Comment by josephcsible
3 years ago
> This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.
The word "only" is doing a lot of work there.
3 years ago
> This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.
The word "only" is doing a lot of work there.
Not really. I do the same thing, but I do not use squid. Learning how to operate a localhost proxy is not particularly difficult compared to, say, learning programming languages. The later is a topic people on HN discuss ad nauseum. No one questions when someone lists the computer languages they know and claims they can learn a new language in X minutes or a weekend or whatever.
Just because someone does not know how to do something does not mean it is difficult. It just means they did not try to learn how to do it. This is very common comment on HN. It's quite silly.
Learning how to set up a localhost proxy on a laptop is far easier than learning a programming language. But it is not something that many people on HN want to learn, cf., e.g., programming languages.
>Just because someone does not know how to do something does not mean it is difficult. It just means they did not try to learn how to do it. This is very common comment on HN. It's quite silly.
Honestly, whats even more common and more silly are these kinds of comments:
"blah blah blah its easy, i did it blah blah i don't understand the problem"
Ever consider that other people are somehow different than you? Have different strengths, weaknesses and abilities? Have different needs from software? It's like, why do we even make software, you could just learn binary duh.
Every user is different. But software developers commenting on HN like to assume one size fits all. Perhaps this makes sense if they are getting paid from advertising. If every user is doing something different instead of all looking at the same website, using the same app, watching the same video, repeating the same meme, using the same few browsers on the same few operating systems, etc., then advertisers are less interested in throwing money away on "advertising services" from so-called "tech" companies.
I'm not talking about how difficult it is to set up a proxy. I meant that getting someone else's computer to accept a rogue root CA is a big deal, so saying an attack "only" needs that to happen is misleading.
> getting someone else's computer to accept a rogue root CA is a big deal
IMO not necessarily. See this part of what I said:
> telling their users to trust a certificate signed by them, without properly explaining the consequences of that. And a lot of novice users would likely use that proxy service. Gleefully unaware that even the “encrypted” traffic is completely visible to the proxy.
But in addition to that, note that where I was using the word “only” was specifically in the part of my comment where I was talking about how I set up Squid for myself using my own Raspberry Pi and my own personal computer.
I guess I misunderstood.
Yeah, I've thought about having a CA for my home LAN services, and then have my phone and laptop trust that CA, but I'm terrified of the possibility that my CA could be compromised, and then someone could intercept my traffic to my bank or whatever.
So I just put up with clicking through the TLS cert errors every now and then.
I have a CA for home services and was worried about this, so I use name constraints to limit the domains that it is allowed to sign certs for.
This blog (not mine) goes into how to do it: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-...
That's a neat idea! I looked into name constraints many years ago, and at the time, no common browser or TLS library supported it; glad to see that that has changed.
With ubiquitous support, I hope that one day we'll be able to routinely get "subdomain CA certificates" issued by something like Letsencrypt, just like it's already possible to get wildcard certificates.
3 replies →
A DIY CA is pretty easy to airgap: keep it on hardware that isn't your daily driver and only has a minimal/secure OS with no network connectivity. Anything you have lying around can do it: like an outdated laptop or SBC.
Even just using a VM for the CA would likely be sufficient. Only fire it up for signing, then keep its storage encrypted. I do this on my Proxmox server.
This, to me, is worth it for local stuff. The trusted self CA certs are better than blindly trusting an invalid cert, and some browsers require trusted certs to autofills passwords.
I used to do the same, but these days, getting TLS certificates for local services is actually not that hard anymore.
If you have local DNS, you can e.g. request a wildcard subdomain Letsencrypt certificate and then distribute the corresponding key and certificate to your LAN hosts.
maybe just use LAN as it was intended? wired!? sounds as stupid as it get's to have something that can replace valid certs on your system.