.INTERNAL is now reserved for private-use applications

(www.icann.org)

563 points joncfoo | 1 comments | 09 Aug 24 16:36 UTC | HN request time: 0.214s | source

Show context

8organicbits ◴[09 Aug 24 22:03 UTC] No.41205729[source]▶

>>41203368 (OP) #

My biggest frustration with .internal is that it requires a private certificate authority. Lots of organizations struggle to fully set up trust for the private CA on all internal systems. When you add BYOD or contractor systems, it's a mess.

Using a publicly valid domain offers a number of benefits, like being able to use a free public CA like Lets Encrypt. Every machine will trust your internal certificates out of the box, so there is minimal toil.

Last year I built getlocalcert [1] as a free way to automate this approach. It allows you to register a subdomain, publish TXT records for ACME DNS certificate validation, and use your own internal DNS server for all private use.

[1] https://www.getlocalcert.net/

replies(12): >>41206030 #>>41206106 #>>41206231 #>>41206513 #>>41206719 #>>41206776 #>>41206828 #>>41207112 #>>41208240 #>>41208353 #>>41208964 #>>41210736 #

yjftsjthsd-h ◴[10 Aug 24 00:33 UTC] No.41206513[source]▶

>>41205729 #

Do you mean to say that your biggest frustration with HTTPS on .internal is that it requires a private certificate authority? Because I'm running plain HTTP to .internal sites and it works fine.

replies(6): >>41206577 #>>41206657 #>>41206669 #>>41208198 #>>41208358 #>>41210486 #

lysace ◴[10 Aug 24 00:51 UTC] No.41206577[source]▶

>>41206513 #

There's some every packet shall be encrypted, even in minimal private VPCs lore going on. I'm blaming PCI-DSS.

replies(5): >>41206652 #>>41206686 #>>41206797 #>>41207668 #>>41207971 #

kortilla ◴[10 Aug 24 01:25 UTC] No.41206686[source]▶

>>41206577 #

Hoping datacenter to datacenter links are secure is how the NSA popped Google.

Turn on crypto, don’t be lazy

replies(1): >>41206832 #

otabdeveloper4 ◴[10 Aug 24 02:13 UTC] No.41206832[source]▶

>>41206686 #

Pretty sure state-level actors sniffing datacenter traffic is literally the very last of your security issues.

This kind of theater actively harms your organization's security, not helps it. Do people not do risk analysis anymore?

replies(5): >>41206889 #>>41208432 #>>41208868 #>>41210156 #>>41213945 #

1. kortilla ◴[10 Aug 24 15:23 UTC] No.41210156[source]▶

>>41206832 #

It’s not theatre, it’s real security. And state level actors are absolutely not the only one capable of man in the middle attacks.

You have:

- employees at ISPs

- employees at the hosting company

- accidental network misconfigurations

- one of your own compromised machines now part of a ransomware group

- the port you thought was “just for internal” that a dev now opens for some quick testing from a dev box

Putting anything in open comms is one of the dumbest things you can do as an engineer. Do your job and clean that shit up.

It’s funny you mention risk analysis, plaintext traffic is one of the easiest things to compromise.

↑