Main » Discussion » FUCK hsts » New reply
    Thread review
    kode54
    Bonus points regarding TrustedInstaller: If it's a Windows Store app, it will also be using NTFS Encrypting File System (EFS) to protect the files, and the certificate and keys that control that encryption are owned by TrustedInstaller, and also password protected with a key I have yet to determine, be it a static key, a system key, or whatever.

    The only way around this is to run the app, inject a DLL into it somehow, and that DLL dump the filesystem to an unencrypted location. There's a tool for this, too. Just don't expect those UWP or even Centennial apps to run outside of the store mechanism once removed from their encrypted storage. Certainly a handy way to hack at the resources, though. Due to the EFS, Windows Store apps are not likely to use extra encryption on their resources, like some Unreal Engine games have been known to do.
    Kawaoneechan
    Elevated CMD starts in System32, which makes it a bit easier. So I start one up in my Win10 VM and type "del *.*", confirm... and get pages upon pages of "Access denied".

    So yeah, I'm thinking it played by the same rules.

    Posted by funkyass
    would the OS running off of Fat32 make a difference?
    If it has no way of setting permissions and ownership on the filesystem level, it'd have to make do with what 2000 did: refuse to touch the System32 folder itself, and put everything back that you manage to delete.
    funkyass
    would the OS running off of Fat32 make a difference?
    Kawaoneechan
    Posted by tomman
    Is there a difference if you delete stuff from the shell (Explorer), or from a (elevated) command prompt?
    ... I considered that possibility when I saw one of the KYM examples was a batch file but dismissed it.

    Please hold.
    tomman
    Is there a difference if you delete stuff from the shell (Explorer), or from a (elevated) command prompt?

    Also, there are ways to run stuff as users higher than TrustedInstaller - IIRC Sysinternals has a tool for that.

    As for files coming back after deletion on Win2K, that's System File Protection kicking in to protect your OS from yourself, which was introduced in that release (and backported somehow to WinME).

    If only somehow I could delete NetMeeting from WinXP - it has no use nowadays, I have small HDDs/disk images for my XP boxes/VMs, and yet there is no official way to get rid of NetMeeting and friends: SFP will get in the way, restoring shit as soon as you delete it. But malware has no problems rendering your shit unbootable (hi Sality!)
    Kawaoneechan
    I just went through all the Windows VMs I have, in descending order of release, to find the first one that lets you delete System32.

    It's Windows 98. Which barely uses System32 — it uses System. You can't just select the System folder and delete that either, it'll say that's a system folder that Windows requires to run. You can only accept that. So I go into the folder itself and find 1087 files there, not counting more folders. I can delete all but 98 of them (they're in use), and then Windows 98 still runs but won't boot.

    The "delete system32" meme, according to KYM's Google Trends insert, started in 2004, and with Windows 2000.

    Indeed, Windows 2000 also doesn't let you simply select and delete the folder just like Win98 doesn't let you delete the system folder. But it gets better: besides the files it can't delete because they're in use, Windows 2000 put back almost everything I deleted. When I restarted, the only immediately obvious difference was that the startup sound was "ting" instead of the normal one.

    XP does the same, but with more hurdles to get there and see the files.
    CaptainJistuce
    Posted by Nicholas Steel
    Is it still limited to TrustedInstaller if you disable UAC?
    Yes. Because what Kawa said.
    TrustedInstaller is still the only account allowed to tamper with it, the file is not modifiable by administrators.
    UAC just generates the gray-screen "are you SURE you want to change your display resolution" popups.
    If I recall, it is possible to go in and add Administrator access rights to TrustedInstaller files and directories. THEN the file is touchable by administrators.
    But that's a definite case of "not given enough rope to hang yourself, so you went out and bought more".
    Kawaoneechan
    Disabling UAC does not change file permissions, if that's what you were implying.
    Nicholas Steel
    Is it still limited to TrustedInstaller if you disable UAC?
    Kawaoneechan
    You don't get to specifically call out "even system32" and then argue when I cast doubt on deleting folders on specifically Windows systems. That's just bad form.

    Edit:
    I do remember doing it in a VM, and I recall they let me do it. I mean why else would the 'delete system32' meme be a thing?

    I have several Windows VMs, and I just tried it on the Win10 one. I have very fresh memories, short term even, of starting with 4288 files inside System32 (not counting the folders), and ending with 4274 and an apparently no less stable system on reboot. It wouldn't even begin to delete anything when I selected System32 itself, the very first file found being in use or TrustedInstaller's, and not giving me a "skip" option.

    I have no Win7 VM, that's my actual system, but I did just confirm that it too has a TrustedInstaller, and this random System32 file can't be altered by anyone but TrustedInstaller, so it'd likely be about as effective to try it on the other Windows still in use by regular people as it is on 10.
    funkyass
    maybe try putting a www in front of the domain.
    CaptainJistuce
    Sounds reasonable to me.
    Screwtape
    I think I've come up with a hypothetical workaround:

    1. The user requests the user agent to go to Facebook

    2. The user agent resolves www.facebook.com, and initiates a TLS connection

    3. Through acquired knowledge (such as the Certificate Authority database and HSTS database), the user agent discovers that on the current network, "www.facebook.com" is not part of Facebook, and presents an error page to the user.

    4. The error page should have a button with a label like "I am OK with connecting to a site that is not actually Facebook".

    5. If the user clicks that button, the user-agent should choose a URL at random from the user's browsing history whose hostname component is not www.facebook.com, and connect to that instead.

    Someone file an issue on Bugzilla!
    CaptainJistuce
    Posted by sureanem

    Posted by CaptainJistuce

    That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

    Yeah but that doesn't make it any less of a stupid idea. Lighting a million dollars on fire is a stupid idea, but pointing out that the intent was to make a lot of money go up in smoke doesn't solve this problem.

    Like, if the idea was that if you use HTTPS and get a warning you can click through it, but with HSTS you have to click through it really hard, or go to about:config or whatever, I wouldn't have a problem. Then we still preserve the user-agent property of the browser. It should follow my orders, not smugly tell me how it's a broken piece of shit by design.

    The idea is that this is a transaction that absolutely needs to be secure. There needs to be as much assurance as possible there are no TLS downgrade attacks, no man-in-the-middle eavesdropping, no suspicious behavior at all. Any suspicious activity is immediate grounds for terminating the connection, because if the connection cannot be trusted, then no transaction should take place. Surely, someone as security-minded as you profess to be would be GRAVELY CONCERNED that there are HTTPS errors in the first place.

    The problem is not "HSTS works as advertised", it is misuse of a good feature. Google is punishing EVERYONE for not enabling HTTPS when their website does not need HTTPS, then punishing them AGAIN for not enabling HSTS when their website does not need HSTS.

    I'd also argue that browsers are moving towards preventing ANY overrides of HTTPS issues. They've already placed big scary doom warnings and hid the option to override so you have to click more buttons to show the option before you can begin the override. So place your flag not in "HSTS works as advertised", but at "all HTTPS transactions are moving towards being treated as if they were HSTS transactions"

    And to be blunt, I question why HTTPS errors were ever allowed to be ignored at all. If you believe your connection needs to be secure, you should refuse to allow an insecure connection.
    Were I writing the spec, I would require both ends of the transaction to terminate the connection if there was an HTTPS error. If the client software is out of spec and attempts to continue the transaction anyways, it doesn't matter because the server software slammed the door in their face. HSTS wouldn't even exist, because regular HTTPS would already do more.
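    As an added illustration (not code from the thread or from any browser) of the "no fallback, no override" rule argued over above: a minimal HSTS policy store in Python modelled on RFC 6797. The class, its method names and the clock injection are my own construction; www.facebook.com appears only as sample input.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)

class HstsStore:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable clock so expiry can be tested offline
        self.hosts = {}      # host -> (expiry_time, include_subdomains)

    def process_header(self, host, header, over_tls):
        # RFC 6797 s8.1: honour the header only over error-free TLS; max-age=0 forgets the host
        if not over_tls:
            return
        m = _MAX_AGE.search(header)
        if m is None:
            return          # max-age is mandatory, so the header is invalid
        host = host.lower()
        if int(m.group(1)) == 0:
            self.hosts.pop(host, None)
            return
        include_sub = "includesubdomains" in header.lower()
        self.hosts[host] = (self.clock() + int(m.group(1)), include_sub)

    def is_known(self, host):
        # Exact match or a superdomain that set includeSubDomains; expired entries are ignored
        if not host:
            return False
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.clock():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        # RFC 6797 s8.3: http:// to a known host becomes https:// (explicit port 80 -> 443)
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

    def may_override_tls_error(self, host):
        # RFC 6797 s8.4: a TLS error on a known host is fatal and no click-through is offered
        return not self.is_known(host)
```

    For a host that never sent the header, may_override_tls_error() returns True, which is exactly the ordinary HTTPS warning page the post above contrasts with HSTS.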
    ‮strfry("emanresu")
    Posted by Kawa
    I was not aware files that are in use could be deleted quite so easily.

    Only on Windows. On Linux, it's a standard way of programming. Also, there do exist tools on Windows to do this IIRC.
    And let's not get into access control, ownership...

    What about them? I am restricted from doing some stuff to files owned by root but if I type in sudo then I don't have these problems anymore. It's a clear-cut example of my point: "yeah you can't do X but actually you can if you just insist on it".

    If it wasn't so late for me and my laptop was still running, I'd try to delete system32 from my Win10 VM just to see if it'd let me.

    I do remember doing it in a VM, and I recall they let me do it. I mean why else would the 'delete system32' meme be a thing?
    Posted by tomman
    I've always been tempted to run rm -rf / on something to see the world burn right in front of my eyes.

    It stays on but if you try to do anything it will - correctly - inform you the file can't be found.

    Posted by Screwtape
    HSTS is when a site administrator says "I am an adult, I know what I am doing, I'm not going to screw up my HTTPS configuration".

    So when the site administrator is an adult, and the site user is an adult, who should win?

    The user controls his browser, the server administrator controls his server. The server administrator shouldn't have the power to compel the USER AGENT to act in contravention of the user's agency, just as I shouldn't be able to tell the server to disregard its configuration. I tried to come up with a good example, but I couldn't, since everyone just accepts that server administrators administer their servers.

    Posted by CaptainJistuce

    That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

    Yeah but that doesn't make it any less of a stupid idea. Lighting a million dollars on fire is a stupid idea, but pointing out that the intent was to make a lot of money go up in smoke doesn't solve this problem.

    Like, if the idea was that if you use HTTPS and get a warning you can click through it, but with HSTS you have to click through it really hard, or go to about:config or whatever, I wouldn't have a problem. Then we still preserve the user-agent property of the browser. It should follow my orders, not smugly tell me how it's a broken piece of shit by design.

    It is also notable that you've previously said that end users SHOULDN'T be able to override server-side decisions re: DNS. So why change now?

    I do not believe I have suggested DoH should not be disableable in about:config. That would be absurd. As much of the browser as reasonably possible should be configurable in there. I just believe it's a bad idea for applications to use the OS' settings, when the only reason for such settings is to perform reprehensible acts.
    With that being said, I don't understand why Firefox doesn't respect /etc/hosts. Like, dude, it's one file query. This should not be hard. You're 200 megabytes of code deep already. Just add an about:config switch to parse /etc/hosts in the browser level.
    CaptainJistuce
    Posted by sureanem
    How is this functioning as intended? You make some trivial mistake in the configuration and your site breaks. How can it ever be acceptable for a piece of software to disregard my explicit wishes?

    That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

    It is like XHTML, only people like it because it is no harder to implement and makes Google happy, whereas XHTML is hard for them to implement because they suddenly have to actually know what they're doing and stop pasting broken code for the browser to sort out for them.
    It is also notable that you've previously said that end users SHOULDN'T be able to override server-side decisions re: DNS. So why change now?
    tomman
    Posted by Screwtape
    HSTS is when a site administrator says "I am an adult, I know what I am doing, I'm not going to screw up my HTTPS configuration".

    So when the site administrator is an adult, and the site user is an adult, who should win?

    Your mom, naturally.
    Screwtape
    HSTS is when a site administrator says "I am an adult, I know what I am doing, I'm not going to screw up my HTTPS configuration".

    So when the site administrator is an adult, and the site user is an adult, who should win?
    tomman
    I've always been tempted to run rm -rf / on something to see the world burn right in front of my eyes.

    I once saw something somewhat similar happen: a faulty HDD developing bad sectors which ended up wiping /etc on an old Caldera OpenLinux setup back in my college dorm years. X dies and you end up dropped to a "Go away, you don't exist" console. Fun times!
    Kawaoneechan
    I was not aware files that are in use could be deleted quite so easily. And let's not get into access control, ownership...

    If it wasn't so late for me and my laptop was still running, I'd try to delete system32 from my Win10 VM just to see if it'd let me.