Most active commenters
  • Arch-TK(4)
  • wkat4242(3)
  • TeMPOraL(3)

←back to thread

.INTERNAL is now reserved for private-use applications

(www.icann.org)
563 points joncfoo | 20 comments | 09 Aug 24 16:36 UTC | HN request time: 0.917s | source | bottom
Show context
8organicbits ◴[09 Aug 24 22:03 UTC] No.41205729[source]
My biggest frustration with .internal is that it requires a private certificate authority. Lots of organizations struggle to fully set up trust for the private CA on all internal systems. When you add BYOD or contractor systems, it's a mess.

Using a publicly valid domain offers a number of benefits, like being able to use a free public CA like Lets Encrypt. Every machine will trust your internal certificates out of the box, so there is minimal toil.

Last year I built getlocalcert [1] as a free way to automate this approach. It allows you to register a subdomain, publish TXT records for ACME DNS certificate validation, and use your own internal DNS server for all private use.

[1] https://www.getlocalcert.net/

replies(12): >>41206030 #>>41206106 #>>41206231 #>>41206513 #>>41206719 #>>41206776 #>>41206828 #>>41207112 #>>41208240 #>>41208353 #>>41208964 #>>41210736 #
1. wkat4242 ◴[10 Aug 24 01:37 UTC] No.41206719[source]
The problem with internal CAs is also that it's really hard to add them on some OSes now. Especially on android since version 7 IIRC, you can no longer get certs into the system store, and every app is free to ignore the user store (I think it was even the default to ignore it). So a lot of apps will not work with it.
replies(2): >>41207082 #>>41208303 #
2. Terr_ ◴[10 Aug 24 03:25 UTC] No.41207082[source]
Speculating a bit out of my depth here, but I'm under the impression that most of those sometimes-configurable OS-level CA lists are treated as "trust anything consistent with this data", as opposed to "only trust this CA record for these specific domain-patterns because that's the narrow purpose I chose to install it for."

So there are a bunch of cases where we only want the second (simpler, lower-risk) case, but we have to incur all the annoyance and risk and locked-down-ness of the first use-case.

replies(1): >>41208549 #
3. thaumasiotes ◴[10 Aug 24 09:19 UTC] No.41208303[source]
> The problem with internal CAs is also that it's really hard to add them on some OSes now. Especially on android since version 7 IIRC

That's because the purpose of certificate pinning is to protect software from the user. Letting you supply your own certificates would defeat the purpose of having them.

replies(3): >>41208737 #>>41208743 #>>41210474 #
4. 8organicbits ◴[10 Aug 24 10:28 UTC] No.41208549[source]
Yes! Context specific CA trust would be great, but AFAIK isn't possible yet. Even name constraints, which are domain name limitations a CA or intermediate cert place on itself, are slowly being supported by relevant software [1].

As a contractor, I'll create a per-client VM for each contract and install any client network CAs only within that VM.

[1] https://alexsci.com/blog/name-non-constraint/

5. okanat ◴[10 Aug 24 11:21 UTC] No.41208737[source]
Protect the software from the user? Why are you giving them the software then?
replies(3): >>41208848 #>>41208936 #>>41208942 #
6. Arch-TK ◴[10 Aug 24 11:22 UTC] No.41208743[source]
Certificate pinning and restricting adding custom certificates to your OS except if you're using MDM are two completely unrelated things. Overriding system trust doesn't affect certificate pinning and certificate pinning is no longer recommended anyway.
replies(1): >>41209950 #
7. TeMPOraL ◴[10 Aug 24 11:56 UTC] No.41208848{3}[source]
Most software is tools of control and exploitation, and remains in an adversarial relationship with its users. You give software to users to make them make money for you; you protect the software from users so they don't cut you out, or use software to do something you'd rather they don't do.

Software that isn't like that is in a minority, and most of it is only used to build software that is like that.

replies(2): >>41209321 #>>41213802 #
8. evandrofisico ◴[10 Aug 24 12:13 UTC] No.41208936{3}[source]
For example, to make it harder to reverse engineer the protocol between the app and the server.
9. noirscape ◴[10 Aug 24 12:14 UTC] No.41208942{3}[source]
A lot of mobile software is just a UI around an external web API. The main reason why Android makes it difficult to get the OS to accept an external certificate (you need root for it) is because without it, you can just do a hosts hack through a vpn/dns to redirect it to your own version of that API. Which app manufacturers want to prevent since it's a really easy way to snoop on what endpoints an app is calling and to say, build your own API clone of that app (which is desirable if you're say, selfhosting an open source server clone of said software... but all the official applications are owned by the corporate branch and don't let you self-configure the domain/reduce the experience when you point it to a selfhosted domain).

