this post was submitted on 27 May 2024
855 points (96.6% liked)

Programmer Humor

32003 readers
1094 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
cat_programmer@lemmy.ml
855
Lemmy today (i.imgflip.com)
submitted 3 months ago by HowManyNimons@lemmy.world to c/programmerhumor@lemmy.ml
198 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] CanadaPlus@lemmy.sdf.org 1 points 3 months ago (1 children)

Man, I thought we were done with this shit when HTTPS became standard.

[–] markstos@lemmy.world 3 points 3 months ago (1 children)

With what? HTTPS has to terminate the encryption somewhere and that place has to have the private key to do so.

CloudFlare is providing the same service here as all other hosts of HTTPS websites do.

[–] CanadaPlus@lemmy.sdf.org 0 points 3 months ago* (last edited 3 months ago) (1 children)

Well, depends. If it's hosted on AWS and HTTPS terminates there like it's supposed to, Amazon could look inside, but a human being would have to personally hack your container and extract the data, so that's a bit better. If it's something more like Wix, though, sure. (Is Wix still a thing?)

[–] markstos@lemmy.world 3 points 3 months ago (1 children)

If you use the AWS load balancer product or their certificates, they have access to the private key, regardless of whether you forward traffic from the LB to the container over HTTPS or not.

If you terminate the SSL with your own certificate yourself, Amazon still installs the SSM agent by default on Linux boxes. That runs as root and they control it.

If you disable the SSM agent and terminate SSL within Linux boxes you control at AWS, then I don’t think they can access inside your host as long as you are using encrypted EBS volumes encrypted with your key.

[–] CanadaPlus@lemmy.sdf.org 1 points 3 months ago (1 children)

Obviously, I've never actually done this. Good to know.

I'm starting to worry that HTTPS is entirely fake - in the sense that it's purely decorative encryption that protects an insignificant part of the transaction. Like, maybe by design. The NSA's been doing something all these years.

[–] markstos@lemmy.world 1 points 3 months ago (1 children)

HTTPS is real and tested.

[–] CanadaPlus@lemmy.sdf.org 1 points 3 months ago

When used as intended, yes. What I mean is that in practice it may have been weakened, by promotion of services that use it in ways far from best security practices.