Most active commenters
  • superkuh(5)
  • packetlost(3)

←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 26 comments | 25 Jul 23 14:10 UTC | HN request time: 1.635s | source | bottom
1. superkuh ◴[25 Jul 23 14:15 UTC] No.36862573[source]
Google/Microsoft/Apple essentially did this with HTTP/3 too. None of their shipped browsers are able to connect to a non-"CA TLS" HTTP/3 endpoint. To host a HTTP/3 website visitable by a random normal person you have to get continued approval (every 3 months min) from a third party CA corporation for your website.
replies(2): >>36862591 #>>36863130 #
2. 2OEH8eoCRo0 ◴[25 Jul 23 14:17 UTC] No.36862591[source]
What do you mean approval? You'd need a cert from an entity like Let's Encrypt?
replies(1): >>36862610 #
3. superkuh ◴[25 Jul 23 14:18 UTC] No.36862610[source]
Yep. LetsEncrypt is great but everyone centralizing in them is not so great. Normal browsers having the ability to connect to a bare HTTP endpoint in HTTP/3 would solve any problems that might arise from this centralization. It's a straightforwards and easy thing to fix for the HTTP/3 lib devs and mega-corp browsers using those libs. But no one cares about it.
replies(4): >>36862723 #>>36862727 #>>36863143 #>>36863452 #
4. packetlost ◴[25 Jul 23 14:26 UTC] No.36862723{3}[source]
Kinda surprised there isn't a few CAs that set up Let's Encrypt-like automated infrastructure that charge a small subscription fee for certificates. I'd pay $1-$3/m or so for preventing a mono-culture + big attack surface, but don't really want to give up the convenience of Let's Encrypt.

I know there's a big barrier to entry for being a CA (as there should be), but it shouldn't be impossible.

replies(2): >>36862744 #>>36865061 #
5. cj ◴[25 Jul 23 14:26 UTC] No.36862727{3}[source]
https://www.smashingmagazine.com/2021/08/http3-core-concepts...

> While TLS 1.3 can still run independently on top of TCP, QUIC instead sort of encapsulates TLS 1.3. Put differently, there is no way to use QUIC without TLS; QUIC (and, by extension, HTTP/3) is always fully encrypted.

Basically there is no HTTP/3 without a TLS certificate.

I'm not sure what "problems that might arise from centralization" might be. There are many different TLS certificate providers from different CA roots.

Is your gripe that you don't like TLS? Judging by how long the migration from TLS 1.1 to 1.2 took, I assume we're at least 10-15 years away from a world where everything is encrypted by default without backwards compatibility (if we ever get there at all).

replies(2): >>36862859 #>>36863117 #
6. Avamander ◴[25 Jul 23 14:27 UTC] No.36862744{4}[source]
> Kinda surprised there isn't a few CAs that set up Let's Encrypt-like automated infrastructure that charge a small subscription fee for certificates.

There are other ACME-compatible CA's.

replies(1): >>36862805 #
7. packetlost ◴[25 Jul 23 14:31 UTC] No.36862805{5}[source]
Oh? Examples?
replies(1): >>36862858 #
8. capableweb ◴[25 Jul 23 14:34 UTC] No.36862858{6}[source]
https://zerossl.com/ is a popular alternative. https://www.buypass.com/ is another one I haven't personally tried.
replies(2): >>36863059 #>>36863145 #
9. superkuh ◴[25 Jul 23 14:34 UTC] No.36862859{4}[source]
>Is your gripe that you don't like TLS?

I'm flabberghasted that that's what you took away from my comments. I thought I was very clear. My issue is the lack of HTTP support in HTTP/3 implementations shipped by the mega-corps (CA HTTPS only). CA TLS is definitely the least worst solution we have and I am not against it. I am saying major browsers' HTTP/3 implementations lack of bare HTTP support in HTTP/3, combined with short TLS cert lifetimes these days, is effectively attestation and that's bad. "Basically there is no HTTP/3 without a TLS certificate." is bad.

