238 points edent | 3 comments
nimbius No.29810343
you should not use wildcards or letsencrypt for internal authentication as it's insecure for a few reasons.

0. implicit reliance on a network internet connection means any loss of ACME to the letsencrypt CA makes renewal of the cert or OCSP problematic. if the internet goes down, so does much of the intranet that is not reliant upon it.

1. wildcard certs make setting up an attack on the network easier. you no longer need an issued cert for your malicious service, you just need to find a way to get/use the wildcard. you should know your services and SANs for the certs. these should be periodically audited.

replies(3): >>29810446 #>>29810610 #>>29811791 #
Macha No.29810446
1. Renewal is scripted to try every day for 30 days in advance with most common utilities. If Let's Encrypt and all other ACME hosts are down for 30 days, I think you have bigger issues.

2. If you can't secure a wildcard cert, how does the same problem not apply to a root CA cert, which could also then do things like sign google.com certs that your internal users trust, which feels strictly worse. (I know there are cert extensions that allow restricting certs to a subdomain, but they're not universally supported and still scoped as wide as a wildcard cert).

replies(3): >>29810533 #>>29810679 #>>29812834 #
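The audit nimbius calls for (knowing every service and every SAN, and flagging wildcards) and the name-constraints comparison Macha raises can both be checked with a short script. The block below is an added example, not code from the thread or from Let's Encrypt; the service inventory and the per-certificate SAN lists are constructed for illustration, and the hostnames are placeholders. It implements RFC 6125 wildcard matching for SANs and the RFC 5280 dNSName subtree rule that a name-constrained CA enforces, so you can see concretely what each form of scoping covers.

```python
"""Audit certificate SANs against a service inventory and evaluate a
dNSName name constraint. Added example; all data below is constructed."""

# Constructed inventory: the hostnames the organisation actually runs.
KNOWN_SERVICES = {"git.corp.example", "wiki.corp.example", "vpn.corp.example"}

# Constructed records as an inventory job would collect them from the
# certificate store (keyed by a placeholder serial; the subject CN is ignored
# because clients only consult the SAN list).
CERT_SANS = {
    "serial-01": ["git.corp.example"],
    "serial-02": ["*.corp.example"],
    "serial-03": ["wiki.corp.example", "evil.corp.example"],
}


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' is only accepted as the entire left-most
    label, it matches exactly one label, and it never matches the parent name
    or a public suffix such as '*.com'."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    labels = san.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    hlabels = hostname.split(".")
    return len(hlabels) == len(labels) and hlabels[1:] == labels[1:]


def audit(cert_sans: dict, known: set) -> dict:
    """Return {serial: [finding, ...]} for certificates that carry a wildcard
    SAN or a SAN naming a host that is not in the inventory."""
    findings = {}
    for serial, sans in cert_sans.items():
        issues = []
        for san in sans:
            if san.startswith("*."):
                covered = sorted(h for h in known if san_matches(san, h))
                issues.append(
                    f"wildcard {san} covers every single-label host under "
                    f"{san[2:]}, not just the known services {covered}"
                )
            elif san not in known:
                issues.append(f"SAN {san} is not in the service inventory")
        if issues:
            findings[serial] = issues
    return findings


def dns_name_permitted(name: str, permitted, excluded=()) -> bool:
    """RFC 5280 dNSName constraint evaluation: a name satisfies a subtree when
    it equals the subtree or is formed by adding labels to its left, so a
    constraint spans any number of labels (wider than a wildcard SAN, which
    matches one). Excluded subtrees win over permitted ones; an empty
    permitted list imposes no restriction."""
    def in_subtree(n: str, sub: str) -> bool:
        sub = sub.lower().rstrip(".")
        return n == sub or n.endswith("." + sub)

    n = name.lower().rstrip(".")
    if any(in_subtree(n, s) for s in excluded):
        return False
    return not permitted or any(in_subtree(n, s) for s in permitted)


if __name__ == "__main__":
    for serial, issues in audit(CERT_SANS, KNOWN_SERVICES).items():
        for issue in issues:
            print(f"{serial}: {issue}")
    for host in ("git.corp.example", "a.b.corp.example", "google.com"):
        print(host, "permitted under corp.example CA:",
              dns_name_permitted(host, ["corp.example"]))
```

Run against the constructed data, serial-02 is reported for its wildcard and serial-03 for the unexpected `evil.corp.example` SAN, while serial-01 is clean; the name-constraint check shows that a CA constrained to `corp.example` can still issue for any depth under that suffix but not for `google.com`.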
cassianoleal No.29810679
If an organisation I work for requires me to trust their CA, that trust will go into a VM where the only things allowed to run are internal to the org. This will hamper my productivity, but only for a short time until my notice period runs out, at which point I will be working for another, saner organisation.
replies(2): >>29811036 #>>29812016 #
Macha No.29811036
I don't go that extreme - my employer is free to install their own root CA on devices they own and supply.

I understand some startups are a bit more "Go get your own computer". I think if they paid for it, it's still their device, but once you pay for it out of your own cash, yeah, MDM or root certs are a no go.

replies(1): >>29812014 #
cassianoleal No.29812014
Right.

I should note that I'm a contractor and I always bring my own tools, which includes the computer. That said, I still prefer to use my own device where I can. It's got the tools I use, configured how I like them, and I'm very familiar with all its quirks which means I have less context switching.

I have worked for clients with tighter regulation controls where I was required to use designated devices for certain tasks but that's been pretty much all of it.

I would rather not have to carry 2 computers around just because an organisation can't trust me to use my own computer, despite having hired me for a substantial amount of money to operate their production infrastructure.

replies(1): >>29813070 #
ClumsyPilot No.29813070
I find having a separate machine has its advantages, the problem is when IT start managing it they typically do not understand that developers and 'standard users' like an accountant have totally different needs