undefined | Better HN

0 pointstialaramex6y ago0 comments

This is probably a bad idea and I'd recommend migrating off such names as a background task.

Realistically you can't entirely deconflict these names. So you always have a risk of shadowing names from the public Internet.

The public CAs spent years in denial over this (yes they used to sell publicly trusted certs for "private" names, this is now prohibited). Create internal.example.com and things get easier. To the extent security by obscurity is worth trying it's just as available this way (split horizon DNS etcetera)

0 comments

lixtra6y ago

> Realistically you can't entirely deconflict these names. So you always have a risk of shadowing names from the public Internet.

It's totally save and legitimate for ycombinator to use secret.ycombinator.com on their intranet without telling anything about it to the outside internet.

tialaramexOP6y ago

Those are names you own, and a CA will happily issue you certs for those names (but Let's Encrypt won't without a DNS record saying the name at least exists)

The grandparent was, as I understand it, talking about names they don't own, for which you've no assurance somebody else won't own them (on the public Internet) tomorrow. This used to be very common, decades ago Microsoft even advised corporations to do it for their AD, but it's a bad idea.

kuschku6y ago

What's with domains such as blubb.mysystem.local or foo.invalid?

.invalid and .local are reserved domains and guaranteed to never be in use on the public internet - yet I can't get certificates for them

zurn6y ago

If you could get certificates for them, so could anyone else including your adversaries, since there is no system of ownership for them. It would be like issuing certs for https://192.168.1.1

kuschku6y ago

Actually that's why browsers already treat http://127.0.0.1/ and certain other local IPs as if it was via https.

For all local IP and domain space - that is 192.168/16, 10/8 and so on - it should automatically treat them as if they were safe anyway.

1 more reply

j / k navigate · click thread line to collapse

0 pointstialaramex6y ago0 comments

This is probably a bad idea and I'd recommend migrating off such names as a background task.

Realistically you can't entirely deconflict these names. So you always have a risk of shadowing names from the public Internet.

0 comments

lixtra6y ago

> Realistically you can't entirely deconflict these names. So you always have a risk of shadowing names from the public Internet.

It's totally save and legitimate for ycombinator to use secret.ycombinator.com on their intranet without telling anything about it to the outside internet.

tialaramexOP6y ago

Those are names you own, and a CA will happily issue you certs for those names (but Let's Encrypt won't without a DNS record saying the name at least exists)

kuschku6y ago

What's with domains such as blubb.mysystem.local or foo.invalid?

.invalid and .local are reserved domains and guaranteed to never be in use on the public internet - yet I can't get certificates for them

zurn6y ago

If you could get certificates for them, so could anyone else including your adversaries, since there is no system of ownership for them. It would be like issuing certs for https://192.168.1.1

kuschku6y ago

Actually that's why browsers already treat http://127.0.0.1/ and certain other local IPs as if it was via https.

For all local IP and domain space - that is 192.168/16, 10/8 and so on - it should automatically treat them as if they were safe anyway.

1 more reply

j / k navigate · click thread line to collapse