
> has not made my life easier nor brought any benefit to my users

So I'm curious, is this appliance on a private network or something? That's the only way I see that it doesn't bring any benefit. If it is going out onto the public internet, I would think encryption and integrity would be a huge concern.



It goes out on the public internet. It's not a target because it is a library catalog. Nobody is going to man-in-the-middle looking up which shelf a book is on. I mean, I am sure you can come up with a Sneakers-style plot where it is important but no, not realistically. Could it be done? Certainly! Why would they? What's the benefit?

There's just tons of stuff out there that exists where, honest-to-gosh, credit card details and HIPAA compliance do not happen. I know Hacker News leans very heavy toward the Silicon Valley side, but I swear stuff happens in the flyover states that involves computers. It might be pedestrian and unexciting, and nobody will IPO, but they do happen.


> It's not a target because it is a library catalog.

Oh! That's actually a great little encapsulation of the larger problem here.

Before COVID hit, I was a volunteer teacher at a Girls Who Code class at a library. Most of the library's computers were running Windows 7, which of course lost security updates in January.

One of the other volunteers remarked: "Someone needs to update those to Windows 10."

I answered: "Someone should update them, yes. But no one is going to."

I don't even know if those old laptops could run Windows 10. Should the library really spend money on replacing all of them? As opposed to buying books, or teaching more students?

---

There was an article on Hacker News some time back about how the NYC subway system runs OS/2. A lot of commenters said this is a huge security risk—sure, it's ostensibly not connected to the internet, but who really knows?

But, what should be done about it? It doesn't make sense to switch out the architecture of a city's subway system every 30 years—I'm not convinced it makes sense even every 50 or 100 years. How do you set up a system like that?


We have some machines that still run Windows 7 at the office, while we don't use Windows 10 for anything beyond isolated testing environments. This is a result of assessing the risks of using Windows 10 as being greater overall than the risks of using Windows 7 in the relevant cases, despite the state of official support and lack of any further security patches. And that in turn is in no small part because Windows 10 has a track record of breaking things that would be important to our business operations. Newer is not always better, and being more secure in some respects is not always being more useful overall.


For your office specifically, have you looked into Windows 10 LTSC? That's my solution when I need to run Windows at home.


Yes, we did. The higher editions of Windows 10 do seem to be qualitatively different products that don't have the technical deal-breakers we are concerned about. Unfortunately, as far as we could tell, there was no (legal, properly supported) way to get hold of any of them for small businesses like ours through simple one-off purchases of permanent licences.


I have a lot of experience navigating Microsoft's licensing for small businesses. I have a Customer who needed Windows 10 LTSC for some PCs running expensive laboratory instruments as a recent example of needing to do just what you're looking for.

You can acquire a permanent license for Windows 10 LTSC through Microsoft's Open Business licensing program. There is a minimum initial purchase quantity of 5 SKUs, but any competent reseller will just pad your order with the lowest-price-in-the-catalog SKU to get you up to that minimum.

The Open License Agreement itself expires in two years, meaning that you're subject to the minimum 5 SKU purchase to start a new one at the end of 2 years. During the term of the Agreement you can purchase licenses piecemeal. Regardless of the Agreement's term, the software you license through the program is perpetually licensed.

This won't make it any cheaper, though. Windows 10 LTSC is ridiculously expensive, to me, for what it is. Licenses acquired through this program are transferable to new hardware, at least. That's why I used it a lot over the years. Buying Office and transferring it to a new PC once in the useful life ended up being a cost savings over buying OEM Office with the original and replacement PCs.


Thank you for sharing those insights.

The idea that you have to go through a dealer, join some overcomplicated volume licensing programme, possibly buy extra stuff, and probably pay a premium for the privilege just to get a legitimate copy of LTSC to use doesn't sit well with us.

If Microsoft offered LTSC as a one-time, off-the-shelf purchase with no strings attached, I expect we'd buy several copies immediately. It seems to be the only version of Windows 10 we might actually want, other than for having the same as our customers/clients for testing purposes. But as a small business, we have limited time and resources, and we have remarkably little interest in playing big business games.


I don't like it either, but that's proprietary software. Personally, I wish my Customers didn't have business-critical applications that keep them tied to Windows and other proprietary software.


I suppose my point is that it wasn't how proprietary software tended to work until relatively recently. For many years, we (assorted small businesses) were using the Pro editions of Windows with no drama. This only became an issue when Microsoft chose to make the Pro edition of Windows 10 unsuitable for professional use (in our humble opinion) while simultaneously locking the more suitable editions behind Big Organisation Hassle.

As a direct result of that decision, they have essentially lost our business, just like certain other large software organisations whose names start with A that have adopted similar customer-hostile practices in recent years. There are viable alternatives for almost anything these days when you're a small business with the flexibility to make intelligent policy decisions about your hardware and software purchases on a case by case basis and, if appropriate, to change those policies however you want later on.


I've been pretty displeased with how Microsoft has chosen to alienate Customers the last few years. I've made a good living since the late 90's installing and supporting Microsoft software in small businesses, and the changes in the last few years, particularly with Windows 10 and the associated Server versions, have been distressing.

I will say that I've never found the Open License program to be a tremendous hassle. There was good cost savings to be had using transferable licenses, and the product use rights and other terms and conditions were clearly spelled-out. Dealing with resellers was the worst part of it, but I managed to find good resellers who would mostly just do what I asked for and not hound me with sales-gerbil nonsense. The volume license management website was actually fairly nice, and was useful for keeping track of a Customer's license inventory.

I've had a hard time getting much free/open-source software adoption in my small business Customers. They almost always have a mission-critical application that keeps them locked to Windows (or SQL Server, Office, Exchange, etc), and no budget or desire to finance software development. The value proposition of spending money on the proprietary software is often just good enough to make it worth the cost and draconian licensing.


This is very helpful. I've bought a couple of LTSBs (now LTSC) over the years through oddball means; I strongly favor it, but it seems like Microsoft doesn't want me to be able to buy the licenses. Finding less shady-seeming resellers has not been something I've been able to manage.

I agree, they're costly.


The problem is not so much people snooping on your traffic, but injecting their own malicious content. Confidentiality isn't the only security goal of TLS.


Haven’t ISPs been caught MITM’ing literally all traffic and injecting tracking or ad code on every page? They don’t check if it’s a library catalogue or not.


A person on the library network runs Wireshark to watch the network traffic, because they're bored. They see a woman sit down at the library terminal and search for "abortion", or "cancer", or "rape". Now they know something about that woman's interests that she probably would not want them to know.

That's why I encrypt everything: you just never know what kind of things are going to catch the attention of the wrong people.


Any man in the middle might inject JavaScript in the request and hijack the user's browser.


And if our users had ever mentioned this happening once, ever, in decades, it might be important.

I've never seen it happen when I used it from home, I've never heard of it happening. It's a nobody cares situation.

Now, I have had to defend university servers from quite a lot of things, in a large variety of situations. But this? This has never shown up as an issue.


What you are looking up in the library catalog is absolutely of interest to the surveillance state. Are you okay with anyone who looks up the Autobiography of Malcolm X being added to a watchlist?

And incidentally, if your ISP decided to collect that information and share it with the government, they could collect that information with a MitM attack that would give you absolutely no indication that a MitM attack was taking place, so your assertion that "this has never shown up as an issue" doesn't hold much weight.


Can you say, with confidence, that it will never happen in the future? And if so, how much of your own money are you willing to put down on that? Would you stake your job/career on that claim that it won't happen in the future?


I’m not OP, but I’m willing to claim that there are going to be at least an order of magnitude more reported security vulnerabilities due to overly complex crypto-stacks than there are going to be reported successful internet-scale MITM-attacks.

For many things crypto itself is going to be a bigger security-risk than what it’s defending against.


Many bugs in "overly complex crypto-stacks" are more like "complexity to decrypt was reduced by X%". If it took a regular attacker 1,000,000 years to crack the encryption, it now takes only 900,000 years. So if you are not up against some state sponsored actors, these bugs in crypto stacks should be of no concern. The impact of these bugs is, instead of "nobody can read this data" now "only 10 people on this planet can read the data". That's still better than "anybody can read the data".

And sure there are other kinds of bugs like downgrade attacks but even if an attacker can downgrade you to use RC4 and decrypt data in real time, you are now in the same situation as you were when not using crypto at all. Not even that: to be in the same situation as with no crypto at all, the attacker would need to downgrade/break encryption and signing because breaking only one of both would still not allow modifying the data stream.

Bugs in crypto stacks that allow code execution or memory reads/writes on the server or client are rather rare.
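The point made above, that encryption by itself does not stop an on-path party from altering what the receiver sees, as an added Python example that is not from this thread; the keystream cipher, keys and catalog response are constructed toys, not a real cipher or real data:

```python
import hashlib
import hmac

# Constructed fixed keys so the demo is reproducible (real keys are random).
KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = bytes(range(12))
PAGE = b"<p>Shelf: QA76.9</p>"  # constructed stand-in for a catalog response

def keystream(key, nonce, length):
    # Toy keystream (SHA-256 in counter mode): models "encryption only".
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])

def stream_xor(key, nonce, data):
    # XOR with the keystream is its own inverse: it encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(key, mac_key, nonce, plaintext):
    # Encrypt-then-MAC (TLS-record-style integrity): nonce | ct | 32-byte tag.
    ct = stream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_unauthenticated(key, record):
    # Receiver that decrypts and ignores the tag: "encryption without signing".
    return stream_xor(key, record[:12], record[12:-32])

def open_authenticated(key, mac_key, record):
    # Receiver that checks the tag first; returns None on any modification.
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_xor(key, nonce, ct)

def modified_in_transit(record, offset, delta):
    # Models an on-path party flipping ciphertext bits it cannot read.
    body = bytearray(record)
    for i, d in enumerate(delta):
        body[12 + offset + i] ^= d
    return bytes(body)

def demo():
    record = seal(KEY, MAC_KEY, NONCE, PAGE)
    bent = modified_in_transit(record, 10, b"\x01\x02\x03")  # lands on "QA7"
    return {
        "intact_unauth": open_unauthenticated(KEY, record),       # PAGE
        "intact_auth": open_authenticated(KEY, MAC_KEY, record),  # PAGE
        "modified_unauth": open_unauthenticated(KEY, bent),       # altered shelf, accepted
        "modified_auth": open_authenticated(KEY, MAC_KEY, bent),  # None: rejected
    }
```

The unauthenticated receiver renders a different shelf number without noticing, while the authenticated one discards the record; that integrity check, not secrecy, is what stops the modification.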


> at least an order of magnitude more reported security vulnerabilities due to overly complex crypto-stacks than there are going to be reported successful internet-scale MITM-attacks.

On the other hand, the overly-complex crypto stacks might be the thing preventing most internet-scale MITM-attacks from being successful.


So, you will be betting your career/job on that assertion? And your money as well?

Following that, there must be a crypto-averse bank you're using to deposit your paychecks, right? And if so, can I have the URL to their public and unencrypted site?


Shouldn't the fact that there are exploitation frameworks for that specific attack vector (e.g. https://beefproject.com/) be motivation enough to not leave that vector unpatched?


> And if our users had ever mentioned this happening once, ever, in decades, it might be important.

> I've never seen it happen when I used it from home, I've never heard of it happening. It's a nobody cares situation.

It’s literally asking everyone to have an anti-nuclear defence-system at home. Utterly pointless and a waste of effort.


> I know Hacker News leans very heavy toward the Silicon Valley side, but I swear stuff happens in the flyover states that involves computers.

Yep, I live and work in one too! That's why I asked what it was. This is an edge case where I agree, it would add little utility. However, like you said, there are a lot of cases where there should be this sort of compliance but is not.

I actually thought you were referring to PLCs for public infrastructure or something similar to that. Sadly, I have gotten in arguments with people who do not want to even add encryption when talking to a PLC on the public internet.


That's definitely a case where I would find some way to lock that down in at least two ways. PLCs seem to be in that "interesting/terrifying/lucrative" triangle to me, with the middle part being the kind of thing I would protect with layers of security.

Overall, I have had to support some very odd security situations, back in the day. As an example: someone's philosophical position somehow got translated to an org-wide policy forbidding firewalls. I'll repeat that: they forbade firewalls. Because we were "open." And I had to support FTP sites. On Windows NT. I managed it without incident through layers of security and care, with watchfulness and compliance.

PLCs? Yeah, I'd lock that down like crazy.


Seriously? Knowing what books people read and search for isn't valuable information?

Do you also feel the same way about search engines? Should my Google searches be encrypted?


The info about library catalog access looks like privacy.


What does that have to do with https? https does not fix your server-side bugs. Nor does https prevent anyone from connecting to your server. The only thing (in general) that it provides is encryption of the content going over the internet. If you are hosting a public website, this content is already publicly available.


> The only thing (in general) that it provides is encryption of the content going over the internet. If you are hosting a public website, this content is already publicly available.

Why are you confusing https encryption with private vs publicly available information?

Let's unpack your concepts a bit using COVID-19 as an example[0]. The information that Wikipedia displays about COVID-19 is public information instead of top-secret classified files. But you'll notice that wikipedia serves its pages as "https". Think about why they do that. Even if you manually type "http" without the "s" in your web browser url bar[1], Wikipedia will still redirect you to "https". Why do they do that if COVID is public information?

As a web surfer, I also want wikipedia to serve its pages with "https". Think about why I would want that.

[0] https://en.wikipedia.org/wiki/COVID-19_pandemic

[1] this will still redirect to https: http://en.wikipedia.org/wiki/COVID-19_pandemic


Lots of content is publicly available but detailed information about which people are accessing exactly which parts of the content in which patterns is something else altogether and is potentially more valuable and private. https doesn’t fully protect this information but it helps.


> Niche stuff where you had one or two vendors in the whole arena

Seeing that tells me it is not just some sort of public website, and not something you just want any random person to access. Think like PLCs controlling public infrastructure (this is a real scenario in places). If it is on the public internet, I imagine the first thing you do is log in to it. If it is HTTP, those credentials are going over the internet in the clear.


No, the first thing you do is not log in to it. That's the one size fits all mindset that is part of the problem. It says "Everything is running on these two webservers, therefore we just have to cover those two use cases. Everything is super-critical top secret, so of course we will want to do it."

The first thing you do is see if the book exists. Logins go to a different system, for something else.

If you stop thinking of the Internet as a place where people put in login information and credit card details to get products shipped to them, it becomes a great deal wider and more complex. Sometimes websites are just ... present to provide information. It might be backed up by a database but that is it.


>Sometimes websites are just ... present to provide information.

The wikipedia.org website just provides information instead of data input of private sensitive information such as credit-cards. But this doesn't mean high-value targets like Wikipedia should serve plain http.


Fortunately, I am not saying that Wikipedia should serve plain HTTP. "That which is not mandatory is forbidden" is what I am trying to avoid; I am moving toward options and choices. HTTP should be an option for people depending on what their needs are and how comfortable they feel with various threat models.


> I am moving toward options and choices. HTTP should be an option for people depending on what their needs are and how comfortable they feel with various threat models.

That's fine and I agree with "http" sometimes being a valid choice.

I disagree with how you argued it using phrases like "sometimes a website just provides information instead of credit-cards". The "provides information" is a flawed mental model to base a decision tree on and just confuses people about why https is also important for non-credit-card data.

Your later qualifications specifying "threat models" are much better argued. Yes, my internal git web server doesn't need https and I don't want the hassle of getting a LetsEncrypt certificate for it. And a toy website on my Raspberry Pi on my local private firewalled NAT'd LAN doesn't need https either.

It's not about "public information"; it's about "threats".



