Johannes Ernst

It’s practically impossible to use #https for devices on home networks, such as #iot devices — the #certificate system simply isn’t made for servers behind firewalls.

Why?

E.g. why can’t I easily get an intermediate (and official) CA cert for my home gateway, which then could issue certs for my devices, maybe in the same breath as assigning local dns names?

Is it that simply nobody cares about this use case, and everybody is happy enough with going through vendor clouds? Or why is that?

9 comments
Ingo

@J12t That’s a use case that has always bothered me about https in particular and SSL in general.

I wish Let’s Encrypt could provide something here.

Terence Eden

@J12t
I've been thinking about this for a while - shkspr.mobi/blog/2017/11/there

The only good answers are:
* Accept a self-signed certificate on your devices.
* Use the cloud.
* Get a domain name for your home IP address and do a lot of port-forwarding.
* Go IPv6 on everything and expose your internal devices to the Internet.

It is probably a very bad idea to have certificates for local addresses.

Johannes Ernst

@Edent A variety of ways to solve this. Personally, I want to be my own local CA for my own network. So I would get an official domain name, say home.example, get a cert for it (e.g. letsencrypt) for my gateway device, but that cert would have the flag set that allows it to issue its own certs. I use that to issue certs for the devices on my network, all of which get a dns name like temperature.home.example.
</grep_replace>
<gr_replace lines="71" cat="reformat" orig="@benfrancis It says">
@benfrancis It says "This group was closed on 2023-04-07".

Lots of pieces would have to be made to work, but doable I think.

pieceofthepie :coffefied:

@J12t This is possible. I have a real domain and I use DNS verification with letsencrypt.

I use Cloudflare (I know) and Traefik, my ingress, supports that directly to just make the magic happen.

2swu35 // TCPup

@J12t I do have SSL for a lot of the stuff, but in a kinda cheaty way since I have external resolving DNS which enables generating let’s encrypt certs, and internally I point to the private IP and that enables me to speak https with valid certificates…

Yeah not the best solution but works 🤷‍♂️

Ben Francis

@J12t There's a W3C Community Group for this w3.org/community/httpslocal/

(They haven't come up with a solution yet).

Johannes Ernst

@benfrancis It says "This group was closed on 2023-04-07 ".

Ben Francis

@J12t Oh, that's news to me! The W3C have been cracking down on closing inactive community groups recently.

The Web of Things Working Group also talk about this issue a lot, so I'll ask if they or the WoT CG might look at this.

Steve Atkins

@J12t If you own a domain it’s pretty simple to get real certs from letsencrypt for non-Internet machines using dns-01 authentication. I use “lego” as a client, but most of the decent acme clients support it.
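The dns-01 flow that pieceofthepie, 2swu35 and Steve Atkins rely on works precisely because the CA only ever talks to DNS, never to the device behind the firewall. The following is an added example, not code from any of the posters or from lego/Traefik, that walks through both sides of that exchange per RFC 8555 section 8.4 and RFC 7638: the client derives the TXT value from the challenge token and its account key, and the CA recomputes it and checks the `_acme-challenge` record. The account key, token and in-memory zone are constructed stand-ins for the real account key and DNS provider API.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members,
# serialised as JSON in lexicographic order with no whitespace.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def canonical_jwk_json(jwk: dict) -> str:
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint, the value a client proves it controls."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Client side: the TXT value to publish at _acme-challenge.<name>."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def publish_challenge(zone: dict, name: str, token: str, jwk: dict) -> dict:
    """Stand-in for the DNS provider API (what lego or Traefik would call)."""
    zone.setdefault(f"_acme-challenge.{name}", []).append(dns01_txt_value(token, jwk))
    return zone


def ca_validates_dns01(zone: dict, name: str, token: str, jwk: dict) -> bool:
    """CA side: recompute the expected value and compare with what DNS serves."""
    return dns01_txt_value(token, jwk) in zone.get(f"_acme-challenge.{name}", [])


# Constructed sample values: a P-256 public JWK (not a real account key) and a token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    zone = publish_challenge({}, "temperature.home.example", TOKEN, ACCOUNT_JWK)
    print(zone, ca_validates_dns01(zone, "temperature.home.example", TOKEN, ACCOUNT_JWK))
```

The device named in the certificate never has to be reachable from the Internet; only the DNS zone does, which is why the same certificate can then be served on a private IP via split-horizon DNS as 2swu35 describes.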
