
disabling HSTS

Posted Apr 24, 2017 21:43 UTC (Mon) by nix (subscriber, #2304)
In reply to: disabling HSTS by gerv
Parent article: Tor exit node operator arrested in Russia (TorServers.net blog)

Except if it's your own self-signed cert, or a cert generated by some embedded box or software you own and necessarily trust. I definitely trust my ADSL router -- I have to even though it is a horrible closed lump, since *everything* flows through it and it can change everything. It has a self-signed cert for its admin pages. There is no point not accepting that... it can already MITM me if it wants to in a much simpler fashion.


disabling HSTS

Posted Apr 24, 2017 22:38 UTC (Mon) by nybble41 (subscriber, #55106)

> I definitely trust my ADSL router -- I have to even though it is a horrible closed lump, since *everything* flows through it and it can change everything. It has a self-signed cert for its admin pages. There is no point not accepting that... it can already MITM me if it wants to in a much simpler fashion.

The router may be able to change any of the traffic passing through it, but that does not imply that it can present itself as an arbitrary properly authenticated HTTPS site... unless you accept its self-signed certificate without first checking that the certificate is limited to the router's admin domain. TLS is specifically designed to thwart MiTM attackers with exactly that ability to intercept and modify any of the participants' traffic.
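
The check nybble41 describes, that a self-signed router certificate should only ever be accepted for the router's own admin hostname, is worth spelling out, because the usual failure is not the self-signed cert itself but how it gets trusted: import it into the system trust store, and if the certificate asserts CA:TRUE (which many embedded boxes and `openssl req -x509` defaults produce), the router's key can now sign a certificate for any site and the browser will accept it. The script below is an added example, not code from the thread or from any router vendor. It constructs two self-signed certificates for a hypothetical admin host `router.lan` (the name is an assumption), refuses one that asserts CA:TRUE or does not name the host, and prints a SHA-256 fingerprint of the acceptable one so it can be pinned as a per-host exception rather than installed as a CA.

```shell
#!/bin/sh
# Added example (not from the LWN thread): vet a router's self-signed
# certificate before pinning it, instead of importing it as a trusted CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private OpenSSL config so the system openssl.cnf cannot add its own
# v3_ca extensions (CA:TRUE) behind our back. "router.lan" is a
# hypothetical admin hostname used only for this demonstration.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = router.lan
[leaf]
subjectAltName = DNS:router.lan
basicConstraints = critical,CA:FALSE
[ca]
subjectAltName = DNS:router.lan
basicConstraints = critical,CA:TRUE
EOF

# Constructed fixture: a self-signed cert with the named extension
# section ("leaf" or "ca"). Prints the path of the PEM file.
make_cert() {   # $1 = output basename, $2 = extension section
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/req.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    echo "$WORK/$1.pem"
}

# Returns 0 only when the certificate is safe to pin for host $2:
#  - it names the host we are actually talking to (SAN, or CN if no
#    DNS SAN is present, via X509_check_host), and
#  - it does not assert CA:TRUE, so trusting it cannot be extended to
#    certificates for other domains signed by the same key.
vet_router_cert() {   # $1 = PEM path, $2 = expected hostname
    cert=$1; host=$2
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "reject: certificate is not for $host" >&2
        return 1
    fi
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "reject: certificate asserts CA:TRUE; importing it would let the router sign for any name" >&2
        return 1
    fi
    return 0
}

# Stable identifier to pin: SHA-256 over the DER-encoded certificate.
cert_fingerprint() {   # $1 = PEM path
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone demo: a proper leaf cert is accepted, a CA-style one refused.
GOOD=$(make_cert good leaf)
BAD=$(make_cert bad ca)
vet_router_cert "$GOOD" router.lan && echo "pin $(cert_fingerprint "$GOOD")"
vet_router_cert "$BAD" router.lan || echo "refused CA-style certificate"
```

The fingerprint, not the certificate, is what gets stored: a browser's per-site exception or a `curl --pinnedpubkey`-style pin binds trust to this one key on this one hostname, which is exactly the scope nix's argument justifies, whereas adding the PEM to the system CA list grants the router the ability to impersonate every HTTPS site that flows through it.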

disabling HSTS

Posted Apr 29, 2017 19:32 UTC (Sat) by flussence (guest, #85566)

My router's UI optimizes for "not terrorizing the user": it uses HTTP Authenticate, which just pops up a modal username/password box and bypasses all this warning fatigue. Completely insecure, and yet it's the least awful option browsers give us.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds