Main reason is that it's hard to get certificates for intranets that all devices will properly trust.
Public CAs don't issue (free) certificates for internal hostnames, and running your own CA has the drawback that Android doesn't allow you to "properly" use a personal CA without root, splitting its CA list between the automatically trusted system CA list and the per-application opt-in user CA list. (It ought to be noted that Apple's personal CA installation method uses MDM, which is treated like a system CA list.) There are also random/weird one-offs like how Firefox doesn't respect the system certificate store, so you need to import your CA certificate separately in Firefox.
The only real option without running into all those problems is to get a regular (sub)domain name and issue certificates for that, but that usually isn't free or easy. Not to mention that if you do the SSL flow "properly", you need to issue one certificate for each device, which leaks your entire intranet to the certificate transparency log (this is the problem with Tailscale's MagicDNS as a solution). Alternatively you need to issue a wildcard certificate for your domains, but that means that every device in your intranet can have a valid SSL certificate for any other domain name on your certificate.
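As an added illustration (not part of the comment above, and not code from any project it mentions), the following applies the wildcard matching rules TLS clients use (RFC 6125 / RFC 9525) to constructed intranet names, to show the trade-off described: per-host certificates put each hostname into the public CT log, while one wildcard certificate is accepted for every host directly under the label, so any device holding it can present a valid certificate for any sibling host. All domain names are made-up placeholders.

```python
"""Wildcard vs per-host certificate coverage for a constructed intranet.

Matching rules implemented (conservative reading of RFC 6125 / RFC 9525):
- DNS labels compare case-insensitively;
- '*' is only honoured as the entire left-most label;
- it matches exactly one label, so it never matches the bare parent
  domain or a deeper subdomain.
"""

# Constructed example hosts; none of these are real names.
LAN_HOSTS = [
    "fridge.home.example",
    "nas.home.example",
    "router.home.example",
    "home.example",              # the parent zone itself
    "cam.garage.home.example",   # one label deeper
]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` would be accepted for `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label and must have at least two
    # labels after it (clients reject '*.example'-style names).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Exactly one label is substituted, so label counts must agree.
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hosts_covered(cert_sans, lan_hosts=LAN_HOSTS):
    """LAN hostnames a certificate carrying these SAN entries validates for."""
    return sorted(h for h in lan_hosts
                  if any(wildcard_matches(s, h) for s in cert_sans))


def ct_exposure(certs):
    """Names that would be publicly logged in CT for a list of SAN lists."""
    return sorted({name for sans in certs for name in sans})


if __name__ == "__main__":
    per_host = [[h] for h in LAN_HOSTS]          # one cert per device
    wildcard = [["*.home.example"]]              # one shared wildcard cert
    print("per-host certs log to CT:", ct_exposure(per_host))
    print("wildcard cert logs to CT:", ct_exposure(wildcard))
    print("wildcard cert is valid for:", hosts_covered(wildcard[0]))
```

Note that the wildcard does not cover `home.example` or `cam.garage.home.example`, so a deeper zone needs its own wildcard or per-host certificate.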
If someone is in your LAN then you have bigger problems than them snooping on you while you talk to your fridge.
Like eBay? Slightly different https://nullsweep.com/why-is-this-website-port-scanning-me/
oh wow, port scanning with websockets! Interesting! Thanks for the link! :)
> get a regular (sub)domain name
You can get $2/yr domain names on weird TLDs like .site, .cam, .link, ...
> which leaks your entire intranet to the certificate transparency log
Not necessarily, you don't route the domain externally, and use offline DNS challenge/request to renew the certificate.
> You can get $2/yr domain names on weird TLDs like .site, .cam, .link, ...
You can, but as stated - that's not free (or easy). That's still yet another fee you have to pay for... which hurts adoption of HTTPS for intranets (not to mention it's not really an intranet if it's reliant on something entirely outside of that intranet.)
If LetsEncrypt charged $1 to issue/renew a certificate, they wouldn't have made a dent in the public adoption of HTTPS certificates.
> Not necessarily, you don't route the domain externally, and use offline DNS challenge/request to renew the certificate.
I already mentioned that one, that's the wildcard method.