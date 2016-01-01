While HTTPS does prevent just anyone from monitoring, I've long been under the impression that the government, and possibly influential corporations, probably have access to any certificates issued by the large CAs.
Is this a tinfoil hat theory? Is anything legally or technically preventing this from happening, and/or are there ways for me to know when my own browsing is truly private between myself and only the party at the other end, and not other curious or intrusive uninvited third parties?
This is a type of man in the middle vulnerability that allows for javascript, posts, etc. to be changed into something malicious.
Why does it need to validate a cert? How acceptable is it if you get it wrong? Depending on the answer, perhaps "have a more reliable clock" is the right answer (plenty of embedded devices certainly have a decent idea of what time it is, and if it's already big enough to validate TLS). It seems reasonably probable that the NTP server stops being available for a reasonable amount of time before you have no idea what time it is anymore and can no longer validate certificates; so depending on the device, telemetry might be a good idea too.
It doesn't sound like a reason to give up, though :)
If your system can't handle that, a few options:
- put a clock in your embedded element
- Pin certs
- Use a frontend, embedded only connects to authenticated embedded system (say, with ssh Port forwarding). Frontend does connection correctly.
Personally, I'm for HTTPS connections to things like government websites (which is what this article seems to be mostly about), but against "HTTPS everything" in the way it's going to be implemented.
You being against HTTPS everything, is the same as being in support of MITM attacks somewhere. I am curious when is that the allowable case?
$:openssl s_client -connect localhost:443
CONNECTED(00000003)
...snip....
lots of cert info
...snip...
GET / HTTP/1.0
Yes, there are tools that let you inspect them, but there's something about being able to walk around right at the protocol level to understand it's nuances (e.g.: CR/LF issues with HTTP).
However, all of that being said, I'm sure the real old-school hackers think all this PHP/Python/Perl mumbo jumbo obscures the real C/C++ code which their interpreters actually drive. And those old-old-school hackers think those C/C++ guys are obscuring their assembly code.. okay, I kid, but you get the point. We all deal with abstractions at some point. Perhaps in time, HTTP/2 tooling will come to improve, and my concerns will vanish as well.
It's a netcat replacement:
openssl s_client -connect www.google.com:443
There's dozens of other subcommands to do useful things like decode certificates (x509), generate keys (genrsa/gendsa) and create certificate signing requests (req), just to name a few.
For example, Stanford's CS144 class uses a patched version of the Linux kernel to enable people to create their own TCP/IP clients[1]. I'm sure that if stuff like this becomes really inaccessible for newbies, similar modifications will be done for other applications to allow simpler concepts to be taught and explored.
[1] http://web.stanford.edu/class/cs144/assignments/ctcp/assignm...
I just wish all software projects felt the need to be more secure [0]:
> Redis is designed to be accessed by trusted clients inside trusted environments.
> While Redis does not try to implement Access Control, it provides a tiny layer of authentication that is optionally turned on editing the redis.conf file.
> Redis does not support encryption.
This is just broken by design software development. [1] It's irresponsible in 2016/2017 to assume you have impenetrable perimeter security.
Redis' excuse is just bullshit. PostgreSQL supports authentication, SSL, and even client cert pinning.
[0] https://redis.io/topics/security
[1] http://antirez.com/news/96
Edit: Loving the downvotes by butthurt developers who have never had a security audit...
Perhaps you should assume people who are using it like this carefully weighted security against their requirements and came to the conclusion that it's a legit tradeoff.
> This is just broken by design software development.
This is just your "I know it all" mindset.
If you don't like what Redis does, you're welcome not to use it.
It's illegal to break into something, but if you leave the door wide open the insurance company might not be so willing, and in some laws it's actually legal to walk into open rooms.
I like what Redis does, and it's also heavily used in industry. What I am saying, not incorrectly, is that their approach to security is harmful to their users. Most of whom won't know, care, or implement additional security which they should.
It's the same argument with HTTPS. Of course HTTPS is optional in a web server, but all major web servers support HTTPS, and there has been a concentrated push to have more people using SSL.
e.g. LetsEncrypt
We should be making it easier for people to deploy secure services. Redis' approach to security makes it extremely difficult for developers to deploy secure services.
I'll say it again: It's irresponsible in 2016/2017 to assume you have impenetrable perimeter security.
Then a different security story within redis wouldn't save them anyway. Security is not magic fairy dust that you sprinkle on something and then hope for the best.