It could be slightly mitigated by the mega-corp implementations of HTTP/3 they ship accepting non-CA root based self-signed certs with a scaremongering click-through. But that's also no longer an option. If no company running a CA will give you a cert you'll simply be unvisitable (on HTTP/3). It makes the web something only for commercially approved sites.

replies(4): >>36863023 #>>36863036 #>>36863105 #>>36863765 #
10. ehhthing ◴[25 Jul 23 14:44 UTC] No.36863023{5}[source]
> If no company running a CA will give you a cert you'll simply be unvisitable (on HTTP/3).

This isn't technically correct. I believe on the security warning page you can type "thisisunsafe" (just blindly do it) and it'll let you through.

At the very least this works for bypassing HSTS.

11. snowwrestler ◴[25 Jul 23 14:45 UTC] No.36863036{5}[source]
It’s the opposite of the attestation scheme under discussion, because it requires the server to satisfy attestation, while the client can be whoever. Whereas the Apple and Google schemes require the client to satisfy attestation.

I agree with you on the necessity of maintaining support for bare HTTP in the Web ecosystem. But I think you’re not likely to get as much support on this, simply because far fewer people run servers than clients.

I kind of doubt that clients will ever connect exclusively via HTTP/3. I think browsers keep bare HTTP support. Maybe at some point it may be hidden behind a client config flag.

12. ehhthing ◴[25 Jul 23 14:47 UTC] No.36863059{7}[source]
Also Google Trust Services has free certificates although you need a Google Cloud project for it.
replies(1): >>36863087 #
13. capableweb ◴[25 Jul 23 14:48 UTC] No.36863087{8}[source]
Not sure Google is a great alternative if you want to prevent further centralization of CAs :)
14. foul ◴[25 Jul 23 14:49 UTC] No.36863105{5}[source]
Security measures like Cloudflare anti-DDOS reverse proxy rely precisely on widespread TLS, can deny access to any client not performing sanctioned TLS handshake (like curl, scrapers, or even old browsers which by chance can do TLS 1.2).

https://github.com/lwthiker/curl-impersonate

15. water9 ◴[25 Jul 23 14:50 UTC] No.36863117{4}[source]
"There are many different TLS certificate providers from different CA roots." - Yes but there are only a handful of browsers and they preselect the default CA providers. The average user is not going to be able to configure custom CAs and will effectively be denied service should those pre-selected CAs go rogue.
16. agwa ◴[25 Jul 23 14:51 UTC] No.36863130[source]
There are two reasons this is not comparable to the remote attestation proposal that Google is currently proposing:

1. The only things that WebPKI CAs are required to attest to is that domain validation was properly completed and that the private key is not compromised. The system is designed (in both intent and practice) for any website to be able to easily get a certificate, and even the most untrustworthy, undesirable websites can and do get certificates on the regular. In contrast, Google's remote attestation proposal is clearly intended to assess the trustworthiness/desirability of the client.

2. The TLS requirement imposes a burden on website operators but provides a clear benefit for end users, which is totally in line with the Internet's Priority of Constituencies[1]. In contrast, Google's attestation proposal places a burden on end uses for the benefit of website operators, which violates the Priority of Constituencies.

Additionally, I must note that Firefox also requires a TLS certificate for HTTP/3 (as they did for HTTP/2). Not sure why you'd omit Mozilla from your list of browser makers doing this, but it's a misrepresentation to imply that this is something only "mega-corp browsers" do, when there is actually broad agreement that this is a good thing.

[1] https://datatracker.ietf.org/doc/html/rfc8890

replies(2): >>36863474 #>>36870009 #
17. cyberax ◴[25 Jul 23 14:51 UTC] No.36863143{3}[source]
Why? Just skip the CA verification when you use HTTP/3. Done.

While this is less secure than a verified certificate, it still avoids plaintext on the wire and requires an active MITM to eavesdrop.

18. packetlost ◴[25 Jul 23 14:52 UTC] No.36863145{7}[source]
Oh cool, I couldn't find those on Google. I'll check them out
19. detourdog ◴[25 Jul 23 15:09 UTC] No.36863452{3}[source]
I think the whole changing identity all the time is the exact opposite of a human system. The type of system only a computer could love.

This seems like a such a wrong headed approach. LetsEncrypt favors constantly changing magic handshakes over long term good social behavior.

