Could you explain that? I thought that if DNS were spoofed then people could be redirected anywhere else, no matter what the certificate said. I thought that could be mitigated by CAA records, but that too could be spoofed, eg, by your service provider.
How do I prevent the government of China from MITM-ing access to my web site from someone in China, using a Chinese mobile phone with certificates pre-installed and automatically by the local Chinese telco?
"This seems like a very strange semantic argument"
I think you're making the strange argument. If I get a "free" cell phone which has a modified browser that inserted ads when viewing my web site, then from the customer's view those ads are on my site, right?
But of course there's nothing I can do about that. Nor can you.
So why place the responsibility on me?
"if the only broadband provider that serves your area injects ads on non-secured pages"
Have you not seen all of the ads for systems like SecureVPN?
"pervasive passive surveillance"
One of the pervasive passive surveillance attacks mentioned in the ietf link is traffic analysis, which I mentioned earlier. Can you guarantee that if I simply switch to https then the NSA could not use traffic analysis to figure out what users access from my static-pages, public-facing web site?
Do you seriously think the NSA hasn't automated something as simple as remembering download sizes for each page, for a large number of web sites, in order to infer things like this? So do my readers gain any additional security against NSA surveillance by switching to https?
Don't forget that my service provider (in the US) can be forced to reveal details and do tracing without telling me, including providing clear-text access to the logs.
Since I cannot defend against NSA surveillance on my readers, I have to choose a threat model where I can make a difference.
And I can't figure out who I should care to thwart, where https would make a meaningful difference.
Clearly there are web providers which can and should use https to protect privacy against non-nation-state actors. Passwords, money, and the ability to insert code without review are three things which change the balance.
But I don't see any benefit for my basic blog site that's been around for 20 years, and there appears to be a (small?) negative.
> "That's what certificates are for" Could you explain that? I thought that if DNS were spoofed then people could be redirected anywhere else, no matter what the certificate said.
This suggests you are not very familiar with how HTTPS works. I'll give you the short version, but I'd suggest you do a lot more reading into how TLS, public key cryptography, and certificate authorities work.
Every site that wants to use HTTPS (in a way that doesn't trigger massive warnings in the client browser) has to obtain a certificate containing (among other things) the domain names that are authorized to use the certificate, a public cryptographic key, and a cryptographic signature from a certificate authority. The job of the certificate authority is to verify the person they are issuing the certificate for (by signing it) have control over the domains listed in the certificate. (Lets Encrypt's main innovation was to automate this process using the ACME protocol[1].)
When you connect to a site over HTTPS the TLS handshake includes the certificate of the site and the handshake messages are signed using the private key corresponding to the public key in the certificate. This means that the client can verify the certificate is valid for the site they are connecting to (by matching they domain they are attempting to connect to against one of the domains in the certificate's list), the server they are talking to has the private key for that certificate (because the public key is embedded in the certificate which can be used to verify the signature produced using the private key), and that the certificate itself is valid because it is authorized by a certificate authority (by using the public key from the CA's root certificate, in the "root store" of the browser/OS, to verify the signature on the certificate).
Additionally, once the handshake is completed all further traffic is encrypted and authenticated using an ephemeral key negotiated during the handshake. This means that you can trust the data coming over the wire is always coming from the correct server and has not been tampered with. (And as a side benefit it will detect any bit errors that occur during the connection, even those that are not caught by the TCP checksum, so you can be sure that e.g. large file transfers are not corrupt due to network errors.)
In order to carry out a DNS spoofing attack against a site using HTTPS (with a valid certificate issued by a recognized certificate authority), you'd either need to steal the private key associated with the certificate (in which case you've probably compromised the target site deeply enough that you don't need to spoof their DNS) or you'd need to obtain a fraudulent certificate for that site that was nevertheless issued by a recognized certificate authority. Any CA that issued an invalid certificate is supposed to immediately revoke the certificate and if they mess up like that too often they run the risk of being delisted from browser/OS root stores (this has happened in the past). Additionally, Certificate Transparency logs (where a CA maintains a public log of all certificates they have authorized) and DNS CAA records (which restrict which certificate authorities can issue certificates for a given domain name) further make this type of mis-issuance harder to carry out and easier to detect.
