Comment by lxgr 2 days ago

Any malicious website can access my gamepad, since it can trivially get a Let's Encrypt certificate – the only requirement for getting "secure origin" API access.

What exactly is this restriction preventing me from, then? (And what does a malicious website do with my gamepad data anyway?)

> Not never, but the total amount of users doing it is probably high tens or low hundreds at most

Yes, I'm fully aware that local hosting is rare in the grand scheme of things, but I think you're vastly underestimating the potential. It's currently not even possible to do much better even as a commercial NAS provider, and these are somewhat popular.

A big part of that also seems like a chicken and egg problem: Fewer and fewer users do it because it's getting harder and harder, thanks to browser standards and OS defaults being largely driven by stakeholders that have no interest in it becoming easier.

Yes, none of this is an evil conspiracy; it's just a question of incentives and priorities in the end. I just find it so sad how willingly even a "hacker" audience here embraces the move towards more and more centralization, on more than one dimension. (Peer-to-peer vs. client-to-server, "trusted CA only" vs. trust on first use, cloud vs. self-hosting etc.)

stephenmac98 2 days ago

Allowing self-signed certificates creates a higher risk for MITM attacks. Sure, you can trivially get a Let's Encrypt certificate once you register a DNS entry, but you can't trivially get a Let's Encrypt certificate which validates google.com.

If you control the local network it's trivial to redirect traffic intended for elsewhere, like "google.com", and trivial to have the server it redirects to present a certificate with "google.com" in its subject or SAN.

What would happen on a laptop is you would be hit with a certificate validation error because it was self signed, and on the laptop you have the ability to bypass it, but that ability to bypass is very dangerous. Most users will not properly check a certificate before clicking to trust it.

As far as what could be done, "this is a low value device to an attacker" is not a security measure, but beyond that I'm sure that people have bought games on a gamepad, and anything which involves financial transactions has the potential for malicious behavior with severe consequences.

  • lxgr 2 days ago

    Then only allow self-signed certificates for literal IPs or those on .local (and other private/reserved TLDs).

    Right now, .local is completely impossible to encrypt, as well as impossible to use “secure origin” APIs on, which is a shame.
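One way to write down the policy lxgr proposes (tolerate a self-signed certificate only for literal IP addresses in non-public ranges and for names under local-only TLDs) while keeping stephenmac98's MITM point intact: a public name such as google.com never qualifies, so a LAN-level redirect to a self-signed "google.com" server would still fail validation. This is an added example, not code from the thread or from any browser; the suffix list (.local, localhost, home.arpa), the address ranges, and the deliberately crude first-hextet IPv6 check are this example's assumptions.

```javascript
// Added example, not code from the thread or from any browser: a policy check
// that tolerates a self-signed certificate only for origins that cannot be
// reached from the public Internet. The suffix list and address ranges are
// assumptions made for this example, not a standard.

// Names reserved for local-only resolution (assumed list): RFC 6762 .local,
// RFC 6761 localhost, RFC 8375 home.arpa.
const LOCAL_ONLY_SUFFIXES = ["local", "localhost", "home.arpa"];

// Parse a dotted-quad IPv4 literal; returns the four octets or null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// RFC 1918 private ranges, loopback, and link-local (169.254/16).
function isNonPublicIPv4([a, b]) {
  return (
    a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a === 127 ||
    (a === 169 && b === 254)
  );
}

// Crude IPv6 check on the first hextet only: ::1 loopback, fe80::/10
// link-local, fc00::/7 unique-local. Returns null when host is not IPv6.
// Brackets that the URL parser keeps around an IPv6 hostname are stripped.
function isNonPublicIPv6(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (!h.includes(":")) return null;
  if (h === "::1") return true;
  const first = parseInt(h.split(":")[0] || "0", 16);
  if (Number.isNaN(first)) return false;
  const linkLocal = first >= 0xfe80 && first <= 0xfebf;
  const uniqueLocal = first >= 0xfc00 && first <= 0xfdff;
  return linkLocal || uniqueLocal;
}

// True when the name is, or sits under, one of the local-only suffixes.
function isLocalOnlyName(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return LOCAL_ONLY_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Classify an origin and decide whether a self-signed cert is tolerated.
// This decision is made from the URL alone, before any certificate is seen.
function classifyOrigin(urlString) {
  const host = new URL(urlString).hostname;
  const v4 = parseIPv4(host);
  if (v4) {
    const kind = isNonPublicIPv4(v4) ? "private-ip" : "public-ip";
    return { host, kind, selfSignedAllowed: kind === "private-ip" };
  }
  const v6 = isNonPublicIPv6(host);
  if (v6 !== null) {
    const kind = v6 ? "private-ip" : "public-ip";
    return { host, kind, selfSignedAllowed: v6 };
  }
  if (isLocalOnlyName(host)) {
    return { host, kind: "local-name", selfSignedAllowed: true };
  }
  return { host, kind: "public-name", selfSignedAllowed: false };
}

// Constructed sample origins for illustration.
for (const u of [
  "https://192.168.1.50:8443/",
  "https://nas.local/",
  "https://[fd12::1]/",
  "https://8.8.8.8/",
  "https://google.com/",
]) {
  console.log(u, classifyOrigin(u));
}
```

The decision deliberately keys on the hostname rather than on anything in the certificate: the attacker in stephenmac98's scenario controls what the presented certificate says, but not which name the user typed or which address class it resolves to on the local machine.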

    • stackskipton 2 days ago

      .local also hasn't been best practice since 2005. The current recommendation, because of certificates, is to use an internal-only subdomain of a domain you have control over.

      • lxgr a day ago

        What? .local is the dedicated TLD for Zeroconf/Bonjour/mDNS! How is that deprecated?

        And you’re just reconfirming my point: All of these recommendations are great for publicly hosted sites or corporate environments, but largely impracticable for home users that don’t know how to, or don’t want to, have a second job as sysadmins.