←back to thread

543 points gslin | 1 comments | | HN request time: 0.212s | source
Show context
pests ◴[] No.42191619[source]
It feels like just yesterday I was paying for certs, or worst, just running without.

Can't believe its been ten years.

replies(1): >>42191666 #
ozim ◴[] No.42191666[source]
Can’t believe there are still anti TLS weirdos.
replies(7): >>42191688 #>>42191718 #>>42191893 #>>42192714 #>>42192733 #>>42193057 #>>42193614 #
Pannoniae ◴[] No.42191893[source]
TLS is not panacea and it's not universally positive. Here are some arguments against it for balance.

TLS is fairly computationally intensive - sure, not a big deal now because everyone is using superfast devices but try browsing the internet with a Pentium 4 or something. You won't be able to because there is no AES instruction set support accelerating the keyshake so it's hilariously slow.

It also encourages memoryholing old websites which aren't maintained - priceless knowledge is often lost because websites go down because no one is maintaining them. On my hard drive, I have a fair amount of stuff which I'm reasonably confident doesn't exist anywhere on the Internet anymore.... if my drives fail, that knowledge will be lost forever.

It is also a very centralised model - if I want to host a website, why do third parties need to issue a certificate for it just so people can connect to it?

It also discourages naive experimentation - sure, if you know how, you can MitM your own connection but for the not very technical but curious user, that's probably an insurmountable roadblock.

replies(7): >>42191942 #>>42192026 #>>42192088 #>>42192426 #>>42192479 #>>42193243 #>>42203762 #
ozim ◴[] No.42192426[source]
*It also discourages naive experimentation* that's the point where if you put on silly website no one can easily MitM it when its data is sent across the globe and use 0-day in browser on "fluffy kittens page".

Biggest problem that Edward Snowden uncovered was - this stuff was happening and was happening en-mass FULLY AUTOMATED - it wasn't some kid in basement getting MitM on your WiFi after hours of tinkering.

It was also happening fully automated as shitty ISPs were injecting their ads into your traffic, so your fluffy kittens page was used to serve ads by bad people.

There is no "balance" if you understand bad people are going to swap your "fluffy kittens page" into "hardcore porn" only if they get hands on it. Bad people will include 0-day malware to target anyone and everyone just in case they can earn money on it.

You also have to understand don't have any control through which network your "fluffy kitten page" data will pass through - malicious groups were doing multiple times BGP hijacking.

So saying "well it is just fluffy kitten page my neighbors are checking for the photos I post" seems like there is a lot of explaining on how Internet is working to be done.

replies(1): >>42192545 #
account42 ◴[] No.42192545[source]
> It also discourages naive experimentation that's the point where if you put on silly website no one can easily MitM it when its data is sent across the globe and use 0-day in browser on "fluffy kittens page".

Transport security doesn't make 0-days any less of a concern.

> It was also happening fully automated as shitty ISPs were injecting their ads into your traffic, so your fluffy kittens page was used to serve ads by bad people.

That's a societal/legal problem. Trying to solve those with technological means is generally not a good idea.

> There is no "balance" if you understand bad people are going to swap your "fluffy kittens page" into "hardcore porn" only if they get hands on it. Bad people will include 0-day malware to target anyone and everyone just in case they can earn money on it.

The only people who can realistically MITM your connection are network operators and governments. These can and should be held accountable for their interference. You have no more security that your food wansn't tampered with during transport but somehow you live with that. Similarly security of physical mail is 100% legislative construct.

> You also have to understand don't have any control through which network your "fluffy kitten page" data will pass through - malicious groups were doing multiple times BGP hijacking.

I don't but my ISP does. Solutions for malicious actors interfering with routing are needed irrespective of transport security.

> So saying "well it is just fluffy kitten page my neighbors are checking for the photos I post" seems like there is a lot of explaining on how Internet is working to be done.

Not at all - unless you are also epecting them to have their fluffy kitten postcards checked for Anthrax. In general, it is security people who often need to touch grass because the security model they are working with is entirely divorced from reality.

replies(3): >>42192804 #>>42193262 #>>42193846 #
ozim ◴[] No.42192804[source]
All I got from your explanation is:

I am going to cross the street in front of that speeding car because driver will be held liable when I get hit and die.

If there is not even a possibility to hijack the traffic whole range of things just won’t happen. And holding someone liable is not the solution.

replies(2): >>42192863 #>>42192864 #
1. wizzwizz4 ◴[] No.42192863[source]
Technological measures don't make things impossible: they make them harder. And they rarely solve all the consequences of a problem: only the ones that have been explicitly identified.