[Freedombox-discuss] some thoughts on URI namespaces

Ingo Stock mail at ingostock.de
Tue Mar 24 12:34:28 UTC 2015


On 29/12/14 07:26, Markus Sabadello wrote:
> Another thing Sunil and I talked about yesterday is https://letsencrypt.org/
> 
> If we add that to fbx, all our SSL problems should go away, right?
> No matter if we use subdomains or not..

Even if letsencrypt.org is trustable, this still leaves freedombox
vulnerable to MITM, if the browser trusts any other malicious CA.

With subdomains, there are three possibilities:
- Confirm the certificate for every subdomain on every device/browser
- Create a CA on freedombox and add it to every device/browser
- Rely on a third-party CA, which leaves it vulnerable to MITM

With folders/directories there are some benefits:
- Confirm the certificate one time on every device/browser -> Most
trustworthy, best practice from security standpoint
- Have a single point of entry to freedombox which allows other
benefits, as we can have a single login to freedombox and use every
application without having to log in again (this would make freedombox a
single user device, which may be intended?)

The folder/directory paradigm can be implemented by having all
applications listening on different ports and the webserver proxying
every request for a directory to this port, like this (apache syntax):

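    # Proxy requests whose Host header starts with "mailpile" to the backend port
    RewriteCond %{HTTP_HOST} ^mailpile
    RewriteRule ^/(.*) http://192.168.0.173:8077/$1 [P]
    # Rewrite Location headers in backend responses to point back at the proxy
    ProxyPassReverse / http://192.168.0.173:8077/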

But this solution has a major drawback: As the applications think they
run in the root directory, they may provide links not relative to their
designated directory, but to the root directory. This can be solved by
hacking the applications or by rewriting the HTML itself on the fly, but
is really dirty and hacky and can lead to hell in the future.

Still, this opens up another very nice opportunity: As freedombox would
have a single point of entry, a shared navigation bar can be injected
into the HTML of each web interface, so we can switch from one
application to another and have a truly integrated freedombox user
experience.

regards, ingo
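
Added example, not part of the message above or of FreedomBox code: a small audit that lists the URLs in a backend's HTML which would resolve outside its directory once the application is mounted under a prefix, together with the prefixed form an on-the-fly rewrite would have to produce. The mount point /mailpile and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PREFIX = "/mailpile"  # assumed mount point on the shared front-end host
URL_ATTRS = {"href", "src", "action"}

def escapes_prefix(url, prefix=PREFIX):
    """True if a browser would resolve url outside prefix on the proxy host."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:    # absolute or protocol-relative (//host/x)
        return False
    if not parts.path.startswith("/"):  # document-relative, query or fragment only
        return False
    return not (parts.path == prefix or parts.path.startswith(prefix + "/"))

class LinkAudit(HTMLParser):
    """Collect (tag, attr, url, rewritten) for URLs that escape the prefix."""
    def __init__(self, prefix=PREFIX):
        super().__init__()
        self.prefix = prefix
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and escapes_prefix(value, self.prefix):
                self.findings.append((tag, name, value, self.prefix + value))

def audit(html, prefix=PREFIX):
    parser = LinkAudit(prefix)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample of what a backend that believes it lives at "/" might emit.
SAMPLE = """
<html><head><link href="/static/app.css" rel="stylesheet">
<script>fetch("/api/search?q=inbox")</script></head><body>
<a href="/inbox/">Inbox</a> <a href="compose">Compose</a>
<a href="//cdn.example.org/lib.js">CDN</a> <a href="https://example.org/help">Help</a>
<a href="/mailpile/settings">Settings</a> <a href="#top">Top</a>
<form action="/login" method="post"></form> <img src="/mailpilefoo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, fixed in audit(SAMPLE):
        print(f"<{tag} {attr}={url!r}> -> {fixed!r}")
```

The fetch("/api/search?q=inbox") call in the inline script is not reported: URLs built in JavaScript are invisible to an attribute-level rewrite, so they still reach the root of the shared host.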
