undefined | Better HN

0 pointsst3fan2y ago0 comments

Because you wrote HTTPS in italic .. HTTPS doesn't mean anything. Both the good and bad actors can have perfectly valid HTTPS configured. It is not a good indicator of trustworthiness of the actual thing you download.

0 comments

hn_throwaway_992y ago

> HTTPS doesn't mean anything.

That's not accurate at all. HTTPS should mean "we've validated that the content you're receiving comes from the registered domain that you've hit". Yes, it's possible that the domain host itself was compromised, or that the domain owner himself is malicious, but at the end of the day you have to trust the entity you're getting the content from. HTTPS says, importantly, "You're getting the content from whom you think you're getting it from."

st3fanOP2y ago

Yes but we abandoned that idea a while ago. There are no more green locks in browsers. Nobody buys those expensive certificates that proof ownership. When you curl something it doesn't show anything unless it is an actual invalid certificate.

You are correct that it _should mean_ but reality today is that it doesn't mean anything.

yjftsjthsd-h2y ago

No, it still means that you've connected to the domain that you wanted to connect to and the connection is reasonably resistant to MITM attacks. It doesn't say anything about who controls the domain, but what it provides still isn't nothing.

1 more reply

funcDropShadow2y ago

But by using GPG to check the authenticity of the actual files that are downloaded, we can remove the web site -- whether https is sufficienctly secure or not -- from the trust chain all together. The shorter the trust chain, the better.

electroly2y ago

> HTTPS says, importantly, "You're getting the content from whom you think you're getting it from."

You need certificate pinning to know this for sure, due to the existence of MITM HTTPS spoofing in things like corporate firewalls. HTTPS alone isn't enough; you have to confirm the certificate is the one you expected. (You can pin the CA cert rather than the leaf certificate if you want, if you trust the CA; that still prevents MITM spoofing.)

brirec2y ago

I’m not aware of any HTTPS MITM that can function properly without adding its own certificate to the trusted roots on your system (or dismissing a big red warning for every site), so I don’t think certificate pinning is necessary in such an environment (if the concern is MITM by a corporate firewall).

An attacker would still need to either have attacked the domain in question, or be able to forge arbitrary trusted certificates.

yjftsjthsd-h2y ago

If an attack requires compromising my operating system certificate store, I'm reasonably comfortable excluding it from most of my threat models.

1 more reply

j / k navigate · click thread line to collapse

0 comments

hn_throwaway_992y ago

> HTTPS doesn't mean anything.

st3fanOP2y ago

You are correct that it _should mean_ but reality today is that it doesn't mean anything.

yjftsjthsd-h2y ago

1 more reply

funcDropShadow2y ago

electroly2y ago

> HTTPS says, importantly, "You're getting the content from whom you think you're getting it from."

brirec2y ago

An attacker would still need to either have attacked the domain in question, or be able to forge arbitrary trusted certificates.

yjftsjthsd-h2y ago

If an attack requires compromising my operating system certificate store, I'm reasonably comfortable excluding it from most of my threat models.

1 more reply

j / k navigate · click thread line to collapse