科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global technology news and discussion. Links: HackerNews API, original Hacker News, Next.js.

© 2025 科技回声. All rights reserved.

Ask HN: Is Security Possible?

10 points, by pc2g4d, almost 3 years ago

I've been working on a web app for the past two years and keep having the uneasy feeling that security-wise all I'm doing is adding a few "rooms" to the house of cards that is today's software and network security.

Would it be possible to host a single _bit_ on the web that I KNEW could not be hacked, exploited, MITM'd?

So much of civilization is now networked, critical infrastructure, even nuclear power plants. With the state of our security capabilities, this seems unconscionable.

I'd like to be part of building something that has actual security---not the whack-a-mole that is de facto for every major operating system, library, database, API, service, device, CPU architecture, programming language, etc.

Is security even possible?

I've learned Rust, which can solve or seriously reduce the risk of _one_ class of security holes. But that's at best a constant-factor improvement---even if all software were competently written in memory-safe languages, the threat surface would still be unfathomably vast.

What are we even doing here?

P.S. I know this is a bit hyperbolic but... there's got to be a better way?

P.P.S. The lack of security also seems to be the main threat to the Internet's end-to-end principle, which has previously been the most empowering thing about this global network.

10 comments

dane-pgp, almost 3 years ago

A helpful way to think about security is with a threat model, where you consider who the threat actors are, what they're trying to achieve, and what their resources are.

Your aim shouldn't be perfect security, but just security which is good enough that an attacker would have to spend more money on breaching your defences than the value of whatever they would gain from doing so.

Another way of looking at it is through the analogy of the two hikers who see a tiger, and one of the hikers decides to change into some running shoes. "You can't outrun a tiger!" "I don't have to, I just have to outrun you."

In a sense, security improves one hack at a time, and as long as you are doing your due diligence and being more secure than your peers/competitors, you will be doing your bit towards improving the average security of the internet.

Reply #31556067 not loaded.
sanxiyn, almost 3 years ago

Bitcoin Piñata hosted 10 BTC for three years, so I think substantial security is possible. It had one known vulnerability (in a network device driver) patched before it was exploited in its life, and zero exploited vulnerabilities (the BTC is still there). Obviously we can't know about unknown unexploited vulnerabilities.

https://hannes.nqsb.io/Posts/Pinata

Reply #31555736 not loaded.
E2EEd, almost 3 years ago

It's all broken, but a purist will go off grid and live in the woods.

Perhaps you'd find passion in pursuing a PhD (or other avenue of professional R&D) that focuses on resolving the fundamental issues with much of software development methodology, endpoint arch, and networking.

Barring that, the MO is to devise more robust bandaids.

The proprietary and secret nature of big tech security creates a playing field of fortified castles vs. self-reliant survival in the wilderness. Tail end participants such as Google's core infra security will outmatch any independent actor. And, still, both Google and Apple consumer endpoints seem to have fundamental security flaws, entrenched due to being built on many billions in investment over decades.

Something like CHERI may take decades to bear fruit, hopefully turning over and pruning any insecure legacy systems sooner rather than later. Telecom is an example of why this will likely _never_ occur anytime soon, and that we may be stuck with current security paradigms for many, many decades.

Reply #31555104 not loaded.
avianes, almost 3 years ago

It all depends on your definition of "secure".

- What kind of attack do we need to prevent?
- What do we need to be protected from?
- What do we not need to be protected from?

All of this (and more) must be defined in your threat model. A threat model precisely defines what "security" means for you in your context. Without that, the concept of "security" remains extremely vague, and therefore it can always be called imperfect against an incredibly intrusive attack.
PenguinCoder, almost 3 years ago

> Would it be possible to host a single _bit_ on the web that I KNEW could not be hacked, exploited, MITM'd?

If you don't accept or deal with any user input, third-party websites or state maintenance, e.g. entirely static content, then yes, it is possible. But as soon as you start incorporating content that isn't static, like ads or scraping from another website/content, or user input or a database, then no. There are certainly ways to keep your security high and prevent most types of run-of-the-mill exploits. It's a very broad area with entirely different methods of protection, based on, say, a cross-site scripting exploit, server side forgery, or man-in-the-middle attack. The OWASP Top Ten (https://owasp.org/www-project-top-ten/) is a great resource to learn about website risk and how to improve your security.

Reply #31554681 not loaded.
mikewarot, almost 3 years ago

> Would it be possible to host a single _bit_ on the web that I KNEW could not be hacked, exploited, MITM'd?

Yes... you need an offline host, public key crypto, a data diode, and the web host.

The offline host contains all the stuff you want to be _actually_ read-only, and signs it. Then it spools it as a stream through the data diode out to the web server, which checks the stream for errors and makes it available to the outside world.

Everything in the offline host CAN'T have ingress of control thanks to the data diode. Signing prevents MITM. You'll still be vulnerable to denial of service.
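The pipeline mikewarot describes, as an added example that is not part of the thread or of anyone's posted code: the offline host signs its content with an Ed25519 private key that it alone holds, the bundle crosses the diode as plain bytes, and the web-facing host keeps only the public key, verifies before publishing, and has no write path of its own (which is also the "entirely static content" case PenguinCoder allows above). The bundle format, the type names and the sample page are assumptions of this example; the comment names no format. Go's standard-library crypto/ed25519 supplies the signature; pushing the bytes through an actual diode device is outside the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Bundle is what the offline host spools through the data diode: a set of
// files plus one Ed25519 signature over a canonical encoding of them.
// (Hypothetical format chosen for this example.)
type Bundle struct {
	Files map[string][]byte
	Sig   []byte
}

// canonical serialises the file set deterministically (sorted paths, each
// path length-prefixed and followed by the SHA-256 of its content) so the
// signer and the verifier hash identical bytes regardless of map order.
func canonical(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	var n [8]byte
	for _, p := range paths {
		binary.BigEndian.PutUint64(n[:], uint64(len(p)))
		buf.Write(n[:])
		buf.WriteString(p)
		sum := sha256.Sum256(files[p])
		buf.Write(sum[:])
	}
	return buf.Bytes()
}

// SignBundle runs on the offline host. The private key never leaves it.
func SignBundle(priv ed25519.PrivateKey, files map[string][]byte) Bundle {
	return Bundle{Files: files, Sig: ed25519.Sign(priv, canonical(files))}
}

// ReadOnlyHost is the web-facing side: it holds only the pinned public key
// and the last bundle whose signature verified. There is no write API.
type ReadOnlyHost struct {
	pub   ed25519.PublicKey
	files map[string][]byte
}

func NewReadOnlyHost(pub ed25519.PublicKey) *ReadOnlyHost {
	return &ReadOnlyHost{pub: pub, files: map[string][]byte{}}
}

var ErrBadSignature = errors.New("bundle rejected: signature does not verify")

// Ingest accepts a bundle arriving from the diode. A bundle that fails to
// verify is dropped and the previously published content stays in place,
// so a man-in-the-middle on the wire can at worst deny an update.
func (h *ReadOnlyHost) Ingest(b Bundle) error {
	if !ed25519.Verify(h.pub, canonical(b.Files), b.Sig) {
		return ErrBadSignature
	}
	copied := make(map[string][]byte, len(b.Files))
	for p, data := range b.Files {
		copied[p] = append([]byte(nil), data...) // defensive copy of each file
	}
	h.files = copied
	return nil
}

// Get serves a published path. It is the only operation the public side exposes.
func (h *ReadOnlyHost) Get(path string) ([]byte, bool) {
	data, ok := h.files[path]
	return data, ok
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for the offline host's files.
	files := map[string][]byte{"/index.html": []byte("<h1>the bit: 1</h1>")}
	genuine := SignBundle(priv, files)

	host := NewReadOnlyHost(pub)
	fmt.Println("genuine bundle:", host.Ingest(genuine))

	// Someone on the wire flips the bit but cannot re-sign without the offline key.
	tampered := Bundle{Files: map[string][]byte{"/index.html": []byte("<h1>the bit: 0</h1>")}, Sig: genuine.Sig}
	fmt.Println("tampered bundle:", host.Ingest(tampered))
	page, _ := host.Get("/index.html")
	fmt.Println("served:", string(page))
}
```

The verifier checks only integrity and origin: as mikewarot notes, nothing here prevents an attacker from flooding the public host, and a stale-but-valid bundle replayed later would still verify unless the format also carried a monotonic version that the host refuses to roll back.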
night-rider, almost 3 years ago

Put simply: if the network can talk to the public-facing Internet, it's vulnerable. You can solve this with airgaps, but even those are vulnerable to side channel attacks. One thing you could do is remove any 'radios' from the machine that can be used for exfiltration and thoroughly vet and audit all your hardware. Bonus points for placing the machine in a giant Faraday cage.
devit, almost 3 years ago

For perfect security, the biggest problem is that you can't buy any hardware and can't use any third-party software because it could be malicious (and can't hire/delegate anything).

To serve anything via HTTPS you pretty much need a general purpose computer, which is going to be very challenging to build by hand from scratch starting from raw materials.
MattGaiser, almost 3 years ago

I am not a security expert, but we accept imperfection in everything.

We do not know that the bridge we are on will not fall down. We do not know that the aircraft we are on will not fall out of the sky. We do not know that we will not be misdiagnosed by a doctor. Most "obvious" processes and procedures had to have a body count behind them to get implemented.
netstorm, almost 3 years ago

Nothing is truly secure. If you realised how insecure everything really was, you might never be the same again.

Reply #31555526 not loaded.