Basically, yes. Browser vendors have had an agreement for some time now to only expose new APIs in secure contexts in order to encourage HTTPS adoption.
I am in agreement with wyager, this feature looks like it could be heavily beneficial to a shipping company's internal web app for instance, or other applications that could be running completely isolated from the global network (or running on the machine itself for that matter).
Forcing https in these applications is a waste of time and money for orthogonal purposes. I guess it could be seen as a cost of dev. for any web based application from now on, but it's sad to me to see the barrier to entry get higher for these reasons.
I've had the same issue, but mostly for home lab type stuff. Even if you set up an internal CA and all the trappings, you still have a root cert problem. For consumer devices without easy access to certificate stores, it gets complicated fast.
Maybe the state of the art has changed since the last time I looked, but it would be really nice to have something as easy as Lets Encrypt for private tools while at the same time not exposing internal network details.
External wildcard cert? Maybe it’s different in smaller shops, but it’s just as easy for me to get an internal cert as it is to get an external cert. Only annoying part about our shop is a hard req fit EV certs, so no ACME.
You can use a public CA like LetsEncrypt then. Exposes you to the certificate log but you should be secured already anyways. Just have to use the DNS challenge (unless you wanna poke a hole for certbot) to grab it
And people wonder why ioshit devices are all so cloud dependent. I just want my microwave to talk to my refrigerator (or whatever). But they have to use https, because. And the cert has to expire every 90 days, because. So now I provision a kitchen full of stuff with AWS creds so they can respond to DNS challenges to get those certs.
So much simpler for everything to revert to client only mode and route all messages through a server 3000 miles away. Until they pull the plug and nothing works at all.
This is why I hate privacy first thinking. The IoT is a big deal. I own basically nothing that has electricity that wouldn't be slightly to majorly improved, at low cost, by IoT.
So... lets... make the tech that powers it not suck, so we can stop with all this analog business.
Why would you ever want your microwave to talk to your fridge? Imo the real reason IOT is such a shit show is because it's being crammed into every device without any actual benefit to the end user.
DNS challenge is easy to pass and automate if you can programmatically add txt records to your DNS zone. Every major cloud provider supports this with command line tools, so it's a matter of moving the DNS zone there and writing a shell script and a cron item in the worst case.
I had a chance to skim through the link you posted - they are doing the http challenge verification (in step 6) for some reason which involves forwarding their domain into their internal network.
The DNS methods we already mentioned does not involve any of that - just a simple zone file change or a few clicks in a web UI to add a new record.
For those whooshed by the reference, it's about the iPhone's antenna design flaw that Jobs poopooed on stage, to silently get it fixed on the next version.
It seems we're agreeing it's an actual issue that would merit to be fixed.
I'm not sure I feel great about gating feature A behind completely unrelated feature B just because manufacturers like feature B. Even if feature B is concretely pretty good (which is debatable for https as it exists now), this seems bad on principle.
It's not always necessary. Think fully offline networks that can't/won't use a CA anyway, or networks where physical/machine access is the intended layer of security (a web server running on localhost).
In these scenarios a self-signed certificate will rarely improve security because most users will click through the warning anyway in case of an MITM attack.
Users should not have to rely on the network being isolated for security.
Even when I have an offline network, I still use SSH whenever possible.
Yes, I don't benefit from initial verification, but I pin the certificate from then on.
I don't think that the current "all or nothing" paradigm that we use with SSL in browsers makes any sense.
I have been really disappointed over the last few years deploying network connected devices and trying to make their services available in a secure way.
It is not really possible for ipcams, routers, etc to offer services in HTTPS in a semi-online network. There should be a kind of 'encrypted but unverified' mode.
Even the worst failure mode is no worse than a plaintext connection.
Let’s say I sell a physical device that allows you to use a browser as its UI. You just plug an Ethernet cable and point your browser to its web server.
Security is done by physical access. Anything else is just extra complexity and points of failure, and if an attacker can get physical access to the LAN cable, he can just as well walk to the machine directly and change the settings on the control panel.
HTTPS, with its current UX, would be a net negative in this case.
> HTTPS, with its current UX, would be a net negative in this case.
I would just replace "HTTPS" with "SSH", and see if that statement is still reasonable.
Even though SSH is not perfect when you can't verify the initial connection to a host on a local network, using TELNET instead is not a solution.
I have yet to hear a reason why HTTP is better than self signed and pinned HTTPS; why possibly insecure is worse than insecure.
The only justifications I have heard are UX justifications, and those are really just a critique of the UX, not the protocol.
> Security is done by physical access. Anything else is just extra complexity and points of failure, and if an attacker can get physical access to the LAN cable, he can just as well walk to the machine directly and change the settings on the control panel.
That is an extremely fragile solution.
By default ethernet is very open. It is very easy to bridge it with other devices or routers to announce themselves and start routing. It happens all the time on what are supposed to be closed networks, I've seen it.
And many networks are semi-offline. You may need to have limited internet access. Or the network configuration may change in the future.
Browsers make an exception for localhost and treat it as a secure context.
It's also possible to get a certificate from a CA using any public IP address, and then reuse that cert for LAN. Certs are bound to domain names, not IP addresses.
Why should an org expose details of private infrastructure publicly? For anyone with more than a few internal tools this becomes untenable or unreasonable quickly and sharing a wildcard cert has diminishing returns as its shared between apps, teams, etc.
If it helps, it really doesn’t care what certificate the page it signed with, whether that be localhost, Mozilla CA participants, or maybe even a future CA fork for Russia if that happens. Plaintext HTTP is just not advisable even on a private network when some inline network device like LAN turtle could be passively exfiltrating traffic.
The browser security model is trivially defeated without the usage of https. IT is not an orthogonal or unrelated feature.
Making all new API development available only when content is delivered via a mechanism that provides the foundation for the rest of web security is good engineering practice.
Forcing https in these applications is a waste of time and money for orthogonal purposes. I guess it could be seen as a cost of dev. for any web based application from now on, but it's sad to me to see the barrier to entry get higher for these reasons.