Most active commenters
  • bruce511(3)

←back to thread

.INTERNAL is now reserved for private-use applications

(www.icann.org)
563 points joncfoo | 25 comments | 09 Aug 24 16:36 UTC | HN request time: 1.242s | source | bottom
Show context
8organicbits ◴[09 Aug 24 22:03 UTC] No.41205729[source]
My biggest frustration with .internal is that it requires a private certificate authority. Lots of organizations struggle to fully set up trust for the private CA on all internal systems. When you add BYOD or contractor systems, it's a mess.

Using a publicly valid domain offers a number of benefits, like being able to use a free public CA like Lets Encrypt. Every machine will trust your internal certificates out of the box, so there is minimal toil.

Last year I built getlocalcert [1] as a free way to automate this approach. It allows you to register a subdomain, publish TXT records for ACME DNS certificate validation, and use your own internal DNS server for all private use.

[1] https://www.getlocalcert.net/

replies(12): >>41206030 #>>41206106 #>>41206231 #>>41206513 #>>41206719 #>>41206776 #>>41206828 #>>41207112 #>>41208240 #>>41208353 #>>41208964 #>>41210736 #
yjftsjthsd-h ◴[10 Aug 24 00:33 UTC] No.41206513[source]
Do you mean to say that your biggest frustration with HTTPS on .internal is that it requires a private certificate authority? Because I'm running plain HTTP to .internal sites and it works fine.
replies(6): >>41206577 #>>41206657 #>>41206669 #>>41208198 #>>41208358 #>>41210486 #
1. lysace ◴[10 Aug 24 00:51 UTC] No.41206577[source]
There's some every packet shall be encrypted, even in minimal private VPCs lore going on. I'm blaming PCI-DSS.
replies(5): >>41206652 #>>41206686 #>>41206797 #>>41207668 #>>41207971 #
2. bruce511 ◴[10 Aug 24 01:13 UTC] No.41206652[source]
The big problem with running unencrypted HTTP on a LAN is that it's terribly easy for (most) LANs to be compromised.

Let's start with the obvious; wifi. If you're visiting a company and ask the receptionist for the wifi password you'll likely get it.

Next are eternity ports. Sitting waiting in a meeting room, plug your laptop into the ethernet port and you're in.

And of course it's not just hardware, any software running on any machine makes the LAN just as vulnerable.

Sure, you can design a LAN to be secure. You can make sure there's no way to get onto it. But the -developer- and -network maintainer- are 2 different guys, or more likely different departments. As a developer are you convinced the LAN will be as secure in 10 years as it is today? 5 years? 1 year after that new intern arrives and takes over maintainence 6 weeks in?

What starts out as "minimal private VPC" grows, changes, is fluid. Treating it as secure today is one thing. Trusting it to remain secure 10 years from now is another.

In 99.9% of cases your LAN traffic should be secure. This us the message -developers- need to hear. Don't rely on some other department to secure your system. Do it yourself.

replies(4): >>41207245 #>>41207321 #>>41207535 #>>41212678 #
3. kortilla ◴[10 Aug 24 01:25 UTC] No.41206686[source]
Hoping datacenter to datacenter links are secure is how the NSA popped Google.

Turn on crypto, don’t be lazy

replies(1): >>41206832 #
4. yarg ◴[10 Aug 24 02:02 UTC] No.41206797[source]
Blame leaked documents from the intelligence services.

No one really bothered until it was revealed that organisations like the NSA were exfiltrating unencrypted internal traffic from companies like Google with programs like PRISM.

replies(1): >>41208794 #
5. otabdeveloper4 ◴[10 Aug 24 02:13 UTC] No.41206832[source]
Pretty sure state-level actors sniffing datacenter traffic is literally the very last of your security issues.

This kind of theater actively harms your organization's security, not helps it. Do people not do risk analysis anymore?

replies(5): >>41206889 #>>41208432 #>>41208868 #>>41210156 #>>41213945 #
6. shawnz ◴[10 Aug 24 02:34 UTC] No.41206889{3}[source]
Taking defense in depth measures like using https on the local network is "theatre" that "actively harms your organization's security"? That seems like an extreme opinion to me.

Picking some reasonable best practices like using https everywhere for the sake of maintaining a good security posture doesn't mean that you're "not doing risk analysis".

replies(1): >>41208731 #
7. gorgoiler ◴[10 Aug 24 04:06 UTC] No.41207245[source]
Well said. I used to be of the mindset that if I ran VLANs I could at least segregate the good guys from the evil AliExpress wifi connected toasters. Now everything feels like it could become hostile at any moment and so, on that basis, we all share the same network with shields up as if it were the plain, scary Internet. It feels a lot safer.

I guess my toaster is going to hack my printer someday, but at least it won’t get into my properly-secured laptop that makes no assumptions the local network is “safe”.

8. slimsag ◴[10 Aug 24 04:31 UTC] No.41207321[source]
Also, make sure your TLS certificates are hard-coded/pinned in your application binary. Just like the network, you really cannot trust what is happening on the user's system.

This way you can ensure you as the developer have full control over your applications' network communication; by requiring client certificates issued by a CA you control, you can assert there is no MITM even if a sysadmin, user, or malware tries to install a proxy root CA on the system.

Finally, you can add binary obfuscation / anticheat mechanisms used commonly in video games to ensure that even if someone is familiar with the application in question they cannot alter the certificates your application will accept.

