense. Do you believe TLS is somehow impossible on “airgap environments”?