@Quinnypig I still think it's kinda silly that browsers lose their shit over self-signed certs for RFC 1918 addresses.
As if all the people who work on browsers have never bought a NAS, or a router, or anything else that's an embedded device that lives on the LAN which will likely never ever see a cert update.
On a related point: it is *absolutely shameful* that I can't set up a CA locally for devices on my own RFC 1918 network (using a .home DNS name) and have https "just work" without having each client trust a CA key that then can MITM *any* https content.
Why can't I say "trust this cert only to sign stuff in 192.168.*.* or with a *.myhomenet.home DNS name"?
@fizbin @Viss @Quinnypig I think there's actually a restriction you can add these days to do that.
Not sure how widely supported it is though.
Also as always, OpenSSL is a fuck and it's really hard to do anything right with it.
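
X.509 has a Name Constraints extension (RFC 5280, section 4.2.1.10) that expresses the kind of restriction asked for above. As an added illustration that is not part of the thread, this Python sketch shows how a verifier applies such constraints to a leaf certificate's subjectAltName entries; the constraint values, the helper names and the OpenSSL config line in the comment are assumptions built from the names used in the posts.

```python
import ipaddress

# Constructed constraint set for a hypothetical home CA, mirroring the thread's
# wish: only names under myhomenet.home and addresses in 192.168.0.0/16.
# The matching OpenSSL x509v3 config line would look like:
#   nameConstraints = critical,permitted;DNS:myhomenet.home,permitted;IP:192.168.0.0/255.255.0.0
PERMITTED = {
    "DNS": ["myhomenet.home"],
    "IP": [ipaddress.ip_network("192.168.0.0/16")],
}
EXCLUDED = {"DNS": [], "IP": []}


def dns_in_subtree(name, base):
    """RFC 5280: a DNS name matches if it equals the base or adds labels on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def ip_in_subtree(addr, net):
    """An address matches if it falls inside the constraint's network/mask."""
    return addr in net


def san_allowed(kind, value, permitted=PERMITTED, excluded=EXCLUDED):
    """Return True if one subjectAltName entry satisfies the CA's constraints."""
    if kind == "DNS":
        match = dns_in_subtree
    elif kind == "IP":
        value, match = ipaddress.ip_address(value), ip_in_subtree
    else:
        return False  # simplification: this sketch rejects name types it does not model
    # Excluded subtrees win over permitted ones.
    if any(match(value, sub) for sub in excluded.get(kind, [])):
        return False
    subtrees = permitted.get(kind)
    # A name type with no permitted entries is left unconstrained.
    return True if not subtrees else any(match(value, sub) for sub in subtrees)


def leaf_allowed(sans):
    """Every SAN on the leaf must pass, otherwise the chain is rejected."""
    return all(san_allowed(kind, value) for kind, value in sans)
```

With the constraint marked critical, a client that does not implement the extension must reject the chain rather than ignore the restriction, which is why client support decides whether this works in practice.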