[yjftsjthsd-h]

So for RFC 1918 addresses (10/8, 192.168/16, 172.16/12) I would argue that it is unsafe, or at least the browser/machine can't tell that it's safe; AIUI there's generally nothing on a standard home wifi network that would stop one device (coffee maker, visiting cousin's cheap unbranded tablet) from watching all local traffic (definitely recording, not sure about spoofing). So it's an unlikely threat model for most people, but it is real.

Actual localhost traffic that never leaves your machine.... yeah, I can't think of a case where that would ever matter. If something can intercept that you have bigger problems:)

[Thorrez]

>Actual localhost traffic that never leaves your machine

Unless you run

ssh servera -L 8080:serverb:80

I sometimes do this if there's a firewalled serverb that I can't access that's running a webserver, and a non-firewalled servera that I have ssh access and can access serverb.

Then you can open http://localhost in your browser and talk to serverb. If you want HTTPS to work, then ideally you'll map serverb to 127.0.0.1 in your /etc/hosts so that its HTTPS certificate matches the host, or use --host-resolver-rules="MAP serverb 127.0.0.1" as a Chrome commandline flag. Of course then you're no longer using localhost in the host.

[2Gkashmiri]

come on. by that point you are explaining something weird. my question is this. if i set up nginx/apache2 on my local network to serve a webpage, or i have a plex server or something similar or say nextcloud or whatever people self host these days, why should i be forced to have https?

that data wont be leaving my subnet if at all anything more so whats the threat model for a local only service?

also, i am not talking about "critical infra"

[jeroenhd]

You don't need to enable HTTPS for those use cases. Your Plex and Nextcloud will work just fine.

If you configure your server to send a HSTS header, though, you're telling your browser to only trust HTTPS connections for that domain from then on. That's what's happening here, and that's something you just… shouldn't do, I guess? If I tell my browser to permanently redirect localhost to Google.com, there's no reason why I should be mad at my browser for listening to my perma redirect.

HTTP traffic is a bigger problem in huge, flat, corporate networks, running intranet services with routes spanning several locations. At any time a hacker could be listening in an exfiltrating company logins. Also think about the Snowden slides, where the NSA intercepted unencrypted traffic over Google's internal network. Local network encryption is essential in those use cases and relatively easy to set up.

[Thorrez]

>my subnet

That's not localhost. One threat model is some IoT device you have attached to your wifi gets hacked. Or your wifi has a weak password and it gets hacked. Or a guest that you let onto your wifi has a devices that's been hacked.

[2Gkashmiri]

look, isnt the responsibility of preventing coffee maker from accessing your local data on the admin?

>So it's an unlikely threat model for most people, but it is real.

today, what kind of local network service can a person set up that people can intercept and snoop on? its not like i am talking about accessing payment gateways or anything, just local services. if there is something that "needs" security, dont you think the technically inclined would have it on that and leave the rest as is because its a bit more effort for what benefit?