> It is currently not possible to keep your internal network private and still have HTTPS without hacks or problems on standard end user devices.
Only if you consider transferring the cert from the public server to your internal server a hack.
But how would it ever work otherwise? The CA needs to have some publicly accessible way to check your control of the domain, right?
You need a fake DNS entry on your local network for this to work - I would call that a hack.
And what if you aren't running a public webserver like 99% of normal people out there?
> But how would it ever work otherwise? The CA needs to have some publicly accessible way to check your control of the domain, right?
I mean that's exactly the problem: Why do you have to rely on the public CA infrastructure for local devices?
Consider the scenario of a smart wifi bulb in your local network that you want to control with your smartphone.
IMO it would be great to have your home router act as a local CA that can only issue certificates for .local domains and have that trusted by default by user agents. Would make smart home stuff a lot better than the current situation...
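The "can only issue certificates for .local domains" part of that proposal is something X.509 can already express: a CA certificate carrying a critical Name Constraints extension (RFC 5280, section 4.2.1.10) is rejected by a conforming verifier for any leaf whose name falls outside the permitted subtree, so the restriction holds even if the router's key is later misused. The script below is an added example, not code from anyone in this thread; it assumes only the openssl command-line tool (1.1.1 or later) and a POSIX shell, and the names `make_local_ca`, `issue_leaf`, `verify_leaf` and the sample hosts `bulb.local` / `example.com` are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a "home router" CA that is technically
# unable to certify anything outside .local. The restriction is enforced by the
# X.509 nameConstraints extension, checked by the relying party, not by policy.
# Assumes only the openssl CLI (1.1.1+) and a POSIX shell.
set -eu

WORK="${LOCALCA_WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Create the router's CA key and self-signed certificate. The critical
# nameConstraints extension permits only DNS names under .local; a verifier
# that implements RFC 5280 rejects leaf certs for any other name, even if the
# CA key is abused to sign them.
make_local_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Home Router Local CA (demo)
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.local
EOF
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
        -extensions ca_ext -days 3650 -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $1 (e.g. bulb.local). Note that the
# CA happily signs whatever it is asked to; the constraint bites at
# verification time, which is exactly why it is safe to ship in the router.
issue_leaf() {
    name="$1"
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -config "$WORK/ca.cnf" \
        -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$name" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Path validation as a browser or bulb firmware would perform it, trusting only
# the router CA. Exit status 0 means the chain, name constraints included, is valid.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Demonstration: a .local name validates, a public name is rejected with
# "permitted subtree violation" even though the same CA signed both.
main() {
    make_local_ca
    issue_leaf bulb.local
    issue_leaf example.com
    if verify_leaf bulb.local;  then echo "bulb.local:  accepted";  else echo "bulb.local:  REJECTED"; fi
    if verify_leaf example.com; then echo "example.com: ACCEPTED"; else echo "example.com: rejected (permitted subtree violation)"; fi
}

main
```

The point of the demo is the asymmetry: the signing step never refuses anything, so a compromised or buggy router cannot be "fixed" by trusting its judgement; it is the client's path validation that makes the CA harmless for public names. A client that trusts such a CA only for `.local` still has the bootstrapping problem raised later in the thread (how the CA certificate gets onto each device in the first place), which name constraints do not solve.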
> IMO it would be great to have your home router act as a local CA that can only issue certificates for .local domains and have that trusted by default by user agents. Would make smart home stuff a lot better than the current situation...
How would you talk to the router and make sure the communication is actually with the router and not someone else?
The browser/lightbulb comes with trusted CAs preinstalled, but then you would have to install the router's CA cert on every device you add to the network.
Sure, if someone knows your WiFi password they could set up an "evil" router close to your house with the same SSID and credentials, or they could break into your house and install LAN wiretaps, but c'mon, if you are this paranoid you probably don't even have a smartphone in the first place.
Do you mean that you don't need a way to verify the router's identity on the local network because it is already protected by a password?
Firstly, I don’t think that’s true because you add a lot of sketchy and unknown devices to your network over time (guests, streaming stick, computer with preinstalled OS…) so I wouldn’t trust every device in my WiFi.
And also, if you do trust your network, you don’t really need https inside it, right?