←back to thread

Just want simple TLS for your .internal network?

(github.com)
246 points nh2 | 1 comments | 18 Oct 24 06:10 UTC | HN request time: 0.214s | source
Show context
ndsipa_pomu ◴[22 Oct 24 08:36 UTC] No.41912342[source]
I prefer to assign an external name to an internal device and grab a free SSL cert from LetsEncrypt, but using DNS challenge instead as internal IP addresses aren't reachable by their servers.
replies(9): >>41912368 #>>41912827 #>>41913126 #>>41913387 #>>41913720 #>>41913826 #>>41916306 #>>41917079 #>>41917804 #
candiddevmike ◴[22 Oct 24 11:09 UTC] No.41913126[source]
Obligatory if DNS validation is good enough, DANE should've been too. Yes, MITM things could potentially ensue on untrusted networks without DNSSEC, but that's perfect being the enemy of good territory IMO.

This would allow folks to have .internal with auto-discovered, decentralized, trusted PKI. It would also enable something like a DNSSEC on/off toggle switch for IoT devices to allow owners to MITM them and provide local functionality for their cloud services.

replies(3): >>41913298 #>>41914996 #>>41916478 #
1. tptacek ◴[22 Oct 24 17:22 UTC] No.41916478[source]
DANE rollout was attempted. It didn't work reliably (middleboxes freak out about DNSSEC), slowed things down when it did, and didn't accomplish any security goals (even on its own terms) because it can't plausibly be deployed DANE-only on the modern Internet. Even when the DANE working group came up with a no-additional-RTTs model for it (stapling), it fell apart for security reasons (stripping). DANE is a dead letter.

It happens. I liked HPKP, which was also tried, and also failed.