> How do I prevent the government of China from MITM-ing access to my web site from someone in China, using a Chinese mobile phone with certificates pre-installed and automatically by the local Chinese telco?
If the device itself is compromised there's nothing HTTPS can do. However, that scenario is outside of the scope of HTTPS. The threat model for HTTPS is bad actors in between a trusted service and a trusted client wanting to surveil or modify the traffic as it transits their networks. It is extremely effective at that.
> If I get a "free" cell phone which has a modified browser that inserted ads when viewing my web site, then from the customer's view those ads are on my site, right?
Again, if the user's device is compromised that's outside of your control and is not your fault. However, if you do not use HTTPS then anyone in between your site and the end-user's device can monitor or meddle with the connection and you do have a choice to use HTTPS to avoid that.
> Have you not seen all of the ads for systems like SecureVPN?
That still means you have to trust the VPN service and their upstream providers not to do these things. With HTTPS you are guaranteed to have protection all the way from your server to the client device.
> Can you guarantee that if I simply switch to https then the NSA could not use traffic analysis to figure out what users access from my static-pages, public-facing web site?
Obviously the NSA (and other state actors) could almost certainly figure out what any given person was looking at even if they were using HTTPS. The point of HTTPS is to increase the cost of doing such a thing from near 0 to significantly greater than 0. You can no longer just slurp up the bytes as they pass through a middle network, you have to actively catalog the site in question and perform statistical analysis to get that information.
What HTTPS will protect you against are ISPs and other middle networks monitoring your web browsing activity to sell that data to advertisers. This is a serious enough concern that the FTC asked the major US ISPs to provide information on what data they do sell about their customers[2]. And that's on top of the ad injection scenario I've already outlined.
Right, but if DNS is spoofed then you haven't yet connected to the site, you've connected to another site, so none of the security your described is relevant.
How does https prevent DNS spoofing? As far as I know, it doesn't. You need DNS CAA records. Which your ISP can spoof just like it can intercept your unencrypted sessions.
> DNS CAA records (which restrict which certificate authorities can issue certificates for a given domain name) further make this type of mis-issuance harder to carry out and easier to detect.
Earlier you talked about people who couldn't detect that ads were being injected into their browser. When you say "easier to detect", are you meaning easier to detect by people who don't recognize that their ISP injects ads?
Is my readership able to recognize that their ISP is spoofing DNS for a MITM attack?
How do I, right now check if my ISP is spoofing my DNS to MITM my access to my https site? 'Cause I have no clue.
> However, that scenario is outside of the scope of HTTPS.
Which was my point - what is the security threat I should care about?
Look, I don't disagree that https has its place, and I'm fine with https on new systems. But again I ask what are the negatives? If I switch my site to https-only, how many people or devices will be negatively impacted?
Can you answer that question?
> The point of HTTPS is to increase the cost of doing such a thing from near 0 to significantly greater than 0.
Which doesn't require https-everywhere, only https on most/significant number of places.
> to sell that data to advertisers
I've mentioned that that isn't a threat model that I or (I believe) my readership cares about. But let's examine it.
I can ad a tracking pixel to each of my pages, right? And my readership won't notice it? And I could sell that information to advertisers? And I could put Facebook likes and other tracking methods in my pages?
And you're fine with that at a technical level, since https doesn't prevent it.
While it's touching that you what to ensure that I am part of the profit stream from any monetization of the contents of my site, I don't think my readership cares - I certainly don't - so it's not part of my threat model.
> that the FTC asked
This is the same government that allows cable monopolies and doesn't enact laws to prevent the ISPs from injecting ads into their downloads? Call my a crazy leftist, but I can't help but notice that this also strengthens the power of the big advertising companies like Google and Facebook by reducing the amount of competition, and that the FTC is looking at ISP rather than Google and Facebook abuses because the ISPs are relatively weak, making this a politically cheap action on their part.
My post explained in detail how HTTPS prevents DNS spoofing. If you do not understand any of the steps in my argument, please point them out. Otherwise, if you are unable to understand how TLS and certificates work that is not my problem and I ask you to please stop spreading misinformation based on your misunderstanding.
> When you say "easier to detect", are you meaning easier to detect by people who don't recognize that their ISP injects ads?
I mean easier to detect by people who know how HTTPS works, i.e. by technical experts. There are people monitoring the Certificate Transparency logs for domains that have certificates being issued by a different authority than they normally use and/or by an authority that does not match the DNS CAA record.
