Would it be possible for routers to run Let's Encrypt? Should they? Connections to 192.168.1.1 should be secure too, especially if browsers are going to become more strict about TLS adoption.
Good question, especially if widened to 'how do I secure services in my local private network?' The article @nektro links to below regarding localhost (letsencrypt.org/docs/certificates-...) provides a lot of good advice while making some assumptions that readers understand how certificates work, so let's recap those assumptions :)
So what can we do for private networks? The LetsEncrypt article has a few suggestions, as does the ASUS article linked by @bgadrian with varying levels of hacky-ness vs. complexity:
Hope this helps!
Thanks for the amazing response!
I'm not really sure how that would work. The router would need to request an address for 192.168.1.1, but the LetsEncrypt servers would require proof that you own that address, and since it's a local address, they can't do a DNS lookup or send an HTTP request to do the verification.
"I've since seen here that they aren't able to produce certificates that aren't a part of public DNS. So names like localhost and 192.168.x.x are currently not possible for Let's Encrypt. Do you think they'll add this in the future? Or potentially create 'global' certs that any service running on a local network could use?"

Breaking this down:

"Do you think they'll add this in the future"

How would you propose that Let's Encrypt validate my ownership of 192.168.1.1? They need to contact that IP address to check I own it - but their 192.168.1.1 doesn't refer to the same machine as mine. Does that make sense?

"Or potentially create 'global' certs that any service running on a local network could use"

So now, I open 192.168.1.1 in my browser, or let's say 10.45.214.12. I get back a valid Let's Encrypt TLS certificate for that IP. I'm certain that I'm talking to the machine on my LAN, or corporate WAN, with that IP address, right? Not quite - how do I know someone hasn't rerouted the traffic to a machine they control - say some kind of hacker who already has a foothold in the network?
If Let's Encrypt publicly post private keys and certificates for all the private IP addresses in existence, I can never be sure if I'm talking to the machine I want to talk to, or another machine that happens to have the same private key downloaded from Let's Encrypt!
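The reply above rests on two checks a browser makes before it trusts https://192.168.1.1/: the certificate must chain to a root the client itself chose to trust, and its subject alternative name must match the address that was typed. The added Go example below (written for this page, not code from the thread, Let's Encrypt or any router vendor) builds a hypothetical private CA for a LAN, issues a leaf for 192.168.1.1, and runs both checks against a leaf from a CA the client never installed and against a different IP; the names issue, VerifyLANCert, my-lan-ca and someone-elses-ca are made up here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue returns a self-signed CA root when ip == "", otherwise a server leaf whose IP SAN
// is ip, signed by parent/parentKey. Hypothetical helper written for this example.
func issue(name, ip string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ip == "" { // CA root: signs itself, so the template is its own parent
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	} else { // server leaf: the IP SAN is the value a browser compares with the typed address
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// VerifyLANCert mimics a browser: chain the leaf to a trusted root, then match the typed address to the SAN.
func VerifyLANCert(leaf, root *x509.Certificate, addr string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: addr})
	return err
}
// Scenario (constructed data): own CA + right IP, a CA the client never installed + same IP, own CA + other IP.
func Scenario() (trusted, untrustedCA, wrongIP error) {
	myCA, myKey := issue("my-lan-ca", "", nil, nil)
	leaf, _ := issue("router", "192.168.1.1", myCA, myKey)
	otherCA, otherKey := issue("someone-elses-ca", "", nil, nil)
	otherLeaf, _ := issue("router", "192.168.1.1", otherCA, otherKey)
	return VerifyLANCert(leaf, myCA, "192.168.1.1"),
		VerifyLANCert(otherLeaf, myCA, "192.168.1.1"),
		VerifyLANCert(leaf, myCA, "192.168.1.2")
}
```

Only the first result is nil: a certificate for the right IP from a root the client never installed fails with an unknown-authority error, and a trusted certificate presented for a different address fails the SAN match, which is exactly why a shared, publicly downloadable key for 192.168.1.1 would prove nothing.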
LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo: dev.to/dineshrathee12/letsencrypt-...
GitHub: github.com/dineshrathee12/Let-s-En...
LetsEncryptCommunity: community.letsencrypt.org/t/letsen...
If the attacker is connected to your network and intercepts your traffic, then it is too late :))
Some routers already have this option asus.com/us/support/FAQ/1034294/
I think that exposing the router admin to the internet is a bigger threat than not using a secure connection in your LAN.