
disabling HSTS


Posted Apr 24, 2017 15:46 UTC (Mon) by gerv (guest, #3376)
In reply to: disabling HSTS by linuxrocks123
Parent article: Tor exit node operator arrested in Russia (TorServers.net blog)

Well... did you know that the cert could be revoked, but even if you check, the CA won't tell you, because expired certificates are not required to be on any revocation lists? So this cert could have been misissued a couple of years ago, then revoked, but now it's expired, the attacker is trying to use it again.

Also, did you know that when you override a cert error, you allow that cert for any SAN in it, not just the one you are connecting to? So if that cert is for www.securityblog.example.com and also www.paypal.com, you just allowed them to MITM you for paypal.com. This is more of a risk for self-signed than for expired, but I bet you didn't know it, nevertheless.

Overriding SSL cert errors, particularly with the permanent flag checked, is a _bad_ idea.



disabling HSTS

Posted Apr 24, 2017 21:43 UTC (Mon) by nix (subscriber, #2304)

Except if it's your own self-signed cert, or a cert generated by some embedded box or software you own and necessarily trust. I definitely trust my ADSL router -- I have to even though it is a horrible closed lump, since *everything* flows through it and it can change everything. It has a self-signed cert for its admin pages. There is no point not accepting that... it can already MITM me if it wants to in a much simpler fashion.

disabling HSTS

Posted Apr 24, 2017 22:38 UTC (Mon) by nybble41 (subscriber, #55106)

> I definitely trust my ADSL router -- I have to even though it is a horrible closed lump, since *everything* flows through it and it can change everything. It has a self-signed cert for its admin pages. There is no point not accepting that... it can already MITM me if it wants to in a much simpler fashion.

The router may be able to change any of the traffic passing through it, but that does not imply that it can present itself as an arbitrary properly authenticated HTTPS site... unless you accept its self-signed certificate without first checking that the certificate is limited to the router's admin domain. TLS is specifically designed to thwart MiTM attackers with exactly that ability to intercept and modify any of the participants' traffic.
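
The check discussed in the comments above (confirm which names a certificate covers before overriding an error for it), as an added example that is not part of the original thread. It assumes the certificate is already decoded into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and the router name `router.home.arpa` are constructed.

```python
import ipaddress

def _ip(text):
    """Parse an IP literal, or return None when the text is not one."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _dns(name):
    """Normalise a DNS name: lower-case, no trailing dot."""
    return name.strip().lower().rstrip(".")

def san_scope(cert, expected):
    """Split SAN entries into (intended, extra).

    cert     -- dict shaped like ssl.SSLSocket.getpeercert() output
    expected -- exact host names / IP addresses the user means to trust
    Anything in 'extra' would also be covered by an override of this cert.
    """
    want_ip = {_ip(e) for e in expected} - {None}
    want_dns = {_dns(e) for e in expected if _ip(e) is None}
    intended, extra = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            # Wildcards never equal an exact expected name, so they land in extra.
            ok = _dns(value) in want_dns
        elif kind == "IP Address":
            ok = _ip(value) in want_ip
        else:
            ok = False  # URI, email and other SAN types are out of scope
        (intended if ok else extra).append((kind, value))
    return intended, extra

def safe_to_override(cert, expected):
    """True only if the cert names what was expected and nothing else."""
    intended, extra = san_scope(cert, expected)
    return bool(intended) and not extra

# Constructed sample certificates (only the SAN field is shown).
ROUTER_CERT = {"subjectAltName": (("DNS", "Router.Home.Arpa."),
                                  ("IP Address", "192.168.1.1"))}
BLOG_CERT = {"subjectAltName": (("DNS", "www.securityblog.example.com"),
                                ("DNS", "www.paypal.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.home.arpa"),)}

if __name__ == "__main__":
    print(safe_to_override(ROUTER_CERT, ["router.home.arpa", "192.168.1.1"]))
    print(san_scope(BLOG_CERT, ["www.securityblog.example.com"]))
```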

disabling HSTS

Posted Apr 29, 2017 19:32 UTC (Sat) by flussence (guest, #85566)

My router's UI optimizes for "not terrorizing the user": it uses HTTP Authenticate, which just pops up a modal username/password box and bypasses all this warning fatigue. Completely insecure, and yet it's the least awful option browsers give us.

