
My understanding is that there are three ways you could go about setting up an intranet web server (local network only) for HTTPS.

  1. Self-signed SSL certificate. Cons: Browsers typically don't like these. Lots of ugly warnings at the very least.
  2. Create your own SSL Certificate Authority. Cons: You have to manually install the CA on every single device that will be accessing the site (assuming it is even possible on every platform you might encounter).
  3. Purchase a real (external) domain name and get an SSL cert that covers a subdomain which will only exist in your internal DNS.

Options 1 & 2 are IMO a nonstarter for the fact that the user experience is absolutely horrible at best. Option 3 is also very non-ideal for a few reasons. For one, it requires you to spend money and keep a domain renewed. Let's say hypothetically that this web app was something you envisioned everyone and their mother wanting to use (by use I mean run their own local version on their private network). That would require everyone who wants to run this app to register a domain. That's a fairly huge requirement and barrier for entry.

My real question is this: would it make sense for IANA to reserve a TLD specifically for private networks, and then for web browsers to accept self-signed SSL certificates from domains bearing this TLD if and only if that domain resolves to a private IP address?

  • There is virtually no difference between the first and second option since in both cases the user of the client is manually trusting and installing your certificate. The process of installing an SSL certificate that's been created for a local intranet domain isn't that difficult. Something that anyone setting up what you describe should be willing to do. There are also free SSL certificates that are trusted by all browsers on all operating systems (Let's Encrypt).
    – Ramhound
    Commented Dec 1, 2021 at 23:39
  • @Ramhound Ok, so just write up a manual with chapters for every operating system on how to obtain the .PEM file or whatever and give the user instructions on how to install the CA. I'm sure that won't confuse Grandma, I mean she's so good at these kinds of things.
    – Chris_F
    Commented Dec 1, 2021 at 23:42
  • Sorry, this is a non-starter. The whole reason that browsers no longer trust self-signed certs is that their origins cannot be trusted, and your scenario will lead to exploits. Making it trivial for Grandma to run a webserver is never going to be a priority for web governance and to be honest the barriers to entry are intentional. For instance, crime is more common on lower cost TLDs. Besides, your scheme relies on the LAN having DNS infrastructure, so the complexity is already built in. The value of HTTPS in this case is pretty minimal anyway. Just use HTTP.
    – Frank Thomas
    Commented Dec 2, 2021 at 0:39
  • @FrankThomas and what exactly is the harm if this only works with a specifically designated local TLD? In order to exploit it you would A) need to set up a server on someone's LAN and B) be limited to only providing a local domain. It's not like you could impersonate Google or JPMorgan under what I proposed.
    – Chris_F
    Commented Dec 2, 2021 at 0:46
  • First thought is phishing. For instance, a DNSChanger malware repoints the IP address of the local server to a remote server under the attacker's control, which then steals your login credentials. HTTPS certificate infrastructure is designed to ensure that you know when the server you intended to connect to is not the one you are actually connected to, and there is no way to do that when the cert is for an unregistered domain, and there is no way to make sure that the endpoints identified by any given host for your local TLD are in fact local.
    – Frank Thomas
    Commented Dec 2, 2021 at 0:53

1 Answer

No.

Just because a web server is on a local network does not mean it's the one you are intending to visit and has not been compromised.

Further, what defines a local network? What is to stop someone abusing a "special local TLD"? How do you define local and handle its exceptions? How can you be sure that because something is on the LAN it's not been compromised or MITM'd?

BTW, there is already a .local special domain name reserved for local networking.

  • Point of clarification: by "local" IP address I meant to say private IP address. That's not a subjective distinction.
    – Chris_F
    Commented Dec 2, 2021 at 1:46
  • @ChrisF it's absolutely a subjective distinction. Taken to a bit of an extreme it's entirely practical to subnet 192.168.0.0/24 further, and it's COMMON to connect to networks with RFC 1918 (i.e. private IP space) between multiple networks.
    – davidgo
    Commented Dec 2, 2021 at 1:50
  • "Just because a web server is on a local network does not mean it's the one you are intending to visit and has not been compromised." The point is you would only have to worry about a local server on your private network possibly interfering with another local server on your private network. Explain how this somehow opens the door to you compromising something like google.com for a user.
    – Chris_F
    Commented Dec 2, 2021 at 1:50
  • The .local domain is used by Apple for other purposes. It's been tainted and is no longer freely available for this exclusive use.
    – Chris_F
    Commented Dec 2, 2021 at 1:51
  • Where do I start? A local server on a "private network" could be a local server on a private network belonging to someone else (common if you connect with related businesses without going across the wider Internet, or using a VPN). A domain name is not fundamentally associated with an IP address, and there is no easy and secure way to implement this (just for a start different levels of the OSI model, problems with remote nameservers and DoH). Even assuming a private network, if it has WiFi a hacker can breach it and plant a device and MITM/redirect stuff...
    – davidgo
    Commented Dec 2, 2021 at 1:55
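The rule the question proposes ("accept a self-signed certificate under a reserved TLD only if the name resolves to a private IP address"), together with the DNSChanger objection in the comments and the answer's "what defines private?" objection, modelled as an added Python example. This is not code from the original thread, from any browser, or from IANA: the TLD name lan-example, the hostnames and every address in the resolver tables are constructed, and no such TLD is reserved.

```python
"""Model of the browser rule proposed in the question, run against
constructed DNS answers. Added illustration only; the TLD, hostnames
and addresses are made up for the example."""
import ipaddress

RESERVED_TLD = "lan-example"  # hypothetical reserved TLD; none exists

# RFC 1918 space, which is what the asker means by "private IP address".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def proposed_policy(hostname: str, resolver: dict) -> bool:
    """True if the proposed rule would accept a self-signed certificate
    for hostname, given the answers the client's resolver returns.
    Note the only inputs are the name and the resolver's answer."""
    if not hostname.endswith("." + RESERVED_TLD):
        return False
    ip = resolver.get(hostname)
    return ip is not None and is_rfc1918(ip)


# Constructed answers: what the asker expects the LAN resolver to return.
HONEST_DNS = {
    "files.lan-example": "192.168.1.20",
    "printer.lan-example": "10.0.0.5",
}

# The same names after DNSChanger-style tampering (the comment's scenario):
# whoever controls the resolver's answers controls the policy's input.
TAMPERED_DNS = {
    # Redirected off the LAN. 203.0.113.0/24 is a documentation range,
    # standing in here for an Internet host the victim did not intend.
    "files.lan-example": "203.0.113.40",
    # Redirected to a different host on the same LAN: still RFC 1918.
    "printer.lan-example": "10.0.0.250",
}


def evaluate(resolver: dict) -> dict:
    """Run the proposed rule for every name in a resolver table."""
    return {name: proposed_policy(name, resolver) for name in resolver}


def classification_disagreements(ips) -> dict:
    """'Private' has no single definition: compare RFC 1918 membership
    with the standard library's broader is_private, which also counts
    loopback, link-local, documentation and other non-routable ranges."""
    out = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        out[ip] = {"rfc1918": is_rfc1918(ip),
                   "stdlib_is_private": addr.is_private}
    return out


if __name__ == "__main__":
    print("honest resolver:  ", evaluate(HONEST_DNS))
    print("tampered resolver:", evaluate(TAMPERED_DNS))
    print(classification_disagreements(
        ["10.0.0.250", "100.64.0.1", "203.0.113.40", "172.16.5.5"]))
```

Under the honest table both names pass. Under the tampered table the redirect to an Internet address is refused, but the redirect to another host on the same LAN passes, because the rule tests only the address a resolver handed back, and that answer is exactly what an attacker who tampers with DNS controls; nothing in the rule binds the name to a particular server, which is the job a certificate chain does. The last function shows the answer's "what defines private" point: 100.64.0.0/10 (carrier-grade NAT) is neither RFC 1918 nor public, and the standard library's is_private counts documentation ranges such as 203.0.113.0/24 as private, so two implementations of the same rule would already disagree on which names to trust, and an RFC 1918 address reached over a VPN into someone else's network (172.16.5.5 here) passes just as a host on your own LAN would.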
