undefined | Better HN

0 pointsWowfunhappy1y ago0 comments

• It allows retro computers to connect.

• It allows very low power embedded devices to connect without extra overhead.

• It's not a real security concern if you're on a private network.

0 comments

rascul1y ago

> • It's not a real security concern if you're on a private network.

I'm not convinced that private networks should be assumed secure by default.

TeMPOraL1y ago

It's definitely not improving security when, in order for a website to interact with an API that both are hosted on my private network, possibly even on the same machine, I need to set up publicly accessible DNS entries and/or hosting my own resolver. That and CORS makes local-first anything a huge PITA.

Jach1y ago

I setup a photo viewing web service running locally on my home computer, now I can access my photos over HTTP from my phone when I'm out and about. Both devices are on the same Tailscale network. If I can't trust in the security of that, HTTPS isn't going to help me, and the security of viewing my photos is the least of my concerns. But sure, in other contexts (like an enterprise company), some thought should be given to what's possible when the attacker is inside the corporate VPN since that's all too easy.

Control88941y ago

Perhaps, but the other realistic option is a self-signed cert. Since browsers refuse to implement any kind of TOFU or otherwise 'trust history', a self-signed cert is pretty much exactly equivalent to no TLS at all.

zzo38computer1y ago

Yes, I think these are valid reasons.

If you are still concerned, you can make API keys that have been registered by TLS to require TLS, while those that haven't, do not require TLS.

(However, the note about private networks only applies if you run the service yourself. Sometimes this will be the case, though. Even then, the administrators can configure it to use TLS if this is desired.)

j / k navigate · click thread line to collapse