undefined | Better HN

0 pointsxg155y ago0 comments

Without buying a domain. (and continously spending money to keep it owned)

0 comments

Run your own CA internally and handle the CA distribution problem with MDM tools.

xg15OP5y ago

I admit, that's a solution, even if a very unpleasant one: Installing a custom root CA is intentionally complicated, so this is hardly doable as an onboarding experience. The setup must be repreated for every single client device that should access the server.

There remains the question how I would get the CA certificate onto client devices in the first place.

Lastly, with asking consumers to install a CA certificate, I ask for a significantly more powerful permission than if I could just have them trust my certificate. This seems like a step backwards security-wise.

est315y ago

> Lastly, with asking consumers to install a CA certificate, I ask for a significantly more powerful permission than if I could just have them trust my certificate.

CA certificates can be constrained. https://tools.ietf.org/html/rfc5280#section-4.2.1.10

2 more replies

p2t2p5y ago

It is no more complicated than a self signed certificate. Two clicks in Firefox, 4 taps in iOS

1 more reply

lawnchair_larry5y ago

That is also an insane and unrealistic suggestion.

demersb5y ago

~$5/year (US) for a domain, and a one time investment of setting up a few scripts might save you a lot of time in the long run.

xg15OP5y ago

Honestly, my main issue is not even the price, it's that devices cannot be stand-alone anymore. Even if my device is purely for LAN use and wouldn't need the internet at all, I now need to ensure it has an internet connection and I have to keep a domain owned that must be constantly renewed.

The device will also only be accessible if an internet connection is present, even if both the device and the client are in the same LAN - because the client has to access the device through the domain.

This means, should I ever lose the capacity to support the device and renew the domain, the device will become useless, even if technically, it is still completely functional.

p2t2p5y ago

> Honestly, my main issue is not even the price, it's that devices cannot be stand-alone anymore.

That’s not true at all. I’ve created a CA and a script to generate and sign server certificates and I generated them left right and centre now for my very standalone, local network only with no access to the internet whatsoever services. I added my CA to my browsers and my iPhone and everything works perfectly.

1 more reply

hannob5y ago

> Honestly, my main issue is not even the price, it's that devices cannot be stand-alone anymore.

I'm wondering where the impression fo" not any more" comes from. Really the situation hasn't changed much. You can have your HTTP webinterface. You can have HTTPS with a selfsigned cert and click away the warning. The only thing that really has changed is that for your HTTP connection you will get a warning that the connection is not secure.

I don't think the ability of browsers to load HTTP pages will go away any time soon.

1 more reply

gsich5y ago

No. Your DNS can also be locally, so you have no Internet dependence.

dimensi0nal5y ago

A .net is 83 cents a month.

imtringued5y ago

That's usually a limited special offer. Not everyone wants to change domains every year.

dimensi0nal5y ago

https://www.cloudflare.com/products/registrar/

jt21905y ago

There’s always the .local TLD, which is reserved for this use case:

https://en.m.wikipedia.org/wiki/.local

lvh5y ago

That works, but you can't get public certs for it, because you can't prove you own that domain (indeed, you don't :))

jt21905y ago

Please remind me where I said anything about public certificates. ;-)

xg15 is going to have to run a self-hosted Certificate Authority (CA) and generate certificates himself.

Karunamon5y ago

That article goes on to state that .local is reserved by RFC6762 (multicast DNS), which if you use that domain on your network, will cause problems with any services using it, usually Macs or iPhones.

This document specifies that the DNS top-level domain ".local." is a special domain with special semantics, namely that any fully qualified name ending in ".local." is link-local, and names within this domain are meaningful only on the link where they originate. [...] Any DNS query for a name ending with ".local." MUST be sent to the mDNS IPv4 link-local multicast address 224.0.0.251 (or its IPv6 equivalent FF02::FB).

I'd recommend using something like .lan instead.

jt21905y ago

I think you’re talking about running DNS locally (not sure) and resolving .local addresses by DNS. In that case, yes, the devices that do lookups by mDNS will experience a delay caused by first querying mDNS before falling back onto DNS. The solution is to set up mDNS for the internal resources.

Using an unregistered domain like .lan has serious security implications. See here: https://serverfault.com/a/17566

1 more reply

nitrogen5y ago

Why not just use mDNS too and stick with .local?

xg15OP5y ago

I haven't heard about that yet. this sounds interesting indeed. But how would I get a valid certificate for a .local domain?

jt21905y ago

You need to set up your own “chain of trust” to verify your self-generated certificates. You can run your own Certificate Authority for example. (There are other approaches too.)

j / k navigate · click thread line to collapse

0 comments

dharmab5y ago

Run your own CA internally and handle the CA distribution problem with MDM tools.

xg15OP5y ago

There remains the question how I would get the CA certificate onto client devices in the first place.

est315y ago

> Lastly, with asking consumers to install a CA certificate, I ask for a significantly more powerful permission than if I could just have them trust my certificate.

CA certificates can be constrained. https://tools.ietf.org/html/rfc5280#section-4.2.1.10

2 more replies

p2t2p5y ago

It is no more complicated than a self signed certificate. Two clicks in Firefox, 4 taps in iOS

1 more reply

lawnchair_larry5y ago

That is also an insane and unrealistic suggestion.

demersb5y ago

~$5/year (US) for a domain, and a one time investment of setting up a few scripts might save you a lot of time in the long run.

xg15OP5y ago

This means, should I ever lose the capacity to support the device and renew the domain, the device will become useless, even if technically, it is still completely functional.

p2t2p5y ago

> Honestly, my main issue is not even the price, it's that devices cannot be stand-alone anymore.

1 more reply

hannob5y ago

> Honestly, my main issue is not even the price, it's that devices cannot be stand-alone anymore.

I don't think the ability of browsers to load HTTP pages will go away any time soon.

1 more reply

gsich5y ago

No. Your DNS can also be locally, so you have no Internet dependence.

dimensi0nal5y ago

A .net is 83 cents a month.

imtringued5y ago

That's usually a limited special offer. Not everyone wants to change domains every year.

dimensi0nal5y ago

https://www.cloudflare.com/products/registrar/

jt21905y ago

There’s always the .local TLD, which is reserved for this use case:

https://en.m.wikipedia.org/wiki/.local

lvh5y ago

That works, but you can't get public certs for it, because you can't prove you own that domain (indeed, you don't :))

jt21905y ago

Please remind me where I said anything about public certificates. ;-)

xg15 is going to have to run a self-hosted Certificate Authority (CA) and generate certificates himself.

Karunamon5y ago

I'd recommend using something like .lan instead.

jt21905y ago

Using an unregistered domain like .lan has serious security implications. See here: https://serverfault.com/a/17566

1 more reply

nitrogen5y ago

Why not just use mDNS too and stick with .local?

xg15OP5y ago

I haven't heard about that yet. this sounds interesting indeed. But how would I get a valid certificate for a .local domain?

jt21905y ago

You need to set up your own “chain of trust” to verify your self-generated certificates. You can run your own Certificate Authority for example. (There are other approaches too.)

j / k navigate · click thread line to collapse