I understand all the tech, except why I, as a home user, might want this. For that matter, what’s in it for a business user?
I’ve hosted a dozen different servers from home. FTP, HTTPS, SSH, the usual. What’s the advantage of giving up the flexibility of my DNS name? I might save a few bucks a year with Namecheap?
Not saying this is dumb or completely useless, just not seeing much application.
naught@sh.itjust.works
on 04 Jul 02:01
nextcollapse
I think literally just the “nominal fee” for the domain name. Sometimes you host a microservice or something on a laptop on your lan and don’t feel like throwing it on a domain or even subdomain, but you want/need https . The applications seem limited indeed
Corbin@programming.dev
on 04 Jul 03:30
nextcollapse
This is for short-lived cloud-allocated (virtual) machines which have an IPv4 address but not necessarily a DNS presence. When there are more than a handful of machines, name management becomes its own unique pain; often, the domain names of such a machine are an opaque string of numbers under some subdomain, and managing the name is not different from managing the raw IP address instead. Similarly, for the case of many machines all serving a wildcard (e.g. a parking page) allocating a single IP-address certificate might be preferable to copying the wildcard certificate to each machine.
As you point out, though, SSH exists and has accumulated several decades of key-management theory. Using HTTPS instead of SSH for two machines with one owner is definitely not what I would do. I’ve worked at all scales from homelabs to Google and I can’t imagine using IP-address certificates for any of it.
Now, with all of that said, if Let’s Encrypt were available over e.g. Yggdrasil then there would be a use-case for giving certificates directly to IPv6 addresses and extending PKI to the entire Yggdrasil VPN. That seems like a stretch though.
GreenKnight23@lemmy.world
on 04 Jul 04:14
collapse
I run multiple services on intranet, still use SSL. Why? because should my network ever become compromised it’s one more layer of security that will secure my data before I know what’s going on.
the_crotch@sh.itjust.works
on 05 Jul 23:52
collapse
Not sure what putz downvoted this, it’s absolutely true. All it takes is one compromised device joining your lan and setting up a packet sniffer and any unencrypted services are vulnerable.
threaded - newest
This is a garbage article full of typos and incorrect information.
I didn’t catch the typos or incorrect information – what were they?
letsencrypt.org/…/issuing-our-first-ip-address-ce…
I understand all the tech, except why I, as a home user, might want this. For that matter, what’s in it for a business user?
I’ve hosted a dozen different servers from home. FTP, HTTPS, SSH, the usual. What’s the advantage of giving up the flexibility of my DNS name? I might save a few bucks a year with Namecheap?
Not saying this is dumb or completely useless, just not seeing much application.
I think literally just the “nominal fee” for the domain name. Sometimes you host a microservice or something on a laptop on your lan and don’t feel like throwing it on a domain or even subdomain, but you want/need https . The applications seem limited indeed
This is for short-lived cloud-allocated (virtual) machines which have an IPv4 address but not necessarily a DNS presence. When there are more than a handful of machines, name management becomes its own unique pain; often, the domain names of such a machine are an opaque string of numbers under some subdomain, and managing the name is not different from managing the raw IP address instead. Similarly, for the case of many machines all serving a wildcard (e.g. a parking page) allocating a single IP-address certificate might be preferable to copying the wildcard certificate to each machine.
As you point out, though, SSH exists and has accumulated several decades of key-management theory. Using HTTPS instead of SSH for two machines with one owner is definitely not what I would do. I’ve worked at all scales from homelabs to Google and I can’t imagine using IP-address certificates for any of it.
Now, with all of that said, if Let’s Encrypt were available over e.g. Yggdrasil then there would be a use-case for giving certificates directly to IPv6 addresses and extending PKI to the entire Yggdrasil VPN. That seems like a stretch though.
I run multiple services on intranet, still use SSL. Why? because should my network ever become compromised it’s one more layer of security that will secure my data before I know what’s going on.
Not sure what putz downvoted this, it’s absolutely true. All it takes is one compromised device joining your lan and setting up a packet sniffer and any unencrypted services are vulnerable.