from Hacker News

Mediocre Engineer's Guide to HTTPS

by MediumD on 5/26/24, 3:17 PM with 35 comments

  • by jessriedel on 5/26/24, 5:35 PM

    Tangential question from a layman: when I lose access to a particular website, or the internet as a whole, why is it so hard to tell where in the chain the failure is occurring? Like it’s often unclear whether

    * I’ve got a network misconfiguration on my local machine;

    * My wifi connection to the router is down;

    * The cable between my router and ISP is cut;

    * My ISP is having large scale issues; or

    * The website I’m trying to reach is down.

    I’ve been given the vague impression that it has something to do with a non-deterministic path by which requests are routed, but this seems unconvincing. If some link on the path breaks, why doesn’t the last good link send a message backward that says “Your message made it to me, but I tried to send it the next step and it failed there.”

  • by StrLght on 5/26/24, 9:55 PM

    Might be relevant: there's also detailed and somewhat interactive byte-by-byte example of TLS for TLSv1.2[0] and TLSv1.3[1]. I absolutely love it and highly recommend checking it out if you want to learn more about TLS.

    [0]: https://tls12.xargs.org/

    [1]: https://tls13.xargs.org/

  • by jonwest on 5/26/24, 9:43 PM

    Does anyone have more examples of articles written in this perspective? Regardless of my experience level I love diving through “ELI(a mediocre engineer)” type explanations as I either learn another piece that wasn’t completely clear, or gives me another set of examples to help explain it to other people. Either way they’re generally very helpful.

  • by Snawoot on 5/26/24, 6:32 PM

    > The client generates a premaster secret, encrypts it with the server’s public key, and sends it to the server.

    It's already not true for, like, ages.

  • by debo_ on 5/26/24, 8:02 PM

    > aka. Writing HTTP requests from San Francisco for $300K/year

    Best part of the article!

  • by raxxorraxor on 5/27/24, 9:46 AM

    > Current version of TLS (>1.3) do not support RSA (and various other cipher suites) for security reasons.

    That is true for the key exchange part because RSA does not offer forward security. For signatures RSA is still used and probably still the most widely spread type of x509 certs.

    I know Safari just upped the requirements to 2048bit keys for RSA not too long ago (for signatures).

  • by wonnage on 5/26/24, 7:19 PM

    This reads like an AI summary of an actual HTTPS explainer. Terms get introduced with no context - no explanation of what a certificate is or how the chain of trust works, assumes the reader knows about public key cryptography, describes six out of the seven OSI layers (RIP presentation layer) without mentioning that term at all, etc.

    TBF it is titled as mediocre!

  • by pietrod on 5/27/24, 6:30 AM

    I'm unable to find some code where it shows how to verify the signature of SHA256(client_hello_random + server_hello_random + curve_info + public_key) I know the theory but somehow there is some issue to implement it, anybody can link an actual toy program showing practically how to do this?

  • by deathanatos on 5/27/24, 5:16 AM

    > By agreeing on all these algorithms, exchanging random seeds, and the server’s SSL certificate containing the private key;

    I sure hope not. But I suppose it is titled "Mediocre Engineer".

    > $300K/year

    … I'll undercut you by $50k/y; where do I apply?

    (There are just more and more errors. TLS <1.3 doesn't even work the way it describes, even though it tries to throw newer stuff into 1.3. The DNS section describes a recursive resolver, but the client isn't going to do that. It is probably talking to a stub resolver, too. "Internet Layer". The implication of "brotli" being a widely used algorithm in a ciphersuite/in TLS's compression, "Current version of TLS (>1.3) do not support RSA" …

    … these sorts of blogspam are why I wish sometimes that there was a downvote. The advert isn't so obnoxious as to make me want to flag is low enough. I guess I should write the less mediocre article and make the HN frontpage. If only I made $300K/y, I'd have more time.)

  • by _ache_ on 5/26/24, 6:06 PM

    Everything in that article is a little outdated, 30% of web request are in HTTP3 now a day with CORS. There is no date of publication.