(github.com)

246 points nh2 | 1 comments | 18 Oct 24 06:10 UTC | HN request time: 0.248s | source

Show context

ndsipa_pomu ◴[22 Oct 24 08:36 UTC] No.41912342[source]▶

I prefer to assign an external name to an internal device and grab a free SSL cert from LetsEncrypt, but using DNS challenge instead as internal IP addresses aren't reachable by their servers.

replies(9): >>41912368 #>>41912827 #>>41913126 #>>41913387 #>>41913720 #>>41913826 #>>41916306 #>>41917079 #>>41917804 #

candiddevmike ◴[22 Oct 24 11:09 UTC] No.41913126[source]▶

>>41912342 #

Obligatory if DNS validation is good enough, DANE should've been too. Yes, MITM things could potentially ensue on untrusted networks without DNSSEC, but that's perfect being the enemy of good territory IMO.

This would allow folks to have .internal with auto-discovered, decentralized, trusted PKI. It would also enable something like a DNSSEC on/off toggle switch for IoT devices to allow owners to MITM them and provide local functionality for their cloud services.

replies(3): >>41913298 #>>41914996 #>>41916478 #

ndsipa_pomu ◴[22 Oct 24 11:40 UTC] No.41913298[source]▶

>>41913126 #

I hadn't heard of DANE, so looked it up and found the wikipedia entry: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...

According to that, it's not supported by Chrome, nor Firefox.

replies(2): >>41916498 #>>41917893 #

1. tptacek ◴[22 Oct 24 17:24 UTC] No.41916498[source]▶

>>41913298 #

It was, once, and then got pulled.

↑

Just want simple TLS for your .internal network?