It's extremely user-hostile since Android has a separate user store for self-signed CAs, but apps are free to ignore the user store and only accept the system store. I think by default only like, Chrome accepts the user store?

replies(1): >>41214844 #
10. cobbal ◴[10 Aug 24 13:29 UTC] No.41209321{4}[source]
It's interesting that cert pinning cuts both ways though. It can also be a tool to give users power against the IT department (typically indistinguishable from malware)
replies(1): >>41210412 #
11. freedomben ◴[10 Aug 24 14:54 UTC] No.41209950{3}[source]
They are certainly different things, but they're not unrelated. The inability of the user to change the system trust store is part of why certificate pinning is no longer (broadly) recommended.
replies(1): >>41213279 #
12. TeMPOraL ◴[10 Aug 24 16:05 UTC] No.41210412{5}[source]
Cert pinning often annoyingly works against both - software devs are a third party to both the organizational users and their IT dept overlords.

Trusted computing is similar, too. It's a huge win for the user in terms of security, as long as the user owns the master key and can upload their own signatures. If not, then it suddenly becomes a very powerful form of control.

The more fundamental issue is the distinction between "user" and "owner" of a computer - or its component, or a piece of software - as they're often not the same people. Security technologies assert and enforce control of the owner; whether that ends up empowering or abusive depends on who the owners are, and why.

replies(1): >>41213787 #
13. kbolino ◴[10 Aug 24 16:14 UTC] No.41210474[source]
Isn't certificate pinning on the way out? e.g. https://blog.cloudflare.com/why-certificate-pinning-is-outda...
14. Arch-TK ◴[11 Aug 24 00:59 UTC] No.41213279{4}[source]
Certificate pinning is mainly an obstacle to using an intercepting proxy to inspect and modify the traffic of an application. If you're doing that kind of stuff you already know how to bypass the annoying OS level certificate store restrictions or how to modify an application to disable certificate pinning. The reason certificate pinning is no longer broadly recommended is because of how it makes it more difficult to rotate certificates in the case of necessity, and has nothing to do with the restrictions certain operating systems place on easy installation of your own certificates.
15. wkat4242 ◴[11 Aug 24 03:21 UTC] No.41213787{6}[source]
> The more fundamental issue is the distinction between "user" and "owner" of a computer - or its component, or a piece of software - as they're often not the same people.

Often? Only really in the case of a corporate computer. But Android locks these things down for everyone. In fact corporate owners can do things normal users can't.

For example I've heard (not confirmed) that with a Knox license you can add root CAs on Samsung. I don't think it's still possible with other MDMs or other vendors.

replies(1): >>41214231 #
16. wkat4242 ◴[11 Aug 24 03:26 UTC] No.41213802{4}[source]
True. It's almost never to the benefit of the user. The same with "attestation" technologies.
17. TeMPOraL ◴[11 Aug 24 05:51 UTC] No.41214231{7}[source]
> Often? Only really in the case of a corporate computer.

On the contrary, that's the more common case. It's the case with any computer at work (unless you're IT dept), in any work - there's hardly a job now that doesn't have one interacting with computers in some form or fashion, and those computers are very much not employee-owned. Same is the case in school setting, and so on. About the only time you can expect to own a computer is when you bought it yourself, with your own cash. The problem is, even when you do, everything is set up these days to deny you your ownership rights.

18. Arch-TK ◴[11 Aug 24 08:43 UTC] No.41214844{4}[source]
Android locking the system certificate store has nothing to do with preventing people from intercepting app traffic for the purpose of inspecting an application and everything to do with preventing people from accidentally installing a malicious certificate which allows part or all their traffic to be MITM-ed.
replies(1): >>41215815 #
19. thaumasiotes ◴[11 Aug 24 12:56 UTC] No.41215815{5}[source]
Those are literally the same thing.
replies(1): >>41221384 #
20. Arch-TK ◴[12 Aug 24 05:36 UTC] No.41221384{6}[source]
No, there are legitimate reasons to install a certificate to intercept traffic as an owner of a device. But the same tools can be abused by malware and by malicious actors to intercept traffic. Its the same in a strictly technical sense but not the same in the intent sense. The intent is to prevent malicious abuse of the feature, not justified non-malicious use. It helps make it harder to intercept application traffic but this is not the intent of the restriction, merely an unintended consequence.