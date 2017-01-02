Hacker News new | comments | show | ask | jobs | submit login
Why HTTPS for Everything? (cio.gov)
58 points by maxt 1 hour ago | hide | past | web | 42 comments | favorite





Having a "https." subdomain feels so weird.

Main part is "When properly configured". I recently tried out Brave browser on mobile which supports HTTPS everywhere. It slows the mobile web experience so much down that it is not funny. I really like to have HTTPS everywhere but unfortunately not everybody does a good job with that (Handshaking... SPDY, HTTP/2 etc.)

All web traffic that is not encrypted is vulnerable to having its contents altered enroute.

This is a type of man in the middle vulnerability that allows for javascript, posts, etc. to be changed into something malicious.

I feel for later generations - learning tech gets harder and harder. Of course as the sum of knowledge increases this must be true, but as we go HTTPS-only the ability to type commands to a web server over telnet as a learning experience will be a loss.

That's how progress works.

50 years ago you could work on a brand new car with just the tools in your garage, now you'd need specialized knowledge, equipment, and more to the point that it's not really possible to be a home mechanic on many areas.

This isn't new for new's sake, these improvements bring real benefits. And as things get more complex, people will specialize more and more. In the future, your average "dev" might not know the ins and outs of how the transport layer works, but that's okay because there is someone else who mainly only does that.

...as is the ability to inspect the traffic in your network to and from the devices you own. I think that is an even scarier situation, considering what others have discovered about "smart" devices precisely because their traffic was not encrypted. E.g. https://news.ycombinator.com/item?id=6759426

Personally, I'm for HTTPS connections to things like government websites (which is what this article seems to be mostly about), but against "HTTPS everything" in the way it's going to be implemented.

> but against "HTTPS everything"

You being against HTTPS everything, is the same as being in support of MITM attacks somewhere. I am curious when is that the allowable case?

I own my computing devices and I should be able to control the traffic they create. Encryption must not prevent me from doing that.

If you want to avoid telemetry, you need to use open source devices. Prohibiting HTTPS for everything non-government is not a way to go.

I got you bro!

$:openssl s_client -connect localhost:443

CONNECTED(00000003)

...snip....

lots of cert info

...snip...

GET / HTTP/1.0

Telnet/netcat seems simple only because all the layers below are hidden inside the operating system. You don't type in all the MAC/LLC/TCP headers, and you can avoid typing in TLS headers just by hiding them inside the library (LibreSSL, GnuTLS etc.). With libtls API you can think about cryptography in terms of "padlock icon" until you want to learn more.

No, but you can build your own stack from scratch fairly easily, and it's easier to debug when you can see the plaintext through the data structures.

And it's easier to debug a video codec if it's ASCII art, but there's huge benefits for using TLS everywhere instead of plaintext, and they more than outweigh "it's harder to debug."

As others have pointed out, there are tools for creating a TLS socket, not much harder than nc or telnet. However, HTTP/2 will be a totally different game.

Even with HTTP you usually don't use netcat beyond playing with simple GET requests. Most web app developers and hackers use developer tools available in their browser, libraries for their favourite language (urllib for Python, LWP for Perl) and specialized command-line tools (curl).

fully agree, but I think the point was around the educational value of literally being able to handcraft HTTP requests. I learned a ton back in the 90's doing exactly that for various plaintext protocols (FTP, SMTP, POP3, IMAP, HTTP).

Yes, there are tools that let you inspect them, but there's something about being able to walk around right at the protocol level to understand it's nuances (e.g.: CR/LF issues with HTTP).

However, all of that being said, I'm sure the real old-school hackers think all this PHP/Python/Perl mumbo jumbo obscures the real C/C++ code which their interpreters actually drive. And those old-old-school hackers think those C/C++ guys are obscuring their assembly code.. okay, I kid, but you get the point. We all deal with abstractions at some point. Perhaps in time, HTTP/2 tooling will come to improve, and my concerns will vanish as well.

FWIW, OpenBSD's netcat supports creating a TLS socket. I'm not sure it will work on all Linux distributions since it depends on libtls/LibreSSL and most ship with OpenSSL.

You could type them over openssl s_client instead.

Indeed, the openssl tool is a veritable swiss army knife for PKI crypto.

It's a netcat replacement:

    openssl s_client -connect www.google.com:443
while also providing information on the TLS handshake that's useful for debugging (like the server's certificate chain or its list of trusted CAs for client certificates).

There's dozens of other subcommands to do useful things like decode certificates (x509), generate keys (genrsa/gendsa) and create certificate signing requests (req), just to name a few.

openssl s_client is really valuable if you regularly work with minimal container images that don't have curl, wget or even ncat. openssl(1) is almost always there.

Learning a field should get easier the more we collectively know about it - the information should be structured better. This is particularly true of software, where we decide how to structure it. If tech is getting harder, this is our failing, not an inevitability.

Other way round: the more structure we build, the more there is to learn. The blank-slate nature of software is particularly problematic here; people end up proliferating solutions faster than they can be learned.

