Basically everything worth a hill of beans uses HTTPS; that encrypts from your browser, all the way to the server side. Nothing in between (including, interestingly, your OS and its networking stack) can see the contents barring some MITM corporate nonsense. This is why public wifi is "safe." - ThreadSky

quinnypig.com • 103 days ago

Basically everything worth a hill of beans uses HTTPS; that encrypts from your browser, all the way to the server side. Nothing in between (including, interestingly, your OS and its networking stack) can see the contents barring some MITM corporate nonsense.

This is why public wifi is "safe."

Comments

mrlarrieu.bsky.social•103 days ago

I still sometimes get the willies connecting to these networks and have to remind myself of this every time. The PSA push in the early naughties (00s) must have been very effective

logik.al•103 days ago

But I can’t sell esp marauders if people think their passwords and IP address can be stolen!

scott.notmayo.com•103 days ago

I used to arp poison my friends’ routers while hanging out at their houses so I could post on their myspace silly things. We later found out that people did this in public since everything was clear text back then

richih.bsky.social•103 days ago

The OS itself can see the contents. The networking stack in the OS can not.

statictear.bsky.social•103 days ago

@mrr3b00t.bsky.social has some amazing reply guys that always come in to his threads about this and yell how you need a vpn ROFL

mrr3b00t.bsky.social•103 days ago

Yes I manage to ‘find’ insane people who don’t know how computers / the internet work

docwho76.bsky.social•103 days ago

My favorites are the ones who buy the 5g protection wire mesh cages for their home routers

robocoonie.bsky.social•103 days ago

Whut

statictear.bsky.social•103 days ago

robocoonie.bsky.social•103 days ago

But that would stop the signal from... Ugh. I hate people. This is why I'm not IT Help Desk anymore.

danlather.bsky.social•103 days ago

Unbelievable.

(Sorry.)

docwho76.bsky.social•103 days ago

https://a.co/d/hCMH0I0

statictear.bsky.social•103 days ago

There’s also a cream

docwho76.bsky.social•103 days ago

Let me guess hydroxyquloroquine?

bluejosem.bsky.social•103 days ago

A lot of PoS systems surprisingly don't in stuff in between, lol

joop.kiefte.eu•103 days ago

interestingly, that's also the only way VPNs are safe. otherwise a VPN is literally an opt-in MITM.

whitepuffin.bsky.social•103 days ago

DNS traffic is usually unencrypted and it is metadata that tells everything about the user patterns.

Sniff your own traffic, you might be surprised.

rag.pub•103 days ago

tls sni still gets you site names in >99% of cases

natanael.bsky.social•103 days ago

Encrypted SNI is in the works

macemoneta.bsky.social•103 days ago

DNSSEC is used by most DNS servers these days. Don't use a non-DNSSEC server for DNS.

billy.wales•103 days ago

DNSSEC validates the records are created and signed by the zone (i.e. the Cloudflare nameserver did actually set https://billy.wales IN A ), but actual security between a client and server needs DoT/DoH (DNS over TLS/HTTPS)

natanael.bsky.social•103 days ago

DNSSEC + DANE does let you specify cert details in DNS records, but pretty much nobody uses it

simonwillison.net•103 days ago

https://bsky.app/profile/malwaretech.com/post/3ldpfzxdyqs2d

kilpatds.bsky.social•103 days ago

Corey was specifying -> corporate<- MITM things.. Marcus is talking public MITM things. They're slightly different threats, and both peoples statements are true in their own context

kilpatds.bsky.social•103 days ago

Corporate MITM is when corporate puts a trusted root cert into the machine, and MITMs you with custom forged certs signed by that cert. HSTS sees a different valid cert, and doesn't fire

kilpatds.bsky.social•103 days ago

There's a risk of similar nonsense from a malicious VPN, but I'm not aware of any of them doing it, because Google would sue said provider into the ground

dekushrub.bsky.social•103 days ago

HSTS is for protocol enforcement, not certificate validation

kilpatds.bsky.social•103 days ago

It also yells at you if you go from a valid cert to an invalid cert. (Which I know because former employers used corporate MITM, without being able to get the cert out to the Linux boxes in use)

natanael.bsky.social•103 days ago

Your browser will do that even without HSTS, but that spec prevents the browser from accepting no cert

macemoneta.bsky.social•103 days ago

It's the MITM that's the concern, as well as rogue WiFi hotspots that are mimicking common site logins.

