Sunday, 17 January 2016

The Last Bastion of Port 80?

It's good to see the wane of plain HTTP traffic, and the rise of almost ubiquitous HTTPS. Indeed the 30 or so tabs I happen to have open today comprise 24 HTTPS and 6 plain HTTP (3 of these belonging to a large organisation that should know better). We can't trust the transmission media in the way we did in those carefree days of the 90s, so everything sensitive must be encrypted. Of course, we know the perils of mixing plaintext delivered content within supposedly secure pages, and likewise the issues around moving from one realm to the other. As such, we have no option: HTTPS is everywhere.

There is one last place, however, where plain ol' HTTP reigns supreme - home network appliances. Things like the new NAS I treated myself to the other day to replace an aging linux server. What do I need to bother with keeping that running - all I really need is a DLNA server, Samba... case closed, the NAS is perfect. Trouble is, these devices all encourage us to administer them over port 80. I can see why, as well. Because of all the issues secure sites have had being spoofed, it is more and more difficult to visit a site with no "real" certificate. You need to click through 101 warnings and find the "advanced" section to allow the transaction to continue. This is a good thing for the Internet at large, but it brings difficulties in cases like this.

What's the answer? Well, there's not a good one - at least not yet. I appreciate the efforts Buffalo have gone to in allowing me to upload a certificate for my NAS. That's a start. I'd like to see HSTS as an option: so that once I have either sorted the cert, or added it as an exception I don't accidentally go back to plaintext.

Is there room for an extension to HTTP/2 that can help us set up these home devices, where we've got no infrastructure? Perhaps. It sounds like something that could be exploited, however - so would need careful thought. If the "Internet of Things" is going to be a reality, though, we must do better (perhaps the "everything has it's own webserver" paradigm is what needs to die?)

In the meantime,  make sure you give each of these devices a unique password, so if it is sniffed off your network by the cat (my cat's not that into hacking, so I'm ok), she can't log into your amazon account.

No comments:

Post a Comment