NASA guy to White House: Be really careful with that HTTPS stuff

A webserver and database administrator at NASA has penned an epic plea on the White House's GitHub repository to include a waiver process as part of the HTTPS-Only project, which is intended to improve security for citizens visiting federal websites, but may interfere with niche services. Joe Hourclé has taken to GitHub to …

  1. Anonymous Coward

    Or, here's a thought...

    We could get governments to stop abusing constitutional powers and downright ignoring personal privacy.

    I know. Wild concept.

  2. Chris T Almighty

    Vested interest?

    Call me a cynic, but I'm guessing a lawmaker is about to land a well paid directorship at a certificate authority.

  3. Anonymous Coward

    HTTPS? Welcome to the last decade.

    HTTPS had its place and time, but for general use it is now almost obsolete given that:

    1. It doesn't offer deniability. This means, anyone can see that A is connecting to B.

    2. It is trivial to defeat by subverting the certification process, as shown by Lenovo and a number of network equipment manufacturers.

    Even though there are perfectly adequate uses for it (e.g., in RESTful APIs), given that the biggest challenge to privacy and security emanates these days from institutional actors, who are most interested in 1. and perfectly capable of 2., HTTPS for the sake of HTTPS borders on the pointless.

    1. Paul

      Re: HTTPS? Welcome to the last decade.

      Before you get as far as HTTP or HTTPS, the computer will do a DNS lookup which will tell you what website the user is trying to access.

      The HTTP connection is to an IP address, so that doesn't say too much, although SNI can occur in which case someone snooping learns something about what website the user is accessing.

      1. Anonymous Coward

        Re: HTTPS? Welcome to the last decade.

        > Before you get as far as HTTP or HTTPS, the computer will do a DNS lookup

        Yeah, good point about DNS. The above scenario was under the assumption of a simplistic and perhaps somewhat unlikely TCP port 80 intercept.

  4. Dan Paul

    Personal Security Certificate

    Just wait until all the whining brings the advent of the "Personal Security Certificate" which you will have to purchase every year in order to be allowed to use the Internet. It will be as difficult to get as a new Social Security Number, get melded into a "National Identity Card", give the alphabet agencies your real identity immediately, and automatically stamps "666" into the back of your head in the middle of the night.

    All that and it will cost at least $100.00 annually. And it still won't be enough identification to allow online voting as it would prevent dead people from voting.

    Papers please!

    1. Anonymous Coward

      Re: Personal Security Certificate

      > Just wait until all the whining brings the advent of the "Personal Security Certificate"

      I have the impression you may know this already, but HTTPS does allow client authentication, and it is not infrequently used, e.g., in banking, government services, intranets, APIs, etc.

      It is in fact very common in Baltic countries, but not only. I have two government issued X.509 certificates from countries where I used to live that were used in exactly the way you describe (the physical tokens double as ID cards). It works OK for those limited cases where authentication really is necessary, such as filing taxes or requesting personal records, or banking, but one needs to remember to pull the card out of the reader as soon as one is finished (also, configuring your browser to ask you every time which certificate to present) as otherwise nothing prevents https://allyourdataarebelongto.us from sucking that information as soon as you navigate to their site to check the latest cat pictures.

  5. TeeCee Gold badge
    Facepalm

    the HTTPS-Only website's claims that "there is no such thing as insensitive web traffic".

    Presumably the people behind this are bureaucrats rather than techies, hence the fatuous bollocks.

    1. Robert Helpmann??
      Childcatcher

      bureaucrats rather than techies

      Presumably the people behind this are bureaucrats rather than techies, hence the fatuous bollocks.

      TeeCee, I will go you one further: there will be a waiver process, but the only waivers that will be granted are to the very government web sites that the process originally was meant to address because it would cause too much disruption to the customers and it entails a lot of work for the developers to implement HTTPS. After that, there will be an audit which will precipitate the immediate and ill-planned roll-out of the protocol resulting in many government portals going dark for weeks.

      1. chris 17 Silver badge

        Re: bureaucrats rather than techies

        It's trivial to put a load balancer or other device that can do https in front of the target http server(s).

        Making a mountain out of a mole hill this is.

        1. Anonymous Coward

          Re: bureaucrats rather than techies

          Tried the load balancer approach recently. Good idea, should've been easy, but no such luck.

  6. AnoniMouse

    So Google Ads all delivered via HTTPS. Web browsing slows down because of all those HTTPS connects. And - guess who - Google have just the answer: QUIC. How fortunate for ... Google.

    HTTPS-only is a mixed blessing, since it protects the bad as well as the good: it will be all the easier for barbed Ads to reach their targets.

    1. Paul

      QUIC has been deprecated in favour of HTTP2

      1. A Known Coward

        No it hasn't, Google are seeking to make QUIC the successor to HTTP2 and are pushing for standardisation. Additionally they are converting all Android and Chrome apps using Google services over to use QUIC instead of HTTP (1 or 2).

  7. Mark 85

    I've seen it happen in both government and when I worked for a university,

    Ah.. there's the problem. Not of the real world... So maybe the government and all the universities need to drop any pretext of security then....

  8. Your alien overlord - fear me

    I think it's an admin from the NSA, not NASA because it's easier to spy on the innocent using http.

  9. Mike 16

    So, Instead

    of the terrifying prospect of somebody, somewhere, knowing I sometimes visit static pages about such esoterica as computing history or steam engines, those sites should just disappear for want of willingness or ability to pay the right bribes to the right gate-keepers. Right.

    Yes, I know "it will all get better and eventually be sorted out". A dollar for every time I've heard _that_ from a techno-hustler and I'd be able to retire. Oh, I am retired.

  10. Kevin McMurtrie Silver badge

    No middle road to stop the man in the middle

    What the Internet really needs is widely supported digital signature standards. Most content is not private - you just don't want anyone altering the content during transport. A really, really simple way to do this for HTTP 1.1 content would be to add a digest field to chunked encoding headers. You'd get backwards compatibility, streaming support, and an insignificant protocol overhead.

    1. David Dawson

      Re: No middle road to stop the man in the middle

      With a clear text protocol it's then trivial to alter the digest in flight.

      To make this work, you need to establish a cryptographic chain of trust to ensure that the server you think is sending you data actually is.

      Establishing that trust is the key, and is what ssl certs are used for. You delegate trust to a central authority that acts as a mediator. That they are also used to establish a fully encrypted transport is a separate thing to my mind.

      All the financial and operational costs will still be there. The minimal runtime overhead of always on encryption won't be, but it's really small.
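
The exchange above, worked through as an added example (not code from either commenter): a chunk carrying a plain SHA-256 digest still verifies after an on-path rewrite, while a keyed tag does not. The `digest` chunk-extension name, the sample content and the key are constructed, and HMAC with a pre-shared key stands in for a signature checked against a certificate chain.

```python
import hashlib
import hmac

EXT = "digest"  # hypothetical chunk-extension name (";name=value" after the size)

def sha256_tag(data: bytes) -> str:
    """Unkeyed digest: anyone who can see the data can compute it."""
    return hashlib.sha256(data).hexdigest()

def make_hmac_tag(key: bytes):
    """Keyed tag: only holders of `key` can compute it (stand-in for a signature)."""
    return lambda data: hmac.new(key, data, hashlib.sha256).hexdigest()

def encode_chunk(data: bytes, tag_fn) -> bytes:
    """One HTTP/1.1 chunk: <hex size>;digest=<tag> CRLF <data> CRLF."""
    head = f"{len(data):x};{EXT}={tag_fn(data)}\r\n".encode("ascii")
    return head + data + b"\r\n"

def decode_chunk(wire: bytes):
    """Return (data, tag) or raise ValueError on a malformed chunk."""
    head, rest = wire.split(b"\r\n", 1)
    size_hex, _, ext = head.partition(b";")
    size = int(size_hex, 16)
    name, _, value = ext.partition(b"=")
    if name != EXT.encode() or rest[size:size + 2] != b"\r\n":
        raise ValueError("malformed chunk")
    return rest[:size], value.decode("ascii")

def verify_chunk(wire: bytes, tag_fn) -> bool:
    data, tag = decode_chunk(wire)
    return hmac.compare_digest(tag, tag_fn(data))

def rewrite_in_transit(wire: bytes, new_data: bytes) -> bytes:
    """A device on the path knows no secret, so it can only recompute the public digest."""
    decode_chunk(wire)  # it can read the original chunk in clear text
    return encode_chunk(new_data, sha256_tag)

ORIGINAL = b"Launch window opens 14:00 UTC"  # constructed sample content
MODIFIED = b"Launch window opens 19:00 UTC"

def demo() -> dict:
    keyed_tag = make_hmac_tag(b"constructed-demo-key")
    plain = encode_chunk(ORIGINAL, sha256_tag)
    keyed = encode_chunk(ORIGINAL, keyed_tag)
    return {
        "plain_accepts_rewrite": verify_chunk(rewrite_in_transit(plain, MODIFIED), sha256_tag),
        "keyed_accepts_original": verify_chunk(keyed, keyed_tag),
        "keyed_accepts_rewrite": verify_chunk(rewrite_in_transit(keyed, MODIFIED), keyed_tag),
    }

if __name__ == "__main__":
    print(demo())
```

The keyed case only moves the problem to how the client learns which key to trust, which is the role the certificate chain plays in HTTPS.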

  11. Velv
    Boffin

    While I get where he's coming from, through his own arguments he's shot himself in the foot.

    "Due to many institutions having policies against FTP and peer-to-peer protocols, HTTP has become the de facto standard in sharing scientific data."

    So, the argument is that some organisations need a waiver policy to permit FTP and peer-to-peer (and any other traffic type) depending on the requirements of the application (and I mean proper requirements like time critical delivery and minimal packet size, not just lazy coders who can't be arsed to learn about security when it's actually important). p.s. Those protocols may be secured on dedicated networks or in many other ways

    1. strum

      >So, the argument is that some organisations need a waiver policy to permit FTP and peer-to-peer

      No. That isn't his argument. His argument is that many computers (libraries, schools, etc.) are locked down to forbid FTP & peer-to-peer, HTTP is the only viable transport for these computers to use.

      1. Anonymous Coward

        That's Velv's argument, and I'll second it. The web is not the internet - no need to play ball with bureaucrats who insist it is. Let their censored networks become useless.

  12. I. Aproveofitspendingonspecificprojects

    The Register was unable to contact NASA as of publication.

    Please explain.
