undefined | Better HN

0 pointsalibarber2mo ago0 comments

Also I don't see the point of what TLS is supposed to solve here? If you and I (and everyone else) can legitimately get a certificate for 10.0.0.1, then what are you proving exactly over using a self-signed cert?

There would be no way of determining that I can connecting to my-organisation's 10.0.0.1 and not bad-org's 10.0.0.1.

0 comments

londons_explore2mo ago

Perhaps by providing some identifier in the URL?

ie. https://10.0.0.1(af81afa8394fd7aa)/index.htm

The identifier would be generated by the certificate authority upon your first request for a certificate, and every time you renew you get to keep the same one.

alibarberOP2mo ago

I see what you're getting at - but to me this sounds almost exactly like just using DNS, even if the (A/AAAA) record you want to use resolves to an un-routable address: https://letsencrypt.org/docs/challenge-types/#dns-01-challen... - you just create a DNS TXT record instead of them trying to access a server at the address for verification.

Latty2mo ago

This is assuming NAT, with IPv6 you should be able to have globally unique IPs. (Not unique to IPv6 in theory, of course, but in practice almost no one these days is giving LAN devices public IPv4s).

cpach2mo ago

A public CA won’t give you a cert for 10.0.0.1

alibarberOP2mo ago

Exactly - no one can prove they own it (on purpose because it's reserved for private network use, so no one can own it)

j / k navigate · click thread line to collapse

0 pointsalibarber2mo ago0 comments

There would be no way of determining that I can connecting to my-organisation's 10.0.0.1 and not bad-org's 10.0.0.1.

0 comments

londons_explore2mo ago

Perhaps by providing some identifier in the URL?

ie. https://10.0.0.1(af81afa8394fd7aa)/index.htm

The identifier would be generated by the certificate authority upon your first request for a certificate, and every time you renew you get to keep the same one.

alibarberOP2mo ago

Latty2mo ago

This is assuming NAT, with IPv6 you should be able to have globally unique IPs. (Not unique to IPv6 in theory, of course, but in practice almost no one these days is giving LAN devices public IPv4s).

cpach2mo ago

A public CA won’t give you a cert for 10.0.0.1

alibarberOP2mo ago

Exactly - no one can prove they own it (on purpose because it's reserved for private network use, so no one can own it)

j / k navigate · click thread line to collapse