Imagine a network where machines that misbehaved were ostracised instead of being able to register certificates frequently.

I see the promise in the Fediverse as it's ability to develop reputations.

20. oceanplexian ◴[25 Jul 23 15:10 UTC] No.36863474[source]
All of these proposals are in fact the same thing. They're designed to obfuscate, complexify, and over-engineer the Internet to fuck people over. I don't care if my Magic the Gathering fan site has an auto-rotated 3 month expiry TLS certificate to "protect" the users. Those of us who have been online before the 21st Century see this exactly for what it is. A cash grab and a increasing mechanisms to tighten the screws of monopolies like AWS, Google, Apple, and Microsoft, and to lock down our devices and the web into a walled garden that only the tech giants can control.
replies(1): >>36863666 #
21. Avamander ◴[25 Jul 23 15:23 UTC] No.36863666{3}[source]
> I don't care if my Magic the Gathering fan site has an auto-rotated 3 month expiry TLS certificate to "protect" the users.

You don't based on your threat model. Other people have other threat models. I don't want potentially tampered/malicious content/JavaScript hitting my browser, I can also simply not visit your site. Such a simplification can not be made on the wide (and hostile) web. TLS is trivial enough to be the norm.

We can also draw parallels with food safety. Feel free to cook whatever you wish however you wish at your own home. If you want to offer it to people passing by on the street you have to follow food safety rules.

22. tehbeard ◴[25 Jul 23 15:30 UTC] No.36863765{5}[source]
So the gripe is TLS then, because that cert is less about attestation and more not wanting Verizon et al. to inject ads or snoop your data between customer and server.

Attestation is at best a transient side effect of proving your ownership/control of a domain name...

There's perhaps better ways for you to articulate this point I think you are trying to make of "closed club" of Certificate Authorities.

That said a basic google search demolishes that point with there being alternatives to LE.

Also bemoaning the 90 day period seems really weird.

23. seabass-labrax ◴[25 Jul 23 16:35 UTC] No.36865061{4}[source]
I think that Let's Encrypt gets a lot of undeserved criticism for being the only major ACME-compatible CA. Yes, it's not so good to have monopolies on authenticity, but Let's Encrypt was founded by Mozilla, the EFF and the University of Michigan and was endorsed by the FSF.

That's a pretty good set of organisations when considering the general status of the internet, and a set that doesn't overlap with the major players in consumer technology (Apple, Microsoft and Google).

24. superkuh ◴[25 Jul 23 21:45 UTC] No.36870009[source]
Because Mozilla didn't create QUIC or push the QUIC based HTTP/3 through the IETF like Google and Microsoft did. If anything I should've left out Apple, not added Mozilla. But yeah, Mozilla is using the same HTTP/3 libs as everyone else so it's browser is inherently broken too.

But this only becomes a serious problem when HTTP/1.1 support is removed. Mozilla will never remove HTTP/1.1 support from Firefox. Google/Microsoft/Apple are chomping at the bit to remove HTTP/1.1 from their products.

replies(1): >>36871494 #
25. agwa ◴[26 Jul 23 00:15 UTC] No.36871494{3}[source]
Mozilla was the first browser maker to announce an intent to deprecate non-secure HTTP[1]. Even if they keep HTTP/1.1 support, at some point they will require TLS for it, just as they already do for HTTP/2. This is not something new with HTTP/3 nor is it some big-corp conspiracy.

[1] https://blog.mozilla.org/security/2015/04/30/deprecating-non...

replies(1): >>36884425 #
26. superkuh ◴[26 Jul 23 20:24 UTC] No.36884425{4}[source]
Well shit. I'm wrong and things at Mozilla are much worse than I imagined.

re: HTTP/2, yes, everyone is well aware it didn't allow HTTP connections from the start. But there was no risk of HTTP/1.1 going away at that time. And you can technically still use a non-CA self signed cert for the implementations of HTTP/2 in major browsers. But it is also a bad protocol like HTTP/3.

I have no idea what conspiracy theory stuff you're going on about. People just haven't thought through the consequences of these design decisions outside of their work headspace bubble. Much like with WEI.