Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
NeatNerdPrime4351197dHave you heard about letsencrypt? From the EFF.org .
Also consider using your own CA. EasyRSA should do it. -
12bitfloat9308196dHow else can you guarantee authenticity? Your root of trust has to be somewhere and, like it or not, huge companies are just the most trustworthy place for that. At least they have a lot of incentives (investors and money) to *not* fuck over users and issue unauthorized certs
-
ventgrey30196d@NeatNerdPrime I know about Let's encrypt. However I'm not really willing to expose a homelab using things like DuckDNS/NoIP just to get a simple SSL cert.
Will check EasyRSA. Thanks for your recommendation! -
lorentz15268195d@12bitfloat They do though. Every few years a root CA is removed from Firefox because it's found to have issued fake certs to governments. The great thing about PKI is that the root CA lists are compiled by everyone separately, so Mozilla can remove the ones that abuse their position, Chrome can remove the ones that abuse their power to help unfriendly states, the PRC can add their own CAs to devices distributed in China, and you can make a list with your 3 closest friends if you like.
-
lorentz15268195dThis is the best way for a users to be able to delegate the job of keeping track of identities without giving up control over the process. Any consensus algorithm can be gamed by the rich and the beautiful. The lack of consensus is what makes PKI safe.
-
cbartle320195dEJBCA is also a free Certificate Authority (PKI). If you are just wanting things trusted locally, that would be an option.
https://www.ejbca.org/ -
12bitfloat9308193d@lorentz Well sure, but at least that's just every few years. Imagine how often such a thing would happen if it was in grasp of the average user (hacker)
Re china: It's called "root of *trust*" for a reason. At the end of the day it's all a made up fantasy anyway so if you can't trust your government to follow the (imaginary) rules... I mean then you're just fucked in general -
Elendil363190d@ventgrey i dont think exposing the homelab is strictly necessary.
My homelab k8s cluster uses subdomains for a public domain, but the urls are only resolved by local dns.
I still use cloudflare to get letsencrypt certs, but the services are not exposed to the internet.
This is something i set up recently tho, so im not 100% clear on the detail.
Related Rants
SSL was a good idea terribly implemented. Relying only on big tech for valid certificates was the single most idiotic thing the web baboons could come up with.
Sure, you could always hack comodo (again) to issue yourself some LAN certs but come on. You either expose your server or pay half a kidney for a somewhat secure thing! Give me a break....
rant
ssl
security
web
sslcerts