undefined | Better HN

0 pointsjupp0r4y ago0 comments

If it's cheaper for you to run an http than an https server then you are holding it wrong.

0 comments

Internal domains, where getting a certificate to client devices is painful

I've had the same issue, but mostly for home lab type stuff. Even if you set up an internal CA and all the trappings, you still have a root cert problem. For consumer devices without easy access to certificate stores, it gets complicated fast.

Maybe the state of the art has changed since the last time I looked, but it would be really nice to have something as easy as Lets Encrypt for private tools while at the same time not exposing internal network details.

cloudwizard4y ago

It works in secure contexts. internal domains with .localhost name are considered secure.

https://developer.mozilla.org/en-US/docs/Web/Security/Secure... Locally-delivered resources such as those with http://127.0.0.1 URLs, http://localhost and http://*.localhost URLs (e.g. http://dev.whatever.localhost/), and file:// URLs are also considered to have been delivered securely.

xg154y ago

Yes, because they are hardwired to point to your own machine. You cannot use those to deploy an internal webapp.

hhh4y ago

External wildcard cert? Maybe it’s different in smaller shops, but it’s just as easy for me to get an internal cert as it is to get an external cert. Only annoying part about our shop is a hard req fit EV certs, so no ACME.

pests4y ago

You can use a public CA like LetsEncrypt then. Exposes you to the certificate log but you should be secured already anyways. Just have to use the DNS challenge (unless you wanna poke a hole for certbot) to grab it

tedunangst4y ago

And people wonder why ioshit devices are all so cloud dependent. I just want my microwave to talk to my refrigerator (or whatever). But they have to use https, because. And the cert has to expire every 90 days, because. So now I provision a kitchen full of stuff with AWS creds so they can respond to DNS challenges to get those certs.

So much simpler for everything to revert to client only mode and route all messages through a server 3000 miles away. Until they pull the plug and nothing works at all.

eternityforest4y ago

This is why I hate privacy first thinking. The IoT is a big deal. I own basically nothing that has electricity that wouldn't be slightly to majorly improved, at low cost, by IoT.

So... lets... make the tech that powers it not suck, so we can stop with all this analog business.

schwartzworld4y ago

Why would you ever want your microwave to talk to your fridge? Imo the real reason IOT is such a shit show is because it's being crammed into every device without any actual benefit to the end user.

makeitdouble4y ago

Looking at guides for LetsEncrypt on internal IPs/domains, it seems to be as painful as creating and managing your own CA: https://geontech.com/using-letsencrypt-ssl-internally/

jupp0rOP4y ago

DNS challenge is easy to pass and automate if you can programmatically add txt records to your DNS zone. Every major cloud provider supports this with command line tools, so it's a matter of moving the DNS zone there and writing a shell script and a cron item in the worst case.

1 more reply

pests4y ago

I had a chance to skim through the link you posted - they are doing the http challenge verification (in step 6) for some reason which involves forwarding their domain into their internal network.

The DNS methods we already mentioned does not involve any of that - just a simple zone file change or a few clicks in a web UI to add a new record.

ivoc4y ago

Can someone productize this as a service please ?

1 more reply

makeitdouble4y ago

> you are holding it wrong.

For those whooshed by the reference, it's about the iPhone's antenna design flaw that Jobs poopooed on stage, to silently get it fixed on the next version.

It seems we're agreeing it's an actual issue that would merit to be fixed.

j / k navigate · click thread line to collapse

0 comments

arjvik4y ago

Internal domains, where getting a certificate to client devices is painful

jonhohle4y ago

cloudwizard4y ago

It works in secure contexts. internal domains with .localhost name are considered secure.

xg154y ago

Yes, because they are hardwired to point to your own machine. You cannot use those to deploy an internal webapp.

hhh4y ago

pests4y ago

tedunangst4y ago

So much simpler for everything to revert to client only mode and route all messages through a server 3000 miles away. Until they pull the plug and nothing works at all.

eternityforest4y ago

This is why I hate privacy first thinking. The IoT is a big deal. I own basically nothing that has electricity that wouldn't be slightly to majorly improved, at low cost, by IoT.

So... lets... make the tech that powers it not suck, so we can stop with all this analog business.

schwartzworld4y ago

Why would you ever want your microwave to talk to your fridge? Imo the real reason IOT is such a shit show is because it's being crammed into every device without any actual benefit to the end user.

makeitdouble4y ago

Looking at guides for LetsEncrypt on internal IPs/domains, it seems to be as painful as creating and managing your own CA: https://geontech.com/using-letsencrypt-ssl-internally/

jupp0rOP4y ago

1 more reply

pests4y ago

I had a chance to skim through the link you posted - they are doing the http challenge verification (in step 6) for some reason which involves forwarding their domain into their internal network.

The DNS methods we already mentioned does not involve any of that - just a simple zone file change or a few clicks in a web UI to add a new record.

ivoc4y ago

Can someone productize this as a service please ?

1 more reply

makeitdouble4y ago

> you are holding it wrong.

For those whooshed by the reference, it's about the iPhone's antenna design flaw that Jobs poopooed on stage, to silently get it fixed on the next version.

It seems we're agreeing it's an actual issue that would merit to be fixed.

j / k navigate · click thread line to collapse