Disabling cert checks: we have not learned much
23 comments
·February 11, 2025hypeatei
Somewhat related is a recently discovered bug in the qBittorrent client where SSL checks had been disabled for a long time before someone noticed:
ghusto
Kind of related, but a little off-topic: I think tying name checking to encrypting traffic was a mistake. They are two different use cases, and shouldn't have been so tightly coupled.
Sometimes I care only about my traffic being encrypted, and resent having to jump through hoops to ignore the name mismatch. Sometimes I care only about assurances that the name is correct, and don't care about having the traffic encrypted.
Jasper_
Encryption without authentication is not very useful; if unauthenticated, your ISP could middle-man your connection and effectively decrypt everything while making you think you're encrypted.
If that's not in your threat model, and you want encryption for another purpose, then I could understand that, but currently, protecting the endpoints against malicious attackers in the middle is the big value of TLS.
SahAssar
> Sometimes I care only about my traffic being encrypted, and resent having to jump through hoops to ignore the name mismatch.
Why do you care about encryption without authentication? Without TOFU, PKI or a preshared key what is the value?
> Sometimes I care only about assurances that the name is correct, and don't care about having the traffic encrypted.
So signing?
clbrmbr
I just today reviewed a PR with a default insecure option. But here we’re working on local networks where there’s no way to get a certificate because there’s not a domain name that points to the local IP address.
At least with HTTPS over the local network, it can frustrate attempts to break into it. That said we are sure to call it “https-insecure”.
dspillett
> But here we’re working on local networks where there’s no way to get a certificate because there’s not a domain name that points to the local IP address.
There are options for this, that needn't cost.
In a company with controlled workstations, have your own CA and push the trust of that through GP or in your standard OS build, point whatever domain you like (“real” or just a local-only DNS entry) at your host and sign a cert for that with the internal CA. Generating keys & certs for each workstation can be automated. You could sign a wildcard subdomain and key+cert for each machine or person, .pc101.devteam.internal/.johndoe.devteam.internal, so each user can setup multiple dev/test services on their box without requiring support from the infrastructure team.
Or get a wildcard from LE or similar for some [sub]domain, point *.[sub.]domain to 127.0.0.1 and let everyone have the keys for that. You need to renew every 3 months or less and redistribute the cert, but that isn't massive hardship and can be automated. Also make sure this is only for dev/test though, not internal tooling that might handle read data/controls, or having multiple (potentially many) people with access to the private key is a massive security issue.
Using proper names & certs and not encouraging disabling checks for local dev/test, reduces the risk of code that doesn't do proper verification getting let out into the wild later when someone forgets to switch checks back on.
SahAssar
>There are options for this, that needn't cost.
> In a company with controlled workstations, have your own CA and push the trust of that through GP or in your standard OS build
I'd be surprised if this did not cost when done properly. Securing a (even internal) CA is a whole thing that is not trivial.
dspillett
Hence the second option.
If you are already maintaining a CA for any other reasons then use that or the same process to maintain another, otherwise the second option is probably the path of least extra work/cost.
vel0city
Its free if you value the time for a few skilled employees to spend maintaining it at $0.
Joker_vD
Or you can do none of that razzle dazzle which, if you stop to actually think about it, doesn't really bring in any security. Yeah, "let everyone have the keys for that", that's sure much more secure against some vaguely imagined threat connected with people already running arbitrary stuff on your internal network.
dspillett
I'm not sure why the level of snark is so high there, given I'd already mentioned the potential security implications meaning those keys should not also be used for non- dev/test resources.
A key reason for maintaining secure connections for everything in local dev environments is to practise for best practice: keeping your dev environments close to production configuration without doing that by lowering production's level of doing-stuff-right accidentally (or intentionally) through insecure settings (like not verifying certificates) leaking out of dev into other environments.
At least this thread isn't full of people complaining that UAs (and related libraries) should still just trust self-signed certs, and not accepting any explanation of why that is a bad idea, which used to be the norm…
null
firesteelrain
Except in airgap environments where there is no CA available to check against.
orf
This makes no sense. Do you believe TLS is somehow impossible on “airgap environments”?
firesteelrain
If the root CA is in a place that is inaccessible then there are no CRLs to check against for example. Root CA may exist outside of the airgapped env. Especially if the root CA is one that produces self signed certs. You are back to insecure TLS
orf
None of this makes any sense.
A lack of CRL doesn’t make TLS insecure.
A root doesn’t produce “self-signed certificates”. That especially doesn’t make any sense. What do you think the “self” references in “self-signed” certificate?
Add the root to your trust store, if you trust it, and you’re done.
What’s more concerning is someone working on (assumingly) secure, sensitive, air-gapped networks knows this little about TLS?
jedisct1
Create a local root CA.
ghusto
You mean create a root CA, install it as a trusted CA on _every single_ client that will interact with the client, manage revocations (whole thing in itself), and handle all the other management that goes along with being an authority (local or otherwise, it makes little difference).
firesteelrain
I can't be a CA for a root cert I don't own
Sohcahtoa82
There's nothing stopping you for creating your own root CA and using it to sign certificates for any other domain. You can create a certificate for google.com if you wanted and be signed with your own CA.
Now, obviously, you couldn't actually use that certificate publicly. If you were to try to MitM someone, their client wouldn't accept the certificate because your root CA's certificate won't be in their trusted list.
But add that root CA to your own system, and it'll work fine.
I think that many instances are disabling checks in order to troubleshoot something and then never enabling it again. And we see this on all levels - development, devops and also sysops of course. Just quickly disabling something without leaving a TODO, disabling a MSDeploy certificate check because a proper PKI has never been set-up, just ignoring any certificate errors in LAN management tools because installing a certificate is so hard.