Main » Discussion » FUCK hsts
Posted on 20-01-23, 17:06
Stirrer of Shit
I am trying to use the Internet. I am an adult, I know what I am doing. Thus, when I get an HTTPS warning, it's advised I don't visit, but there could have been some error, so I can click through it. I'd rather they just fixed HTTPS, but it's an OK compromise.

Then we get HSTS. I try to visit a website. It says, direct quote, "You can’t add an exception to visit this site ... and there is nothing you can do to resolve it." What an unbelievably smug and disgusting piece of shit attitude. I am a sophisticated user. Fine if I were using Chrome, but this isn't the case.

So I search for the common queries online. "disable hsts firefox", "firefox disable https", "firefox disable cert warnings". There should be an about:config option, right? Haha, nope.

And they told us it's just voluntary, UX is good, etc.

Has anyone solved this problem? Is there a simple tool to fix/disable HTTPS?

(I use Tor for anything interesting, so any alleged "security" concerns are complete bunk)

There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
Posted on 20-01-23, 20:23
Not from my cellphone

Related: My site does not need HTTPS.

It's not late to join Team Seamonkey. If only we could hard-fork Mozilla...

Licensed Pirate® since 2006, 100% Buttcoin™-free
Posted on 20-01-23, 21:43
Stirrer of Shit
Posted by tomman
Related: My site does not need HTTPS.

HTTPS there is nothing wrong with, in theory. If they would just skip the whole CA idiocy and add a DNS record "SSL" that has the hash of a public key, we would have no problem. No expired certs, no CAs, and a generally civilized system.
Posted by tomman
It's not late to join Team Seamonkey. If only we could hard-fork Mozilla...

Can I disable HTTPS or HSTS in Seamonkey? If so it is promising, although I don't think my add-ons would work.

I just want a version of Firefox that isn't actively hostile to me as a user. The problem is that this is impossible since you have a monopoly that just so happens to find itself with a negative financial interest in your user experience.

If only you'd find a solution for your hard currency problem you'd have a great arbitrage opportunity here. Work on Seamonkey and get paid in US dollars.

There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
Posted on 20-01-23, 23:24
Custom title here

HSTS is functioning as intended. The entire POINT of HSTS is that if there's an issue in the security, the exchange fails instead of providing a way to move forward insecurely.

Arguably, this is the way HTTPS should have been spec'ed from the beginning.

--- In UTF-16, where available. ---
Posted on 20-01-23, 23:29
Stirrer of Shit
How is this functioning as intended? You make some trivial mistake in the configuration and your site breaks. How can it ever be acceptable for a piece of software to disregard my explicit wishes?

If I attempt to delete a folder, they're going to ask me "you sure about that man?" to make sure it really is my decision. But in no case do I click yes for them to tell me "I'm sorry Dave, I'm afraid I can't do that".

Even if it's System32. They might ask me twice. "Hey sureanem I know you clicked OK but this is serious stuff mate you sure?" But if I then click yes, it's just going to let out a resigned sigh and say "well OK if you insist then sure whatever".

There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
Posted on 20-01-24, 00:06
Secretly, I'm Charles Darwin

I was not aware files that are in use could be deleted quite so easily. And let's not get into access control, ownership...

If it wasn't so late for me and my laptop was still running, I'd try to delete system32 from my Win10 VM just to see if it'd let me.
Posted on 20-01-24, 00:16
Not from my cellphone

I've always been tempted to run rm -rf / on something to see the world burn right in front of my eyes.

I once saw something somewhat similar happen: a faulty HDD developing bad sectors which ended up wiping /etc on an old Caldera OpenLinux setup back in my college dorm years. X dies and you end up dropped to a "Go away, you don't exist" console. Fun times!

Licensed Pirate® since 2006, 100% Buttcoin™-free
Posted on 20-01-24, 00:23
Full mod

HSTS is when a site administrator says "I am an adult, I know what I am doing, I'm not going to screw up my HTTPS configuration".

So when the site administrator is an adult, and the site user is an adult, who should win?

The ending of the words is ALMSIVI.
Posted on 20-01-24, 00:47
Not from my cellphone

Posted by Screwtape
HSTS is when a site administrator says "I am an adult, I know what I am doing, I'm not going to screw up my HTTPS configuration".

So when the site administrator is an adult, and the site user is an adult, who should win?

Your mom, naturally.

Licensed Pirate® since 2006, 100% Buttcoin™-free
Posted on 20-01-24, 01:43 (revision 1)
Custom title here

Posted by sureanem
How is this functioning as intended? You make some trivial mistake in the configuration and your site breaks. How can it ever be acceptable for a piece of software to disregard my explicit wishes?

That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

It is like XHTML, only people like it because it is no harder to implement and makes Google happy, whereas XHTML is hard for them to implement because they suddenly have to actually know what they're doing and stop pasting broken code for the browser to sort out for them.



It is also notable that you've previously said that end users SHOULDN'T be able to override server-side decisions re: DNS. So why change now?

--- In UTF-16, where available. ---
Posted on 20-01-24, 02:21
Stirrer of Shit
Posted by Kawa
I was not aware files that are in use could be deleted quite so easily.

Only on Windows. On Linux, it's a standard way of programming. Also, there do exist tools on Windows to do this IIRC.

And let's not get into access control, ownership...

What about them? I am restricted from doing some stuff to files owned by root but if I type in sudo then I don't have these problems anymore. It's a clear-cut example of my point: "yeah you can't do X but actually you can if you just insist on it".

If it wasn't so late for me and my laptop was still running, I'd try to delete system32 from my Win10 VM just to see if it'd let me.

I do remember doing it in a VM, and I recall they let me do it. I mean why else would the 'delete system32' meme be a thing?
Posted by tomman
I've always been tempted to run rm -rf / on something to see the world burn right in front of my eyes.

It stays on but if you try to do anything it will - correctly - inform you the file can't be found.

Posted by Screwtape
HSTS is when a site administrator says "I am an adult, I know what I am doing, I'm not going to screw up my HTTPS configuration".

So when the site administrator is an adult, and the site user is an adult, who should win?

The user controls his browser, the server administrator controls his server. The server administrator shouldn't have the power to compel the USER AGENT to act in contravention of the user's agency, just as I shouldn't be able to tell the server to disregard its configuration. I tried to come up with a good example, but I couldn't, since everyone just accepts that server administrators administer their servers.

Posted by CaptainJistuce

That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

Yeah but that doesn't make it any less of a stupid idea. Lighting a million dollars on fire is a stupid idea, but pointing out that the intent was to make a lot of money go up in smoke doesn't solve this problem.

Like, if the idea was that if you use HTTPS and get a warning you can click through it, but with HSTS you have to click through it really hard, or go to about:config or whatever, I wouldn't have a problem. Then we still preserve the user-agent property of the browser. It should follow my orders, not smugly tell me how it's a broken piece of shit by design.

It is also notable that you've previously said that end users SHOULDN'T be able to override server-side decisions re: DNS. So why change now?

I do not believe I have suggested DoH should not be disableable in about:config. That would be absurd. As much of the browser as reasonably possible should be configurable in there. I just believe it's a bad idea for applications to use the OS' settings, when the only reason for such settings is to perform reprehensible acts.
With that being said, I don't understand why Firefox doesn't respect /etc/hosts. Like, dude, it's one file query. This should not be hard. You're 200 megabytes of code deep already. Just add an about:config switch to parse /etc/hosts in the browser level.

There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
Posted on 20-01-24, 03:42
Custom title here

Posted by sureanem

Posted by CaptainJistuce

That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

Yeah but that doesn't make it any less of a stupid idea. Lighting a million dollars on fire is a stupid idea, but pointing out that the intent was to make a lot of money go up in smoke doesn't solve this problem.

Like, if the idea was that if you use HTTPS and get a warning you can click through it, but with HSTS you have to click through it really hard, or go to about:config or whatever, I wouldn't have a problem. Then we still preserve the user-agent property of the browser. It should follow my orders, not smugly tell me how it's a broken piece of shit by design.

The idea is that this is a transaction that absolutely needs to be secure. There needs to be as much assurance as possible there are no TLS downgrade attacks, no man-in-the-middle eavesdropping, no suspicious behavior at all. Any suspicious activity is immediate grounds for terminating the connection, because if the connection cannot be trusted, then no transaction should take place. Surely, someone as security-minded as you profess to be would be GRAVELY CONCERNED that there are HTTPS errors in the first place.


The problem is not "HSTS works as advertised", it is misuse of a good feature. Google is punishing EVERYONE for not enabling HTTPS when their website does not need HTTPS, then punishing them AGAIN for not enabling HSTS when their website does not need HSTS.


I'd also argue that browsers are moving towards preventing ANY overrides of HTTPS issues. They've already placed big scary doom warnings and hid the option to override so you have to click more buttons to show the option before you can begin the override. So place your flag not in "HSTS works as advertised", but at "all HTTPS transactions are moving towards being treated as if they were HSTS transactions"




And to be blunt, I question why HTTPS errors were ever allowed to be ignored at all. If you believe your connection needs to be secure, you should refuse to allow an insecure connection.
Were I writing the spec, I would require both ends of the transaction to terminate the connection if there was an HTTPS error. If the client software is out of spec and attempts to continue the transaction anyways, it doesn't matter because the server software slammed the door in their face. HSTS wouldn't even exist, because regular HTTPS would already do more.

--- In UTF-16, where available. ---
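
As an added illustration of the behaviour described in the post above (not code from any poster or from any browser), here is a small Python model of how a user agent following RFC 6797 records an HSTS policy and then refuses an override on a TLS error. The function and class names, the `now` timestamps and the `.test` hostnames used with it are constructed for this example.

```python
def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains), or None."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:
            return None                      # repeated directive: header is invalid
        seen.add(name)
        value = value.strip().strip('"')     # max-age may be a quoted string
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True               # unknown directives are simply ignored
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self._hosts = {}                     # host -> (expiry time, include_subdomains)

    def note_header(self, host, header, secure_ok, now):
        """Record a policy; only a header from an error-free HTTPS response counts."""
        policy = parse_sts(header) if secure_ok else None
        if policy is None:
            return
        host = host.lower().rstrip(".")
        if policy[0] == 0:
            self._hosts.pop(host, None)      # max-age=0 is how a site withdraws its policy
        else:
            self._hosts[host] = (now + policy[0], policy[1])

    def is_known(self, host, now):
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):         # exact host first, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def on_navigation(self, scheme, host, tls_error, now):
        """Return the user agent's decision for one navigation attempt."""
        known = self.is_known(host, now)
        if scheme == "http" and known:
            scheme = "https"                 # upgraded before any plaintext request
        if scheme == "https" and tls_error:
            return "hard-fail" if known else "warn-with-override"
        return "load-" + scheme
```

The policy is something the site sent earlier over a clean connection and it expires after `max-age`, so the hard failure applies only to hosts that opted in and only until the stored entry lapses or the site sends `max-age=0`.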
Posted on 20-01-24, 06:25 (revision 1)
Full mod

I think I've come up with a hypothetical workaround:

1. The user requests the user agent to go to Facebook

2. The user agent resolves www.facebook.com, and initiates a TLS connection

3. Through acquired knowledge (such as the Certificate Authority database and HSTS database), the user agent discovers that on the current network, "www.facebook.com" is not part of Facebook, and presents an error page to the user.

4. The error page should have a button with a label like "I am OK with connecting to a site that is not actually Facebook".

5. If the user clicks that button, the user-agent should choose a URL at random from the user's browsing history whose hostname component is not www.facebook.com, and connect to that instead.

Someone file an issue on Bugzilla!

The ending of the words is ALMSIVI.
Posted on 20-01-24, 06:29
Custom title here

Sounds reasonable to me.

--- In UTF-16, where available. ---
Posted on 20-01-24, 07:21
maybe try putting a www in front of the domain.
Posted on 20-01-24, 10:46 (revision 1)
The Brickshitter™

You don't get to specifically call out "even system32" and then argue when I cast doubt on deleting folders on specifically Windows systems. That's just bad form.

Edit:
I do remember doing it in a VM, and I recall they let me do it. I mean why else would the 'delete system32' meme be a thing?

I have several Windows VMs, and I just tried it on the Win10 one. I have very fresh memories, short term even, of starting with 4288 files inside System32 (not counting the folders), and ending with 4274 and an apparently no less stable system on reboot. It wouldn't even begin to delete anything when I selected System32 itself, the very first file found being in use or TrustedInstaller's, and not giving me a "skip" option.

I have no Win7 VM, that's my actual system, but I did just confirm that it too has a TrustedInstaller, and this random System32 file can't be altered by anyone but TrustedInstaller, so it'd likely be about as effective to try it on the other Windows still in use by regular people as it is on 10.
Posted on 20-01-24, 10:59
Is it still limited to TrustedInstaller if you disable UAC?

AMD Ryzen 3700X | MSI Gamer Geforce 1070Ti 8GB | 16GB 3600MHz DDR4 RAM | ASUS Crosshair VIII Hero (WiFi) Motherboard | Windows 10 x64
Posted on 20-01-24, 11:17
20% cooler

Disabling UAC does not change file permissions, if that's what you were implying.
Posted on 20-01-24, 11:31
Custom title here

Posted by Nicholas Steel
Is it still limited to TrustedInstaller if you disable UAC?
Yes. Because what Kawa said.
TrustedInstaller is still the only account allowed to tamper with it, the file is not modifiable by administrators.
UAC just generates the gray-screen "are you SURE you want to change your display resolution" popups.


If I recall, it is possible to go in and add Administrator access rights to TrustedInstaller files and directories. THEN the file is touchable by administrators.
But that's a definite case of "not given enough rope to hang yourself, so you went out and bought more".

--- In UTF-16, where available. ---
Posted on 20-01-24, 13:02
Board Programmer

I just went through all the Windows VMs I have, in descending order of release, to find the first one that lets you delete System32.

It's Windows 98. Which barely uses System32 — it uses System. You can't just select the System folder and delete that either, it'll say that's a system folder that Windows requires to run. You can only accept that. So I go into the folder itself and find 1087 files there, not counting more folders. I can delete all but 98 of them (they're in use), and then Windows 98 still runs but won't boot.

The "delete system32" meme, according to KYM's Google Trends insert, started in 2004, and with Windows 2000.

Indeed, Windows 2000 also doesn't let you simply select and delete the folder just like Win98 doesn't let you delete the system folder. But it gets better: besides the files it can't delete because they're in use, Windows 2000 put back almost everything I deleted. When I restarted, the only immediately obvious difference was that the startup sound was "ting" instead of the normal one.

XP does the same, but with more hurdles to get there and see the files.