> How do I, right now check if my ISP is spoofing my DNS to MITM my access to my https site? 'Cause I have no clue.
It's extremely simple: does the lock icon in your URL bar have an error symbol? If no, you can be almost[1] 100% certain the site you are connecting to has not been spoofed because it has a valid certificate. If yes, you should assume you have no better (though also no worse) security than unencrypted HTTP. If you want to go further you can view the certificate your browser received and compare it against the certificate presented to other services running on other networks, e.g. the Qualys SSL Labs server test: https://www.ssllabs.com/ssltest/
> Which was my point - what is the security threat I should care about?
To me this is a question of whether you respect and value your user's privacy and security. Enabling HTTPS (and HTTPS-only) is so trivial today that there is no reason not to do it. HTTPS is just basic security hygiene on the modern web regardless of the "importance" of the data. ISPs and other middle networks have proven themselves to be untrustworthy over the years and authenticated encryption (such as that provided by HTTPS) is the only workable defense.
> But again I ask what are the negatives? If I switch my site to https-only, how many people or devices will be negatively impacted?
Virtually none. Even on fairly ancient Android phones (Android 4.1+), which are the least likely to receive software updates, you can install Firefox and get a modern TLS stack and root store. Pretty much every desktop and laptop PC made in the last 10 years can run the latest version of Windows or Linux with the latest version of Firefox or Chrome. Sticking with software so obsolete it cannot interoperate with modern TLS is a choice and the people making that choice should be knowledgeable enough to understand the consequences of that choice (including the workarounds they can do to accommodate that obsolete software, e.g. proxy servers).
> Which doesn't require https-everywhere, only https on most/significant number of places.
If you do not use HTTPS on your site then the cost of surveilling your site is 0 regardless of whether other sites use HTTPS.
> And you're fine with that at a technical level, since https doesn't prevent it.
Yes, I am fine with that because it means that I got exactly what you intended me to receive and I can be confident in ascribing that decision to you and to judge you by that. My point about ad injection was just to show a real-world scenario where an ISP or other middle network has tampered with the data being delivered. You say you are a leftist, what about if someone inject "alt-right" talking points into your blog? What if someone swapped your contact information for a spoofed version so they can intercept e-mails and other private communication intended for you? What if someone replaced code on your site with malware? What if someone injected a script into your site to DDoS Github[2]? These are all things that are possible with unencrypted and unauthenticated connections (i.e. plain HTTP). If you can't generalize from the examples I'm giving you then I ask you to engage your imagination more vigorously.
[1] The "almost" qualification is primarily to account for intentional MITM appliances used by whoever is running your network (which would require them to install their own MITM certificate on your client) or malware running on your client, as well as much more rare scenarios like mis-issued certificates or state actor intervention.
It's taken a while because of work, and trying to research things took time.
I weep for the loss of information. I went to postings of mine from 10+ years ago, to see what would happens in an https-only. Very few of my external links still point to valid resources.
https-only increases link-rot. Of my remaining valid links, many are to non-https sites, because the field I'm in is so specialized and not monetized, so things hang on only because they don't need maintenance. Enforce https-only and they are effectively gone. Here's one - http://www.umass.edu/molvis/francoeur/levinthal/Levinthaltex... . No copies appear anywhere else on a DDG search, though it is in archive.org so not quite perma-death.
Here's a 15 year old code base still going strong http://weblogo.berkeley.edu/ (there's also a v3, also with http).
> If you do not understand any of the steps in my argument, please point them out.
You are correct that I know little about https. Here's the scenario I don't understand, which your explanation doesn't cover:
If I connect to https://MrRadar.server/some/url then at this point my browser knows nothing about it. The MITM server uses a self-signed certificate which expires in one second. My browser will accept it, right? And connect? So the MITM server knows what URL I've tried to connect to?
It then slowly responds with a redirect, taking 1 second, to the same URL (possibly using tricks to prevent the browser from a redirect loop). The self-signed certificate has expired, so the browser doesn't use it, and the second attempt isn't MITM'ed.
This goes through, successfully, right? And there's only a short time where I would see any lock icon? So I have to pay very close attention to see it. And if the attacker times it just right, so the https negotiation is better aligned to the one-second transition, that window is even smaller.
