The tiny green lock is one of the most important security measures in your home office.
Now, when it comes to the intranet, especially in your home office or at a smaller company, most people (and IT) don’t care about proper TLS (Transport Layer Security: HTTPS, SFTP, etc.). I went ahead and identified what I think are the top 3 reasons why this happens, and for the most part probably will continue to happen – and how to fix it.
Myths and beliefs:
1.) „There’s no security benefit, because self-signed is insecure“
On the public web nowadays almost everyone seems to understand that the green lock left of the address bar in their browser means „secure“. In the early days of TLS – I’m not talking about the years right after the invention and first implementation of TLS, but say around 2005 – most website owners didn’t care, unless they had a good reason like a login or checkout page, and often they didn’t bother to properly install TLS even on the latter. What’s left from these days is the message: „You’re being redirected to our SECURELY ENCRYPTED checkout“ – of course today 99.9% of websites that still display a similar statement already have all pages of their web application secured via TLS, and not only the „secure checkout“ you’re being redirected to.
On the intranet however it’s a different story. People run small home servers, media centers, database servers, connect everything to anything, over Wifi where it’s fast enough, using IP addresses instead of domain names, sometimes even disabling additional protection mechanisms like DNS rebind protection („it didn’t work otherwise“), poking holes into their NAT, disabling additional firewalls and, most importantly: They don’t use TLS.
Because, why bother?
If I use TLS in my intranet it means I have to either use self-signed certificates and „accept“ these in the browser (thus effectively disabling TLS, which a lot of professionals don’t clearly know) or create my own Certificate Authority, sign each new certificate using that CA and distribute this Root-CA to each device, which of course is not an easy process – and my guess is that the majority of users don’t understand the difference between the two ways. The difference is: using your own Root-CA will give you properly working TLS, the real thing, without your browser complaining or asking to „accept anyway“, while the first option only gives you a „bypass“ for the security checks of applications that insist on TLS. So what’s the answer then?
=> Use your own Root-CA, et voilà, you have security!
2.) „For using TLS certificates I need to have my own DNS“
…and that of course brings a huge amount of overhead and a never-ending source of strange networking problems. Even if you get things right, and it’s not particularly easy to get things right with your own DNS, it takes away a bit of that „lab feeling“: Running a service on localhost:31423 just feels like home and not like the more and more professional, sterile public web. Waiting for the solution?
=> Certificates do work on IP addresses as well! Yes, you can sign a cert for 192.168.178.34 instead of a domain name, that really works! Didn’t know that, huh?
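To show that this really works, here is an added example (not from the article) that builds a self-made Root-CA in Go’s standard library, signs a leaf certificate whose only name is the IP address 192.168.178.34 (carried as an IP Subject Alternative Name), and then verifies it the way a browser would once the root is trusted. The CA name, the IP and the validity period are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mkTemplate builds either a CA template or a server template that is valid for one IP.
func mkTemplate(cn string, isCA bool, ip net.IP) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed, not a real serial policy
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.IPAddresses = []net.IP{ip} // the IP SAN: this is what makes an IP-only cert legitimate
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildChain creates a self-signed Root-CA and a leaf certificate for ip signed by that CA.
func BuildChain(ip string) (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := mkTemplate("Home Lab Root CA", true, nil) // constructed CA name
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTpl := mkTemplate("nas", false, net.ParseIP(ip))
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf, nil
}

// Verify does what a client does after trusting the root: chain check plus name check.
// Go matches an IP literal in host against the IP SANs, so "192.168.178.34" is accepted.
func Verify(ca, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, leaf, _ := BuildChain("192.168.178.34")
	fmt.Println("own IP, own CA:", Verify(ca, leaf, "192.168.178.34"))
	fmt.Println("other IP:", Verify(ca, leaf, "192.168.178.35"))
}
```

Distribute only the root certificate (never its key) to your devices; the leaf’s IP SAN must match the address the client actually types into the browser, otherwise the name check fails even though the chain is fine.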
3.) „TLS only protects me against man-in-the-middle (MitM) attacks and nothing else“
„I heard these are hard to pull off and the adversary must be inside my infrastructure. If that’s the case, then isn’t it too late already and TLS won’t protect me anyway?“
First of all, MitM attacks are extremely easy to pull off. Unlike the name suggests, an adversary doesn’t literally have to be „in the middle“, plugged into your LAN cable. Due to the way modern networks operate, a MitM attacker can sit on almost any device that can be put into promiscuous mode (even a smart lightbulb) as long as it runs Linux and has networking. Wifi makes it easier, and MitM attacks not only enable eavesdropping but open the gate WIIIDEEE [squeaky noise] to all sorts of attacks: giving an adversary the option to manipulate (we call it spoofing) ANY data packet in your home, to the point that he / she / x can redirect your requests to an attacker-controlled, identically looking website, like online banking, your email provider or even a server panel login on the public internet. With a bit more skill that spoofed page may also show the shiny green lock to boost your trust, while it grabs your credentials or just switches out the target account number with the attacker’s bank account number. Having set up TLS will significantly reduce these risks and make it much harder for an attacker to spoof internal pages (like your router login), because you can now identify the spoofed page in the first stage of the attack: It either has no shiny green lock at all, or, if you check the certificate, it is not signed by your CA. If you went all in and set up your own DNS properly and configured your clients statically or via DHCP, it completely removes an attacker’s possibility to set up his own DNS and redirect your requests. Of course, there are more advantages, the ones people usually think of in terms of TLS: The attacker cannot read credentials or other sensitive data from your network data stream. Now extend your picture of MitM attacks to an attacker being able to do these things over Wifi – regardless of DNS, TLS or the fact that you’re using good old (fast) Ethernet cables.
If you take care of disabling protocol downgrade and unencrypted connections you may suddenly (what? how did that happen) arrive close to a zero trust network where services simply refuse to talk to other devices not having valid certs, but I admit that is not an easy setup and may require additional components like putting services behind a reverse proxy and configuring mutual TLS everywhere.
If an attacker gets MitM in your TLS-unprotected environment it’s game over for you big time – while you may not even notice. For this one, there’s not really a single technical piece of advice:
=> Instead you need to understand the implications of missing TLS and the severity of MitM attacks.
On top, TLS not only protects against the above: It’s in general the best way to IDENTIFY which page you’re actually visiting, what your browser is talking to right now. Is that really YOUR wifi router? It may also be the identical model from your neighbor (where you just entered your login password or tried to store data on a NAS). That’s within your network, where you’re the most vulnerable while also taking the lowest amount of precaution (password Post-It, anyone?).
A self-made Root-CA doesn’t cost anything, except for a bit of work and the willingness to learn how stuff works!
I hope this short article helped you a bit to get another perspective on TLS in your intranet. Have fun, stay safe!
(MG) – Article was written late and very tired, so mistakes are probably plentiful. I’ll try to update when I can.