by Joker_vD 491 days ago
TLS is not an end goal in itself, we don't use it simply because "TLS is double-plus-good, raw HTTP is crimethink", sorry, because it's a "best practice" (whatever that term actually means): we use it because it provides us with transport layer security against some specific threats. What threats do your proposed approaches help to secure against, except "developers have mental ability to set up and use a configuration that'd be insecure in prod"? The only even remotely reasonable threat I can think of is the scenario in which your network hardware manufacturer (be it Cisco, or Huawei, or whatever) is wiretapping you. Indeed, it is a valid threat for e.g. Google (PRISM does exist) which is why they've switched to using TLS everywhere. But aside from that?

> TLS is not an end goal in itself

Correct. Can you point out on the dolly where I said otherwise?

> The only even remotely reasonable threat … But aside from that?

You either didn't read what I said properly, or are deliberately misreading it.

I didn't suggest using TLS properly in dev was for specific threat protection in dev environments, but for stopping dumbed down things in dev accidentally getting out into prod, and that it is “practice for best practice in production”.

Unless of course someone has (or thinks they have!) reason to breach commonly accepted good practice and have real data in dev, in which case dev is a de facto production environment from a security standpoint.

> "best practice" (whatever that term actually means)

It is a well understood term. I'll not spend my time explaining it as you'll easily find that information elsewhere if you care to.