
246 points nh2 | 9 comments
1. Wowfunhappy ◴[] No.41913728[source]
Is there really any benefit of this over just using HTTP?

What is the threat model in which an attacker could MitM your internal network?

replies(5): >>41913783 #>>41913784 #>>41915125 #>>41915370 #>>41915882 #
2. 8organicbits ◴[] No.41913783[source]
I travel between networks with my phone and laptop. Software will ping out using whichever network I'm on, trying to connect to its backend. If I connect to hostile/compromised WiFi, those connections are at risk.
3. feirlane ◴[] No.41913784[source]
One use case I hit just recently is web apps hosted in my internal network without HTTPS: Firefox won't allow me to click the "copy to clipboard" buttons on those pages.
4. poincaredisk ◴[] No.41915125[source]
>What is the threat model in which an attacker could MitM your internal network?

Police raid on your home/company. Malware on a router. Malicious actor in the server room. Possibilities are endless.

SSL added and removed here ;-)

(this is a reference, look it up if you don't recognize it)

replies(2): >>41915343 #>>41916818 #
5. cesarb ◴[] No.41915343[source]
> Malware on a router.

It doesn't even have to be on the router, just the same network segment plus some ARP spoofing tricks (assuming your switch doesn't have ARP spoofing protections or they haven't been enabled) could be enough to MitM a connection.
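Added illustration (not from any commenter): a small Python detector that parses ARP replies and flags an IP whose claimed MAC changes, which is the symptom a defender watches for on a segment without switch-side ARP inspection. The frames are constructed in the script; the gateway address and MACs are made-up sample values.

```python
"""Flag conflicting ARP 'is-at' replies on a LAN segment (constructed sample
frames, not a live capture). Complements, not replaces, switch features such
as Dynamic ARP Inspection mentioned above."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2      # ARP opcode 'is-at'

def build_arp_reply(sender_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes) -> bytes:
    """Construct an Ethernet frame carrying an ARP reply (test data only)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, frame[22:28], frame[28:32]

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def detect_arp_conflicts(frames: List[bytes]) -> List[str]:
    """Walk replies in order; alert when an IP is re-claimed by another MAC.
    Caveat: DHCP churn or router failover (VRRP) also moves an IP, so treat an
    alert as a lead to confirm, especially for the gateway address."""
    seen: Dict[str, str] = {}
    alerts: List[str] = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sha, spa = parsed
        ip, mac = ip_str(spa), mac_str(sha)
        prev = seen.setdefault(ip, mac)
        if prev != mac:
            alerts.append(f"{ip} moved from {prev} to {mac}")
            seen[ip] = mac
    return alerts

def sample_frames() -> List[bytes]:
    """Constructed scenario: gateway 192.168.1.1 answers a host, then the same
    IP is announced from a different (hypothetical) MAC."""
    gw, host, rogue = bytes.fromhex("aaaaaaaaaa01"), bytes.fromhex("aaaaaaaaaa02"), bytes.fromhex("deadbeef0001")
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
    return [build_arp_reply(gw, gw_ip, host, host_ip),
            build_arp_reply(host, host_ip, gw, gw_ip),
            build_arp_reply(rogue, gw_ip, host, host_ip)]
```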

6. NotPractical ◴[] No.41915370[source]
* Some functionality is off-limits for sites loaded via HTTP. (Another commenter mentioned clipboard access.)

* Browsers will display annoying warning symbols whenever you try to access sites via HTTP.

* If you live in a shared living space such as an apartment you probably don't have control over your home network.

* Even if you have control over your network, a single compromised IoT device is enough to sniff your internal network traffic, assuming WPA2. (Probably not super likely tbh.)

7. yjftsjthsd-h ◴[] No.41915882[source]
Can't any client on the same wifi read your traffic by just putting their wifi card into promiscuous mode? Obviously depends on who uses your wifi and your threat model, but that seems like a problem.
replies(1): >>41918180 #
8. marginalia_nu ◴[] No.41916818[source]
Router malware is the one thing out of those things that seems plausible.

If you have physical access, TLS isn't much protection against eavesdropping. At that point they can just compromise your hardware instead.

9. NotPractical ◴[] No.41918180[source]
Yes, on WPA2. WPA3 introduced per-client encryption keys.