It really feels like you're throwing in the towel. The internet is designed specifically to allow federation between forests of hosts. That's what routers do. Browser vendors need to get their heads out of the fucking cloud and stop coercing people into relying solely on global TLS. I think TLS is wildly misunderstood. The whole global certificate thing only works for global communication. Global hosts should be your first point of contact and from there you should be able to leverage global TLS to bootstrap more intimate trust relationships... to make informed decisions about the trust relationships you want to establish. Browsers need to facilitate this not do everything possible to prevent you from owning your trust. If your browser is only able to communicate globally that's not the internet's fault. It's not TLSs fault (TLS is designed to allow clients to choose who they trust). That a failure of your browser to support your diverse use case.
If you like tilting at windmills then go ahead. Since forever people have written software that assumes a global internet.
However today the situation is much worse. The global internet is a very hostile environment. Everybody who writes software that has to work on the internet has to assume the worst.
If there are modes in a piece of software that assume the network can be trusted, then you can be sure that some attacker will try to activate that mode.
You cannot assume that the users of a piece of software have any idea how the internet works. If they can solve an immediate problem by disabling security, they will.
So, over time just about any piece of software that wants to support secure use on the internet will come with built-in trust anchors that are very hard to change.
In browsers this trend is quite visible. But the same trend, though less visible is going on in DNS.
E-mail is a bit of a mess. But the basic features are there. Just not a lot of adoption.
To sum it up, users don't want to know about internet security. They want their devices to work securely at a random open wifi network. Devices have a hard time figuring out if they are in a trusted environment. So the best way forward is to assume all environments are untrusted and require encryption everywhere.
My issue was with you suggesting people abandon security if they don't want a public internet connection.
I think the global TLS system works great when you're in a global context. But now the internet has proliferated and it's infecting people's homes. It turns out people _don't want_ to be in that hostile global context when they're at home. They want a context that is private. They want to isolate their home from the firehouse of global bullshit out there.
I think we've passed an inflection point and we're seeing a revival of attention to home networking. Sure for the last 15 years all I connected to my wifi was my laptop and that's pretty useless without the global internet. But now people have IoT things. Door locks, ovens, toilet paper, you name it. Why the hell would anyone want those things phoning home to a remote server all the time? Why does it even need to be publicly routable? Maybe it does need limited connectivity so strong interactive controls allowing you to federate whatgoes in and out are necessary. More than ever the _integrity_ of your home is also the integrity of your network. Your network is an appliance now. It is the lifeblood of your home.
People deserve to be able to administrate their personal enclaves as they see fit and do it securely. The best way to prevent someone from remotely unlocking my doors is to eliminate the remote path to the door lock. Did you forget that we've come rather far in securing later 2? People _can_ and _should_ trust their home network. Not wrecklessly, but private networks are not a fairy tale.
Finally finally, don't patronize users. The users of today are tomorrow's grandmas. It's not unreasonable to expect we can slowly adapt user expectations and understanding surrounding the security of their software. I'm not saying you don't have a point, but I think it's a disservice to users to treat them all like idiots.
> They want a context that is private. They want to isolate their home from the firehouse of global bullshit out there.
With all due respect, over the past fifteen years of trying to secure corporate networks, we've learned the hard way that this simply isn't a realistic goal. Having a hard outer shell and a squishy center just leaves the entire network vulnerable, because it's simply not possible to isolate yourself from the badness of the outside world. As soon as you let anyone in who's ever spoken to the hostile outside world, they bring the hostile outside world in with them.
We can't keep pretending that we can keep home networks isolated from the rest of the world when many of the computers in those networks move freely between the global Internet and the private home intranet. All connected devices are part of the global Internet whether or not we want them to be, and whether or not their connections are persistent.
I think we're arguing similar things. I'm not saying we only need a hard outer shell. I'm arguing that we _need_ security in depth. And that depth should include all scopes of the internet protocol, not just global. You _should_ be able to run TLS locally so that if some global thing does get in, it now has to penetrate another security/application layer too. I should be able to tell my browser to trust these certificates for global IPs and these other ones for my home site. Why not run IPSEC in you home while you're at it too so it's even harder for a remote thing to pivot.
People can administrate their personal enclaves as they see fit. There are a number of operating systems that you can rebuild from source. You can just create your own root CA and add it to your browsers. You can run your own root DNS zone.
Most people have no clue about computer security and don't want to get one. Tomorrow's grandmas will know as little about how their computers are attacked as today's grandmas.
And they don't want to know. They want technology that is safe to use.
We know from experience that a network where devices trust each other is a disaster waiting to happen. So let's kill that model. All devices have to survive in the open internet. Because if they don't, somebody will figure a way to attack them.
I think we're talking past each other at this point. I want security both globally and locally. I want to be able to tell my browser who it should trust and what level of paranoid it should be in each context. If I go through the work of recompiling a bunch of software with custom trust anchors, I don't want it to all be for naught because in the last mile my browser says "I'm lost I only understand global TLS".
I LOVE the idea of NAT-less global internet. It's why I love IPv6. At that level anything that wants to participate should be secure and "go Chrome" for leading the charge. I even think firewalls for global IPv6 are stupid. If you're global you're global no amount of silly packet filtering rules is gonna change that.
But that's not the end all. I don't want my entire house to stop working because I got a new ISP and I have a few days of down time. Or more like because my ISP went down because they oversell bandwidth and haven't updated their routing hardware in 15 years. Maybe I don't want my file server with all my family photos globally addressable. Maybe I don't want my kids on the global internet at certain times. The point is I know what's best for my house. Im sick of the old IPv4 mindset where the only reasonable model is centralized global trust (see we agree that's been the status quo).
> Global hosts should be your first point of contact and from there you should be able to leverage global TLS to bootstrap more intimate trust relationships... to make informed decisions about the trust relationships you want to establish.
Part of setting up an account with a web service or iot device provider or whatever should be acquiring their certificate authority. However, instead of having a single bucket OS level root trust store, browsers empower users to whitelist the sites they trust that authority to well have authority over. You trust googles ca for google.com. Or maybe you don't.
At the application level, trust should be managed by the application provider and the user. Their certificate authority can issue whatever certificates it wants for whatever kind of network topology or application use cases or whatever else they need to support. As a user you're either still using a browser or you've at this point switched to their native app or you've got their JS helpers loaded or whatever. Their application logic can manage all the certificate crap so that users are minimally encumbered by it. If you're talking to local network devices their application logic would issue certificates for whatever scope of IPv6 addresses you're using. Maybe your fancy device is running dns, their thing issues certs for your scope's site, etc.
You can even do mutual TLS now because their authority can issue installs of their app their own certificates. Browsers should support client certs too. Navigating to foo.com using a scoped IPv6 address? You're prompted to select the identity you wish to use. Your browser remembers your choice for that scope. The CA is only valid for your blessed names, scope aware.
> Their certificate authority can issue whatever certificates it wants for whatever kind of network topology or application use cases or whatever else they need to support.
But that means that other customers can get a trusted certificate for the exact same ip address, right?