Tailscale / Wireguard. Never leave home without them.

toolz.bsky.social•103 days ago

Maybe first try a networking course in the nearby future.

eahrend.dev•103 days ago

But...that would mean $youtuber took a sponsorship without understanding what they were promoting...

kiloqubit.com•103 days ago

Pretty much any state actor could issue a valid cert (through control of one of the CAs in their country) that your browser or app will accept as valid without any corporate CA stuff. Combine that with control over DNS or routing, and a MITM attack is not very hard. The defense is to pin SPKI.

standalonesa.bsky.social•103 days ago

Domains are still leaked, FWIW, even if the paths aren’t.

macemoneta.bsky.social•103 days ago

Use DNSSEC. Most major sites and clients support it these days.

rag.pub•103 days ago

DNSSEC is not encrypted dns. You want DoT/DoH for that, but even then we don’t have ECH yet so most domains are still leaked in TLS SNI

opliko.dev•103 days ago

We do! Since last year all major browsers support and enable ECH by default and Cloudflare (I think Fastly too) have also had it deployed globally for around that long.

You can even confirm that it works here: https://tls-ech.dev/

opliko.dev•103 days ago

Admittedly, OpenSSL doesn't officially support it yet - it's slated for 3.5.0 in 2025. So to run your own server you need to use a fork (https://github.com/defo-project/openssl) or something else that supports it like BoringSSL.

macemoneta.bsky.social•103 days ago

That's a good reason to click the "Block all traffic without VPN' option.

tdnewton.bsky.social•103 days ago

Increasingly not, with the advent of ech and doh

boblord.bsky.social•103 days ago

https://bsky.app/profile/boblord.bsky.social/post/3ldpjcwqaks26

pkem.bsky.social•103 days ago

What about app traffic, dns or automatic sync services on your phone. Not everything is secure by default.

billy.wales•103 days ago

https://www.thesslstore.com/blog/reminder-apple-app-store-ats/
“On Jan 1st, 2017, Apple will expect that any new apps submitted to the App Store, and updates to existing apps, will meet ATS requirements.”

I can’t find as concrete a source, but Google also seems to require apps use TLS by default now.

pkem.bsky.social•103 days ago

Shows how long it's been since I looked at the Android framework. The idea still makes me nervous .

natanael.bsky.social•103 days ago

Under data protection policies

xeiaso.net•103 days ago

The only reason you'd need a VPN at this point is if you are accessing private resources behind it (like pods on your k8s cluster) or something needs an IP address in a country you're not in for things like tax authorities. Using a VPN on public wifi ironically makes you stand out.

mcheshkov.bsky.social•103 days ago

> IP address in a country you’re not in
Also that, but with a twist: it’s not “something needs”, like tax authorities, but “something interferes”, like a state firewall

joekiller.bsky.social•103 days ago

Buttt my TLS VPN!

kmagnacca.bsky.social•103 days ago

Depends on what you define as "worth a hill of beans". The website of the museum I work at, hosting a tremendous amount of critical scientific literature, still doesn't have HTTPS. No payment info of course (not sure about logins, I don't have access), but still not great.

gingerjet.net•103 days ago

Museum?
Scientific data?

Based on that I assume it’s just public data. So why would one care?

orthanc.nz•103 days ago

Https also provides assurance the data wasn't tampered with in flight.

So it's not just to protect the data you submit.

People have been known to inject ads and worse things into http traffic that's passing through their network.

thoth.ptnote.dev•103 days ago

This is why I always took objection to anti-HTTPS stances. Even if you don't accept input, I still want to know that your text wasn't tampered with in transit.

thoth.ptnote.dev•103 days ago

Given, the only true anti-https stance I've seen was from n-gate, one of the most unbelievably insufferable people on the internet, so I'm pretty sure having his site be tampered with in transit would strictly be an improvement lol.

orthanc.nz•103 days ago

I've been arounf long enough that we did used to have genuine cost benefit discussions about https or not for health data (on a lan, but still) and didn't assume it.

But since 2013 or so, yeah, just send it over tls so you don't have to think about it

digitalenvoy.bsky.social•103 days ago

Public Wi-Fi is safer with HTTPS, but metadata like DNS isn't encrypted (unless using DoH). MITM attacks via rogue hotspots or corporate certs still pose risks.

jamesbromberger.bsky.social•103 days ago

"Corporate" certs only work if the user device has already been compromised with a Corporate CA cert being previously added to the trust store (eg during imaging or via boot scripts/policy that user agrees to).

escamoteur.bsky.social•103 days ago

If you manage to I stall a proxy on the user's device you can compromise it otherwise there is no way.

Comments

Posting Rules

Reply