How does https prevent this sort of information leakage?
NOT THAT IT MATTERS, because my corporate site, with https, has only a couple of dozen pages and they are all public so simple traffic analysis lets anyone in the middle know what you are reading from my site. So I "ask you to engage your imagination more vigorously" and wonder if sometime switching to https gives people a false sense that people in the middle can't know which pages they access.
> then the cost of surveilling your site is 0
I believe you mean minuscule, since carrying out the surveillance and storing the data have a cost. Making use of the data has an additional cost.
> negatively impacted
As it turns out, I was negatively impacted yesterday. I made a typo in an email pointing them to my web site (think 'ycombintor.com' instead of 'ycombinator.com'). The quick response was that the site wasn't working. I tried, and got the "Warning: Potential Security Risk Ahead" because that alternate site's certificate was invalid. I spent 5 minutes trying to figure out if my hosting site had messed things up, before I got the followup email pointing out the typo.
Without https, it would have been clear that I got the wrong web site.
(While https, of course, doesn't protect against typo-squatting.)
> Sticking with software so obsolete it cannot interoperate with modern TLS is a choice
Shrug. Forcing everyone to use https is also a choice.
I also mentioned old software stacks. I work with scientific code, some dating back decades, and with little funding for maintenance.
I'm dreading what's going to happen at the end of this month when pip drops support for Python 2.7 causing link-rot to make some old projects no longer work, causing the associated papers to no longer be so easily reproducible.
Part of my work today was to get Docker containers set up with Python 2.7, etc., as a sort of refuge, so those tools would be at hand 5 years from now.
Your 'basic security hygiene' is my archival headache.
> what about if someone inject "alt-right" talking points into your blog?
You've already derided my objection to your characterization. I don't know why you think I've changed my opinion.
> What if someone swapped your contact information
I've already pointed out that I don't see that as a valid security threat.
I mean, someone could break down your door and attack you in the middle of the night - does that threat cause you sleep in a safe room?
Do I also have to worry about them bribing the ops people at my hosting provider?
> What if someone injected a script into your site to DDoS Github[2]?
You mentioned that before. Your [2] says: "in order to execute such an attack, the perpetrator has to create a persistent [cross-site-scripting] DDoS scenario on a very popular website, or ... have control over a very high-traffic proxy - in this case ... the Chinese government's network equipment,"
That is obviously outside of my threat model, in the same way I don't have a safe to store my wallet.
If someone could control the Chinese government's network equipment, couldn't they reroute a lot of https traffic to GitHub to DDoS it?
Could you explain that? I thought that if DNS were spoofed then people could be redirected anywhere else, no matter what the certificate said. I thought that could be mitigated by CAA records, but that too could be spoofed, eg, by your service provider.
How do I prevent the government of China from MITM-ing access to my web site from someone in China, using a Chinese mobile phone with certificates pre-installed and automatically by the local Chinese telco?
"This seems like a very strange semantic argument"
I think you're making the strange argument. If I get a "free" cell phone which has a modified browser that inserted ads when viewing my web site, then from the customer's view those ads are on my site, right?
But of course there's nothing I can do about that. Nor can you.
So why place the responsibility on me?
"if the only broadband provider that serves your area injects ads on non-secured pages"
Have you not seen all of the ads for systems like SecureVPN?
"pervasive passive surveillance"
One of the pervasive passive surveillance attacks mentioned in the ietf link is traffic analysis, which I mentioned earlier. Can you guarantee that if I simply switch to https then the NSA could not use traffic analysis to figure out what users access from my static-pages, public-facing web site?
Do you seriously think the NSA hasn't automated something as simple as remembering download sizes for each page, for a large number of web sites, in order to infer things like this? So do my readers gain any additional security against NSA surveillance by switching to https?
Don't forget that my service provider (in the US) can be forced to reveal details and do tracing without telling me, including providing clear-text access to the logs.
Since I cannot defend against NSA surveillance on my readers, I have to choose a threat model where I can make a difference.
And I can't figure out who I should care to thwart, where https would make a meaningful difference.
Clearly there are web providers which can and should use https to protect privacy against non-nation-state actors. Passwords, money, and the ability to insert code without review are three things which change the balance.
But I don't see any benefit for my basic blog site that's been around for 20 years, and there appears to be a (small?) negative.