
238 points edent | 3 comments
ChrisMarshallNY No.29809728
This is an interesting topic, for me.

I write iOS apps, and iOS requires that all internet communications be done with HTTPS.

It is possible to use self-signed certs, but you need to do a bit of work on the software, to validate and approve them. I don't like doing that, as I consider it a potential security vector (you are constantly reading about development code that is compiled into release product, and subsequently leveraged by crooks).

I am working on a full-stack system. I can run the backend on my laptop, but the app won't connect to it, unless I do the self-signed workaround.

It's easier for me to just leave the backend on the hosted server. I hardly ever need to work on that part.

replies(3): >>29809863 #>>29810001 #>>29810540 #
1. tzs No.29810540
> I write iOS apps, and iOS requires that all internet communications be done with HTTPS

What if the app is on the same network as the server?

I've got a Denon A/V receiver that has an HTTP interface and the Denon iOS app is able to talk to it. I've watched this via a packet sniffer and it definitely is using plain HTTP.

replies(2): >>29810860 #>>29811081 #
2. ChrisMarshallNY No.29810860
> I've got a Denon A/V receiver that has an HTTP interface and the Denon iOS app is able to talk to it. I've watched this via a packet sniffer and it definitely is using plain HTTP.

That's interesting. I wonder why Apple let that go by. I've had apps rejected, because they wouldn't use HTTPS. Maybe it's OK for a local WiFi connection. Even then, Apple has been fairly strict.

That said, I think that there are ways to register for exceptions.

3. prashnts No.29811081
Yeah, same with a couple of apps I use: WLED and HomeAssistant both work on HTTP.