Do you want to put a web page on a .local address to do something cool for your household or club? Here's the list of browser features that browser vendors have decided you're just not fuckin' allowed to use. https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts/features_restricted_to_secure_contexts

Some random site halfway around the world, served over https with a robo-verified certificate, is allowed, though, so take some comfort in that.

There's a discussion thread about allowing RFC 1918 addresses and their ip6 equivalents to participate in secure contexts at https://github.com/w3c/webappsec-secure-contexts/issues/60 . It is _eight years_ old without resolution.

I can't find any discussion at all on allowing the user to designate certain origins as secure contexts. Maybe that's a thing for some browsers.

The recommendation in that thread is to run a private CA for your LAN. Anyone who has experience doing that outside of a managed (i.e., corporate) network will tell you how hilariously useless that advice is.
@owen I use acme-dns authorized subdomain certificates on my lab; this is nearly as unreasonable as running a CA for my home network. And I have run one on a corporate network.
@ryanc @owen With DNS-PERSIST-01 it'll be easy to get real certs for your LAN-only devices.
@dalias @ryanc @owen With the right tooling, even DNS-01 isn't the worst.
@jima @ryanc @owen I just consider DNS-01 a giant weakness/violation of access controls. Automated processes should never have access to modify DNS, especially when that often (for non-experts) means credentials to the registrar.
@dalias @ryanc @owen I completely agree, which is why I CNAME the _acme-challenge records off to a distinct zone, which the automated process DOES have access to modify. 😀

@jima @ryanc @owen Yep, that's the right way to do it.

Prior to DNS-PERSIST-01 announcement, I had an even fancier plan in the works: delegating _acme_challenge to a public server (run as a public service) with a DS whose key is held by your device that wants certs. When you need to do the ACME dance, the device would send a DNS packet to the public service, which would cache and serve it for up to some short time limit.

I never got around to implementing it, and once DNS-PERSIST-01 was announced, I dropped the idea because it's no longer needed.

@dalias @ryanc @owen In my case, the delegated server is PowerDNS with an SQL backend, and my validation hook script just adds a row to the records table, remotely over TLS (which is itself provided by a Let's Encrypt cert 😅).
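The delegation pattern described in the two posts above (the main zone publishes `_acme-challenge.<host> CNAME <host>.<delegated zone>`, and only the delegated zone is writable by the automated hook, here through a PowerDNS-style SQL backend) can be made concrete as a small validation hook. This is an added example, not the poster's script or the PowerDNS project's code: the zone names, the CNAME map and the `records` table layout are constructed placeholders, and an in-memory SQLite table stands in for the real backend. The point it shows is the least-privilege boundary: whatever the CNAME in the main zone says, the hook refuses to write a TXT record anywhere outside the delegated zone.

```python
"""
Added example: DNS-01 validation hook that can only write into a delegated
challenge zone. The main zone holds `_acme-challenge.<host> CNAME
<host>.<delegated zone>`; the hook has write access only to the delegated
zone, served by a PowerDNS-style SQL backend.

All zone names, the CNAME map and the table layout are constructed for this
example (they are not the poster's real configuration).
"""
import sqlite3

# Constructed: the only zone the hook is allowed to modify (placeholder name).
DELEGATED_ZONE = "acme.example-delegated.invalid"
DELEGATED_DOMAIN_ID = 1

# Constructed: a snapshot of the CNAMEs published in the *main* zone, which the
# hook cannot write to. A real hook would resolve these with a DNS query.
MAIN_ZONE_CNAMES = {
    "_acme-challenge.nas.home.example": "nas.acme.example-delegated.invalid",
    "_acme-challenge.printer.home.example": "printer.acme.example-delegated.invalid",
    # Misconfigured entry: points somewhere the hook must never touch.
    "_acme-challenge.rogue.home.example": "rogue.someone-elses-zone.example",
}


def open_backend():
    """Simplified stand-in for the PowerDNS gsql `records` table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, "
        "name TEXT, type TEXT, content TEXT, ttl INTEGER)"
    )
    return conn


def challenge_target(fqdn):
    """Follow the _acme-challenge CNAME for a host and return the delegated name."""
    cname = MAIN_ZONE_CNAMES.get("_acme-challenge." + fqdn)
    if cname is None:
        raise LookupError(f"no _acme-challenge CNAME for {fqdn}")
    return cname.rstrip(".").lower()


def add_challenge(conn, fqdn, token):
    """Publish the ACME token, refusing any name outside DELEGATED_ZONE."""
    name = challenge_target(fqdn)
    if not name.endswith("." + DELEGATED_ZONE):
        # Least privilege: the CNAME is untrusted input; writes stay in our zone.
        raise PermissionError(f"{name} is outside {DELEGATED_ZONE}; refusing to write")
    # PowerDNS stores TXT content with surrounding quotes.
    conn.execute(
        "INSERT INTO records (domain_id, name, type, content, ttl) VALUES (?,?,?,?,?)",
        (DELEGATED_DOMAIN_ID, name, "TXT", f'"{token}"', 60),
    )
    conn.commit()
    return name


def remove_challenge(conn, fqdn, token):
    """Cleanup hook: delete exactly the row that add_challenge created."""
    name = challenge_target(fqdn)
    cur = conn.execute(
        "DELETE FROM records WHERE domain_id=? AND name=? AND type='TXT' AND content=?",
        (DELEGATED_DOMAIN_ID, name, f'"{token}"'),
    )
    conn.commit()
    return cur.rowcount


def published_tokens(conn, fqdn):
    """What a validator following the CNAME would see at the delegated name."""
    name = challenge_target(fqdn)
    rows = conn.execute(
        "SELECT content FROM records WHERE name=? AND type='TXT'", (name,)
    ).fetchall()
    return [r[0].strip('"') for r in rows]


if __name__ == "__main__":
    db = open_backend()
    print(add_challenge(db, "nas.home.example", "tok-abc123"))
    print(published_tokens(db, "nas.home.example"))
    try:
        add_challenge(db, "rogue.home.example", "tok-evil")
    except PermissionError as e:
        print("refused:", e)
    print(remove_challenge(db, "nas.home.example", "tok-abc123"))
```

The suffix check in `add_challenge` is the part worth keeping in any real hook: the credential the hook holds should only reach the delegated zone's backend, and the hook should additionally refuse to act on a CNAME that points elsewhere, so a stray or tampered record in the main zone cannot turn the hook into a writer for some other name.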
@dalias @jima @ryanc @owen Well, the challenge allows delegating to another zone/nameserver (what I do here), but it's probably not the most typical setup.
@lanodan @dalias @ryanc @owen It's always so nice to meet other DNS weirdos. 🥰
@lanodan @ryanc @owen @jima Yeah everyone just gives their webservers credentials to transfer all their domains to an attacker... 🤡