
246 points nh2 | 1 comments
ndsipa_pomu No.41912342
I prefer to assign an external name to an internal device and grab a free SSL cert from LetsEncrypt, but using DNS challenge instead as internal IP addresses aren't reachable by their servers.
DandyDev No.41912368
I do this as well, but be aware that these external names you're using for internal devices become a matter of public record this way. If that's okay for you (it is for me), then this is a good solution. The advantage is also that you run no risk of name clashes because you actually own the domain.
ndsipa_pomu No.41912544
> be aware that these external names you're using for internal devices become a matter of public record this way

Yes, I sometimes think about that, but have come to the conclusion that it's not likely to make any difference. If someone is trying to infiltrate my home network, then it's not going to really help them to know internal IP addresses as by the time they get to use them, they're already in.

dspillett No.41912874
> If someone is trying to infiltrate my home network

I don't think the publishing of host names was mentioned as a concern for small home networks, but more for larger organisations that might be subject to a coordinated break-in or simply have trade secrets¹² that might be hinted at by careless naming of resources.

----

[1] Their next big product/enhancement, as yet unannounced even within the company, for instance.

[2] Hmm, checking what is recorded against one of DayJob's domains I see clues as to who some of our clients are. Not really a significant issue for security at all, but I know at least some of our contracts say we shouldn't openly talk about that we provide services to that client³ so I'll drop a message to the ISC to suggest we discuss if we need to care about the matter…

[3] Though that is mostly in the form of not using their logos in our advertising and such.

xena No.41913199
That's why you have an internal domain that's not related to the company. Something like "packet-flinging.ninja". Everything's a tradeoff though.
deltaburnt No.41914129
It seems really easy to associate a company with its internal domain though? Unless the company treats it as a secret only known between machines.
dspillett No.41917487
> It seems really easy to associate a company with its internal domain though?

Especially as people will talk about it as a “you'll never guess what…” when talking about places they work or have worked.
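
The kind of check discussed in the thread (looking at what is publicly recorded against your own domain and whether the host names hint at clients or unannounced products), as an added example that is not part of the thread. The records are constructed, the `name_value` field layout is an assumed export shape, and `example.net`, the host names and the watchlist terms are hypothetical.

```python
import json

# Constructed sample: records shaped like a certificate-log search export.
# The "name_value" field (newline-separated names) is an assumed layout.
SAMPLE_EXPORT = json.dumps([
    {"name_value": "nas.home.example.net"},
    {"name_value": "acme-corp-portal.example.net\nwww.example.net"},
    {"name_value": "*.lab.example.net"},
    {"name_value": "project-falcon-staging.example.net"},
    {"name_value": "mail.unrelated.org"},
])

def logged_hostnames(export_json, domain):
    """Return the unique non-wildcard names under `domain` found in the export."""
    suffix = "." + domain.lower()
    names = set()
    for record in json.loads(export_json):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                continue  # a wildcard entry exposes no individual host label
            if name.endswith(suffix):
                names.add(name)
    return sorted(names)

def flag_revealing_names(names, domain, watchlist):
    """Map each hostname to the watchlist terms that appear in its host labels."""
    findings = {}
    for name in names:
        labels = name[: -len(domain) - 1]  # drop the trailing ".domain"
        hits = sorted(t.lower() for t in watchlist if t.lower() in labels)
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    names = logged_hostnames(SAMPLE_EXPORT, "example.net")
    # Hypothetical watchlist: client names and unannounced project codenames.
    report = flag_revealing_names(names, "example.net", ["acme", "falcon"])
    for host, terms in report.items():
        print(f"{host}: reveals {', '.join(terms)}")
```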