Lots of e.g. mobile banking apps, etc. do this for maximal security guarantees.

replies(4): >>41207549 #>>41207722 #>>41208226 #>>41208246 #
9. Spooky23 ◴[10 Aug 24 05:29 UTC] No.41207535[source]
The big issue with encrypted HTTP on the local LAN is that you’re stuck running a certificate authority, ignoring TLS validation, or exposing parts of your network in the name of transparency.

Running certificate authority is one of those a minute to learn, lifetime to master scenarios.

You are often trading “people can sniff my network scenario” to a “compromise the CA someone setup 10 years ago that we don’t touch” scenario.

replies(1): >>41209487 #
10. PokestarFan ◴[10 Aug 24 05:34 UTC] No.41207549{3}[source]
At some point you have to wonder if your app even matters that much.
replies(1): >>41209507 #
11. laz ◴[10 Aug 24 06:10 UTC] No.41207668[source]
Exactly what an NSA puppet account would say!

Don't believe the hype. Remember the smiley from "SSL added and removed here"

https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-her...

replies(1): >>41219942 #
12. frogsRnice ◴[10 Aug 24 06:28 UTC] No.41207722{3}[source]
Pinning is very complex, there is always the chance that you forget to update the pins and perform a denial of service against your own users. At the point where the device itself is compromised, you can’t really assert to anything. Furthermore, there is always the risk that your developers implement pinning incorrectly and introduce a chain validation failure.

Lots of apps use the anticheat/obfuscation mechanisms added by mobile apps are also trivial to bypass using instrumentation - ie frida codeshare. I know you aren’t implying that people should use client side controls to protect an app running on a device and an environment that they control, but in my experience even some technical folk will try and to do this

13. unethical_ban ◴[10 Aug 24 07:42 UTC] No.41207971[source]
That's some "it's okay to keep my finger on the trigger when the gun is unloaded" energy.
14. swiftcoder ◴[10 Aug 24 08:58 UTC] No.41208226{3}[source]
In practice pinning tends to be very "best effort", if not outright disadvantageous.

All our apps had to auto-disable pinning less than a year after the build date, because if the user hadn't updated the app by the time we had to renew all our certs... they'd be locked out.

Also dealt with the fallout from a lovely little internet-of-things device that baked cert pinning into the firmware, but after a year on store shelves the clock battery ran out, so they booted up in 1970 and decided the pinned certs wouldn't become valid for ~50 years :D

15. Too ◴[10 Aug 24 09:04 UTC] No.41208246{3}[source]
This is way overkill, unless you are making a nuclear rocket launch application. If you can not trust the system root CA, the whole internet breaks down.

You will also increase the risk that your already understaffed ops-team messes up and creates even worse exposure or outages, while they are trying to figure out what ssl-keygen does.

16. soraminazuki ◴[10 Aug 24 09:58 UTC] No.41208432{3}[source]
NSA sniffs all traffic through various internet choke points in what's known as upstream surveillance. It's not just data center traffic.

https://www.eff.org/pages/upstream-prism

These kind of risks are obvious, real, and extensively documented stuff. I can't imagine why anyone serious about improving security for everyone would want to downplay and ridicule it.

17. the8472 ◴[10 Aug 24 11:19 UTC] No.41208731{4}[source]
I have seen people disabling all cert validation in an application because SSL was simultaneously required and no proper CA was provided for internal things. The net effect was thus that even the traffic going to the internet was no longer validated.
18. baq ◴[10 Aug 24 11:42 UTC] No.41208794[source]
Echelon was known about before Google was even a thing. I remember people adding Usenet headers with certain keywords. Wasn’t much, but it was honest work.
19. TimTheTinker ◴[10 Aug 24 11:58 UTC] No.41208868{3}[source]
Found the NSA goon.

Seriously, your statement is demonstrably wrong. That's exactly the sort of traffic the NSA actively seeks to exploit.

20. bruce511 ◴[10 Aug 24 13:49 UTC] No.41209487{3}[source]
I agree that setting up a self-signed CA is hard, and harder to keep going.

However DNS challenge allow for you to map an internal address to an IP number. The only real information that leaks is the subnet address of my LAN. And given the choice of that or unencrypted traffic I'll take that all day long.

21. bruce511 ◴[10 Aug 24 13:51 UTC] No.41209507{4}[source]
The App probably not. The server maybe, the data probably.
22. kortilla ◴[10 Aug 24 15:23 UTC] No.41210156{3}[source]
It’s not theatre, it’s real security. And state level actors are absolutely not the only one capable of man in the middle attacks.

You have:

- employees at ISPs

- employees at the hosting company

- accidental network misconfigurations

- one of your own compromised machines now part of a ransomware group

- the port you thought was “just for internal” that a dev now opens for some quick testing from a dev box

Putting anything in open comms is one of the dumbest things you can do as an engineer. Do your job and clean that shit up.

It’s funny you mention risk analysis, plaintext traffic is one of the easiest things to compromise.

23. xp84 ◴[10 Aug 24 22:23 UTC] No.41212678[source]
For most purposes, when wishing for non-HTTPS, we are talking about development or maybe a staging server of some sort. Maybe if we had state secrets people would be trying to plug into the lan to snoop the traffic, but for 99.99% of developers the traffic between a testing instance and them is the most worthless thing ever. Worst case you might find out what features we will release to the app in 2 weeks. The conflation of “SSL” with “cybersecurity” is unfortunate.
24. unethical_ban ◴[11 Aug 24 04:16 UTC] No.41213945{3}[source]
Caring excessively about certain metrics while neglecting real security is harmful.

Encrypting all network traffic between endpoints does nothing to actively harm security.

25. lysace ◴[11 Aug 24 23:18 UTC] No.41219942[source]
This "NSA puppet" is all for encrypting traffic between networks.

;-)