You might have to do some custom work to make some of the "history" accessible.

For example, Stanford's CS144 class uses a patched version of the Linux kernel to enable people to create their own TCP/IP clients[1]. I'm sure that if stuff like this becomes really inaccessible for newbies, similar modifications will be done for other applications to allow simpler concepts to be taught and explored.

[1] http://web.stanford.edu/class/cs144/assignments/ctcp/assignm...

i think that's more a tooling problem. Making tech accessible to someone new really important.

Isn't the CIO a presidential appointment? I wonder who the next one will be. Or, will there be one at all?

So, what's an embedded system supposed to do when it can't reach its NTP server and needs to validate a cert?

reply


As usual: it depends.

Why does it need to validate a cert? How acceptable is it if you get it wrong? Depending on the answer, perhaps "have a more reliable clock" is the right answer (plenty of embedded devices certainly have a decent idea of what time it is, and if it's already big enough to validate TLS). It seems reasonably probable that the NTP server stops being available for a reasonable amount of time before you have no idea what time it is anymore and can no longer validate certificates; so depending on the device, telemetry might be a good idea too.

It doesn't sound like a reason to give up, though :)

Presume the cert is wrong.

If your system can't handle that, a few options: - put a clock in your embedded element - Pin certs - Use a frontend, embedded only connects to authenticated embedded system (say, with ssh Port forwarding). Frontend does connection correctly.

Ask the user for the time.

  > What time is it?
  Jan 2nd, 2017
  > Sorry, your certificate is expired. Access Denied.
  Wait, I wrote the wrong date, it's Jan 2nd, 2016
  > Ok. Authorized

It's great to see a positive attitude toward security also gaining support in Government.

I just wish all software projects felt the need to be more secure [0]:

> Redis is designed to be accessed by trusted clients inside trusted environments.

> While Redis does not try to implement Access Control, it provides a tiny layer of authentication that is optionally turned on editing the redis.conf file.

> Redis does not support encryption.

This is just broken by design software development. [1] It's irresponsible in 2016/2017 to assume you have impenetrable perimeter security.

Redis' excuse is just bullshit. PostgreSQL supports authentication, SSL, and even client cert pinning.

[0] https://redis.io/topics/security

[1] http://antirez.com/news/96

Edit: Loving the downvotes by butthurt developers who have never had a security audit...

Different projects - different requirements.

Perhaps you should assume people who are using it like this carefully weighted security against their requirements and came to the conclusion that it's a legit tradeoff.

> This is just broken by design software development.

This is just your "I know it all" mindset.

Sometimes it can be safer to assume that something is completely insecure, than to assume ( incorrectly ) that it is. Not implementing any security on a product guarantees the former - outside of complete user incompetence. I would also say that guaranteeing security is beyond the scope of most projects, especially those with limited development resource ( Redis for example ).

Redis and Postgre are meant to play different roles.

reply


Authentication and encryption takes a lot of CPU, but turning security OFF for performance reasons should always be behind a configuration flag.

It's illegal to break into something, but if you leave the door wide open the insurance company might not be so willing, and in some laws it's actually legal to walk into open rooms.

> If you don't like what Redis does, you're welcome not to use it.

I like what Redis does, and it's also heavily used in industry. What I am saying, not incorrectly, is that their approach to security is harmful to their users. Most of whom won't know, care, or implement additional security which they should.

It's the same argument with HTTPS. Of course HTTPS is optional in a web server, but all major web servers support HTTPS, and there has been a concentrated push to have more people using SSL.

e.g. LetsEncrypt

We should be making it easier for people to deploy secure services. Redis' approach to security makes it extremely difficult for developers to deploy secure services.

I'll say it again: It's irresponsible in 2016/2017 to assume you have impenetrable perimeter security.

I don't get why it would be that way? It's built to be deployed in a DMZ on a private network and that's how 99% of users (typically professionals) use it.

The idea of a hardened perimeter around a soft squishy interior has been proven repeatedly not to work.

> I like what Redis does, and it's also heavily used in industry. What I am saying, not incorrectly, is that their approach to security is harmful to their users. Most of whom won't know, care, or implement additional security which they should.

Then a different security story within redis wouldn't save them anyway. Security is not magic fairy dust that you sprinkle on something and then hope for the best.

fork -> add feature -> pull request

There is no reason to use redis over a non-local network as it loses its performance appeal completely. Even talking to a redis server on a different rack doesn't make a lot of sense, unless you have a total control over a network there. So encryption by default goes against its value proposition.

> The IETF has said that pervasive monitoring is an attack, and the Internet Architecture Board (the IETF’s parent organization) recommends that new protocols use encryption by default.

While HTTPS does prevent just anyone from monitoring, I've long been under the impression that the government, and possibly influential corporations, probably have access to any certificates issued by the large CAs.

Is this a tinfoil hat theory? Is anything legally or technically preventing this from happening, and/or are there ways for me to know when my own browsing is truly private between myself and only the party at the other end, and not other curious or intrusive uninvited third parties?

