Comment by codetrotter
3 years ago
> for HTTPS, they usually can only support transparent byte relaying anyway.
On my LAN I run Squid on a Raspberry Pi, and have my personal laptop configured to use that as an HTTP and HTTPS proxy.
All TLS HTTP connections going through the Squid proxy are intercepted.
This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.
Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that. And a lot of novice users would likely use that proxy service, gleefully unaware that even the “encrypted” traffic is completely visible to the proxy.
In fact, I would be extremely surprised if there aren’t a whole gazillion of services out there doing exactly that.
But in many jurisdictions running a service like that would likely be cybercrime. And even if it wasn’t illegal, it’s still not nice. So, you know, don’t go and actually create a service like that.
> This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.
The word "only" is doing a lot of work there.
Not really. I do the same thing, but I do not use Squid. Learning how to operate a localhost proxy is not particularly difficult compared to, say, learning programming languages. The latter is a topic people on HN discuss ad nauseam. No one questions when someone lists the computer languages they know and claims they can learn a new language in X minutes or a weekend or whatever.
Just because someone does not know how to do something does not mean it is difficult. It just means they did not try to learn how to do it. This is a very common comment on HN. It's quite silly.
Learning how to set up a localhost proxy on a laptop is far easier than learning a programming language. But it is not something that many people on HN want to learn, cf., e.g., programming languages.
> Just because someone does not know how to do something does not mean it is difficult. It just means they did not try to learn how to do it. This is a very common comment on HN. It's quite silly.
Honestly, what's even more common and more silly are these kinds of comments:
"blah blah blah its easy, i did it blah blah i don't understand the problem"
Ever consider that other people are somehow different than you? Have different strengths, weaknesses and abilities? Have different needs from software? It's like, why do we even make software, you could just learn binary duh.
1 reply →
I'm not talking about how difficult it is to set up a proxy. I meant that getting someone else's computer to accept a rogue root CA is a big deal, so saying an attack "only" needs that to happen is misleading.
2 replies →
Yeah, I've thought about having a CA for my home LAN services, and then having my phone and laptop trust that CA, but I'm terrified of the possibility that my CA could be compromised, and then someone could intercept my traffic to my bank or whatever.
So I just put up with clicking through the TLS cert errors every now and then.
I have a CA for home services and was worried about this, so I use name constraints to limit the domains that it is allowed to sign certs for.
This blog (not mine) goes into how to do it: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-...
4 replies →
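As an added illustration of the name-constraints approach mentioned above (example code written for this page, not from the commenter or the linked blog): a throwaway CA is created with a critical nameConstraints extension limiting it to the made-up zone `.home.example`, and openssl verify is then used to show that a certificate it signs for an out-of-zone name is rejected even though the CA key signed it. Assumes openssl is installed.

```shell
#!/bin/sh
# Added example: a home CA restricted by X.509 nameConstraints, plus a
# verify step showing the constraint is enforced. ".home.example" is a
# constructed zone name; the CA key should live offline in practice.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# CA config: critical nameConstraints so the CA is only valid for *.home.example.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Home Lab CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.home.example
EOF

# Self-signed CA certificate and private key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 365 -config ca.cnf >/dev/null 2>&1

# Issue a leaf certificate for the DNS name $1 from this CA, then verify it
# against the CA. Returns 0 when the chain verifies, non-zero otherwise
# (an out-of-zone name fails with "permitted subtree violation").
issue_and_verify() {
  name=$1
  openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
    -subj "/CN=$name" -config ca.cnf >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$name" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$name.crt" -days 90 -extfile "$name.ext" >/dev/null 2>&1
  openssl verify -CAfile ca.crt "$name.crt" >/dev/null 2>&1
}

# In-zone name verifies; a bank-like name is rejected despite a valid signature.
issue_and_verify nas.home.example
echo "nas.home.example: accepted"
if issue_and_verify www.bank.example; then
  echo "www.bank.example: unexpectedly accepted"
else
  echo "www.bank.example: rejected by name constraint"
fi
```

A browser or OS that honours name constraints behaves the same way, so a leaked CA key of this kind cannot be used to mint a trusted certificate for a name outside the permitted zone.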
A DIY CA is pretty easy to airgap: keep it on hardware that isn't your daily driver and only has a minimal/secure OS with no network connectivity. Anything you have lying around can do it: like an outdated laptop or SBC.
Even just using a VM for the CA would likely be sufficient. Only fire it up for signing, then keep its storage encrypted. I do this on my Proxmox server.
This, to me, is worth it for local stuff. The trusted self-CA certs are better than blindly trusting an invalid cert, and some browsers require trusted certs to autofill passwords.
I used to do the same, but these days, getting TLS certificates for local services is actually not that hard anymore.
If you have local DNS, you can e.g. request a wildcard subdomain Let's Encrypt certificate and then distribute the corresponding key and certificate to your LAN hosts.
Maybe just use LAN as it was intended? Wired!? Sounds as stupid as it gets to have something that can replace valid certs on your system.
> Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that.
Somebody already did do this, except as a paid service, and had their special 'client' simulate user clicks to install the self-signed root CA cert in your OS' cert store for you.
Interesting, it would have to be a pretty invasive client to do that. Usually installing a cert is accompanied by a lot of very loud warnings on modern OSes. So the end user would have to first give this software the permission to click around on their desktop for them without fully understanding the implications. Which does seem plausible.
Adding trusted certificates in Firefox directly, instead of at the OS level, is very straightforward. It requires a few clicks and does not shout too much.
I prefer using Firefox on my laptop so I didn’t check to see what the process is like for Chrome-based browsers to add trusted certificates (or if Chrome-based browsers only use OS-level certs).
But at least with Firefox, the user doesn’t have to go fiddling with OS level stuff.
OSes weren't always so modern.
No. You put it public, get a public domain > valid cert from a trusted list of CAs that Google and Mozilla treat as trustworthy; look at them. There are more problematic than unproblematic.