[HamWAN PSDR] Idea for addressing HTTPS on HamWAN - NO-CRYPT

John C. Miller kx7jm at jmit.com
Fri Aug 16 23:00:35 PDT 2019


For ease of discussion I'll refer to the idea of bypassing encryption on the web for P97 compliance as "NO-CRYPT."



First a couple of general comments:



1) My expectation is that NO-CRYPT would be most useful during times of non-emergency.  During declared emergencies, and assuming a permissive stance by the FCC, NO-CRYPT or equivalent should be immediately disabled.  This would address the issue of "civilians" like hospital employees not having unfettered access to content on the web via HamWAN.



2) Perfection would be nice, but it's not a design requirement.  If NO-CRYPT increases the usefulness of HamWAN even to a modest degree during non-emergency operations by enabling access to additional web content, I would count that as a win. 



3) There's nothing to prevent any particular HamWAN connected sites from simply not using the NO-CRYPT scheme if they choose to.  The main intention is to find a way to make as much web content accessible as possible during non-emergency times, and thereby increase the usefulness of HamWAN for any participants wanting to do so.  Maybe google.com can't be accessed via HamWAN during non-emergency times. If so, I'll still sleep at night.



Echoing Bryan's comment, I too would be concerned that any clarification of Part 97 could be made to the detriment of us all.  As lawyers are apt to say: Never ask a question unless you already know the answer.  That applies well to the FCC.



As to Doug's comment, I would like as much as possible to avoid a user having to do much of any config or tweaking on their browser, such as specifying a web proxy.  That may end up being unavoidable, but I'm starting with the goal of not requiring that.  That's why I'm focused (for the moment) on using a transparent proxy.





I'm aware of Expect-CT, certificate pinning, and HSTS.  There are other obstacles that have not even been mentioned.  But I guess we'll have to see what testing shows.  



I repeat:  Implementing NO-CRYPT for web traffic is very non-trivial, but it may be workable. 



John C. Miller

mailto:kx7jm at jmit.com

(530)873-9005







---- On Fri, 16 Aug 2019 19:13:50 -0700 Jake Visser <visser.jacob at outlook.com> wrote ----





> From reading the draft, it looks like adding a root cert will still allow overriding this
 

You're right – that is the intent; but in current implementations, it’s the “it is acceptable” wording that is interpreted.  In all cases so far the “SHOULD NOT” submit a report is honored, but Chrome isn’t going to let you load google using any certificate not issued by a google.  There are ways around this for enterprise deployments; and it probably is a fair assessment that hams could deploy a second browser configured in that manner… but for a general user, it's going to be a lot harder than just installing a new root cert.

 

From: mailto:Bryan at bryanfields.net
 Sent: Friday, August 16, 2019 6:58 PM
 To: mailto:psdr at hamwan.org
 Subject: Re: [HamWAN PSDR] Idea for addressing HTTPS on HamWAN

 

On 8/16/19 9:40 PM, Jake Visser wrote:
 > Much like HSTS; Expect-CT is starting to be deployed too (this replaces
 > certificate pinning). 
 > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
 > 
 > This will prevent users from accessing sites that are signed by a
 > certificate that does not appear in the public transparency logs…
 
 From reading the draft, it looks like adding a root cert will still allow
 overriding this.  Is that not what 2.4.1 speaks of in there?  I'll admit I'm not
 up on the newest SSL standards.
 
 > The best option – if this is truly to be used for emergency communications
 > – is to try the proposed FCC path.
 
 I would say we not try that.  The FCC rules can be interpreted a number of
 different ways now, it's likely if we ask for clarification they may do so in
 a way making this all a violation.   Right now the FCC rules are moot on
 encryption, the word doesn't appear in part 97 at all.
 
 -- 
 Bryan Fields
 
 727-409-1194 - Voice
 http://bryanfields.net
 _______________________________________________
 PSDR mailing list
 mailto:PSDR at hamwan.org
 http://mail.hamwan.net/mailman/listinfo/psdr
 


