
HTTPS-only is problematic 

Eric Meyer published an article about how HTTPS disallows the caching that enables internet access in places that depend on satellite internet. It's yet another unforeseen consequence of choices made that aim to make the web safer and why diversity matters in tech.

In addition, I've always felt that this new push for HTTPS only depends on a free service - Let's Encrypt, and that's inherently problematic. What if Let's Encrypt shuts down? (SPOF)

meyerweb.com/eric/thoughts/201

HTTPS-only is problematic 

Before someone says "Let's Encrypt is not the only free SSL provider anymore," I want to say that I know that. I'm saying that, what if some legislation is passed in some country that doesn't allow their citizens to use free SSL providers? Hypothetically. It could happen. That would mean that the only way to create websites in that country would be to pay. Before Let's Encrypt, SSL certs cost $36 to over $200 yearly. That's a big, big barrier to entry.


HTTPS-only is problematic 

I'm by no means a network expert and I have a lot to learn about this topic.
Thanks to those offering insight and information that I can follow up on later. For me the concern is very much, how can we make information more available for people with minimum access and training? How can we reduce barriers to entry? My comment about Let's Encrypt is somewhat hypothetical but Eric Meyer's article is about something real affecting people today. I want equal access to information.


Center equity of access to information 

Thanks to those who provided avenues of research. I agree we should move away from CAs and towards decentralization. However I'm more concerned with promoting equity of access to information than I am with adhering to a principle of decentralization. If proposed solutions to security and networking problems don't center or even address global inequitable access to information, how can they end up being anything but inequitable? End


HTTPS-only is problematic 

@stephen

But that's true (SPOF) for all certs certified by a CA.

And really things should be HSTS only and quite a bit stricter about key management, transport, and ciphers and key length. Also should expire regularly.

HTTPS-only is problematic 

@stephen assuming you have users that agree to the loss in privacy involved, this particular problem - local caching - can be fixed by installing a local cert (self-signed ok) in browsers and having the proxy do ssl interception using that cert.

Users need to have full trust in the proxy operator, tho, since there's no way to say "this connection is really important and shouldn't be intercepted".

Apps using pinned keys are still problematic.

HTTPS-only is problematic 

@stephen We could have HTTPS without AC, with DANE. Then, Let's Encrypt would no longer be relevant.

HTTPS-only is problematic 

@stephen another problem is that HTTPS is a family of protocols and encryption mechanisms and they always change. Sites start to block the oldest protocols. So there is no "one" HTTPS.

There is

Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256

But there is also TLSv1.0 DES-CBC3-SHA

HTTPS-only is problematic 

@saper @stephen It will be very hard today, even in the most remote place of Uganda, to find a TLS client or server which cannot do better than DES :-)

HTTPS-only is problematic 

@bortzmeyer @stephen Try to connect somewhere with IE6 on XP or older Android ....

HTTPS-only is problematic 

@saper @stephen I know the problem with my old Fairphone 1, stuck with Android 4.2. But DES.. This is a bit exaggerated.

HTTPS-only is problematic 

@bortzmeyer @stephen No, I am not talking about DES in particular here. Many sites now want to have an "A" in the SSL Labs test and disable old and broken protocols. I understand the reasons, but that breaks connectivity (combined with forced HTTPS) COMPLETELY, and there is no fallback to unsecure HTTPS or plain HTTP. Unfortunately unsecure HTTPS has to be avoided due to downgrade attacks (those can hurt everyone), but alternative HTTP could be made available in many cases.

HTTPS-only is problematic 

@saper @stephen I'm afraid it's the cost of security. Countries with poor connectivity (Africa) are also countries where the ISPs routinely hijack HTTP to add ads.

HTTPS-only is problematic 

@bortzmeyer @stephen It's all relative and a question of priorities. I was once traveling somewhere and was stuck with some old Android device and it was much more important to find critical information to get out of trouble (contacts, travel information, etc.) than security. I just needed *any bits* of information *fast*.

HTTPS-only is problematic 

@saper @stephen The problem is that as soon as you allow insecure connections, you open the way to downgrade attacks. There is no way to limit the downgrade to cases like yours.

HTTPS-only is problematic 

@bortzmeyer @stephen The only thing that would worry me is downgrade from port 443 to 80...

HTTPS-only is problematic 

@bortzmeyer

I can only speak to my experiences, and that is only Verizon and Comcast have injected unwanted ads & JavaScript. Never once have I experienced that over four providers in Somaliland, DjibTel, either Du or Etisalat (essentially the same) in UAE, or the three providers I used in Malawi.

This ad injection and DNS query mining is very much a developed Western telecom thing, IME.

@saper @stephen

HTTPS-only is problematic 

@aag @bortzmeyer @stephen

I can add Safaricom (superb provider!) to this list.

HTTPS-only is problematic 

@stephen Why bashing HTTPS and not the ads (also non-cacheable since they are customized for each user)?

HTTPS-only is problematic 

@stephen while I agree that HTTPS everywhere is counterproductive in some areas, there does exist a solution to the problems of CAs. DANE

HTTPS-only is problematic 

@stephen TLS 1.3 has many ways to improve the latency, and QUIC will probably do even better. Of course, deployment will take time...

@stephen imo https and tls aren't the problem per se--tcp is

I would love to see evaluations of quic over satellite links

HTTPS-only is problematic 

@stephen as a side note, the latest push also tends to crap on devices that are unable to support the latest encryption standards... in some cases that's a feature, not a bug, but i still run into it when certain sites only allow the latest and greatest and i'm rockin a win 98 browser

HTTPS-only is problematic 

@Xkeeper I think there's not enough focus on making web content accessible to people who don't have the latest and greatest. I appreciate this a lot. ^^^

HTTPS-only is problematic 

@stephen
The article doesn't seem valid. It doesn't even specify which caching is implied. Browsers cache HTTPS content the same way they do with HTTP, and caching proxies are easily set up as well, you just need to add a certificate to your browser. Service workers have no relation to the issue at all.

And regarding a possible LE shutdown, that's probably the best thing to happen eventually, as it would make the switch from CAs to a fully decentralized solution inevitable.

HTTPS-only is problematic 

@stephen I've got 4:1 that LetsEncrypt shuts down in another two years' time.

Center equity of access to information 

@stephen does https offer anything in read-only sites? Privacy? ISP doesn't already know the requests made?

HTTPS-only is problematic 

@stephen What also if we don't trust Let's Encrypt at all, not any more than all the weird governmental CAs in the root authorities of our browsers? No, let's all hail Let's Encrypt, they're doing such a fine job at making our Internet a better place. Still don't understand why the certificate of my own root CA didn't make it to Mozilla's list 🤔

@stephen I only partially agree with the sentiments: HTTPS surfaces a problem, but it is one of proxies not making /reasonable/ cert- and trust- forwarding straightforward.

With easy and sane configs, the problem would (largely) resolve.

HTTPS-only is problematic 

@stephen what I still don’t get about that article is: when did browser caches stop existing??

HTTPS-only is problematic 

@stephen
MonkeySign is a pretty good solution for the SPOF thing.

A similar method could also solve caching. A line might get added to the HTTP headers containing a signature of the content. This makes it possible to ditch HTTPS for certain traffic but still ensure data integrity. But then again, there must be a way to verify such signatures.
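
An added sketch of the signed-content idea in the post above (not part of the original post, and not MonkeySign's or any project's code): the origin signs each response with Ed25519, a plain-HTTP cache stores it, and the client verifies before use. The header name `x-content-signature`, the paths and the sample bodies are assumptions made up for this example.

```javascript
const crypto = require("crypto");

// Hypothetical header name for this sketch; not a registered HTTP header.
const SIG_HEADER = "x-content-signature";

// Bind the URL path to the body (length-prefixed) so a cache cannot serve a
// validly signed body under a different URL.
function signedBytes(path, body) {
  const p = Buffer.from(path, "utf8");
  const len = Buffer.alloc(4);
  len.writeUInt32BE(p.length);
  return Buffer.concat([len, p, Buffer.from(body, "utf8")]);
}

// Origin side: sign once; any plain-HTTP cache can then store and replay it.
function signResponse(path, body, privateKey) {
  const sig = crypto.sign(null, signedBytes(path, body), privateKey);
  return { body, headers: { [SIG_HEADER]: sig.toString("base64") } };
}

// Client side: fail closed. A missing or malformed header is a rejection,
// otherwise an intermediary could strip the header to disable the check.
function verifyResponse(path, response, publicKey) {
  const value = response.headers[SIG_HEADER];
  if (typeof value !== "string") return false;
  const sig = Buffer.from(value, "base64");
  if (sig.length !== 64) return false; // Ed25519 signatures are 64 bytes
  return crypto.verify(null, signedBytes(path, response.body), publicKey, sig);
}

// Constructed sample data. The client is assumed to already hold the origin's
// public key through some trusted channel, the open question the post ends on.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const path = "/alerts/today";
  const cached = signResponse(path, "<p>Road closed after flooding</p>", privateKey);
  const modified = { ...cached, body: cached.body + "<p>inserted by an intermediary</p>" };
  const stripped = { ...cached, headers: {} };
  return {
    intact: verifyResponse(path, cached, publicKey),
    modifiedBody: verifyResponse(path, modified, publicKey),
    wrongUrl: verifyResponse("/alerts/yesterday", cached, publicKey),
    headerStripped: verifyResponse(path, stripped, publicKey),
  };
}

console.log(demo());
```

This gives integrity only: the cache and anyone on the path can still read the request and response, and an old signed copy stays valid unless a timestamp or expiry is added to the signed bytes.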

HTTPS-only is problematic 

@stephen Eric Meyer is extremely diverse I guess.
