Would it be possible for routers to run Let's Encrypt?

Meghan (she/her) @nektro

Publish Date: Jun 21 '18

Would it be possible for routers to run Let's Encrypt? Should they? Connections to 192.168.1.1 should be secure too, especially if browsers are going to become more strict about TLS adoption.

Comments 7 total

  • Frederik 👨‍💻➡️🌐 Creemers, Jun 21, 2018

    I'm not really sure how that would work. The router would need to request a certificate for 192.168.1.1, and the Let's Encrypt servers would require proof that you own that address, but since it's a local address, they can't do a DNS lookup or send an HTTP request to do the verification.

    • Meghan (she/her), Jun 21, 2018

      I've since seen here that they aren't able to produce certificates that aren't a part of public DNS. So names like localhost and 192.168.x.x are currently not possible for Let's Encrypt. Do you think they'll add this in the future? Or potentially create "global" certs that any service running on a local network could use?

      • Oliver Cole, Jun 24, 2018

        Breaking this down:

        "Do you think they'll add this in the future?"

        How would you propose that Let's Encrypt validate my ownership of 192.168.1.1? They need to contact that IP address to check I own it - but their 192.168.1.1 doesn't refer to the same machine as mine.
        Does that make sense?

        "Or potentially create "global" certs that any service running on a local network could use?"
        So now, I open 192.168.1.1 in my browser, or let's say 10.45.214.12. I get back a valid Let's Encrypt TLS certificate for that IP. I'm certain that I'm talking to the machine on my LAN, or corporate WAN, with that IP address, right?
        Not quite - how do I know someone hasn't rerouted the traffic to a machine they control - say some kind of hacker who already has a foothold in the network.
        If Let's Encrypt publicly post private keys and certificates for all the private IP addresses in existence, I can never be sure if I'm talking to the machine I want to talk to, or another machine that happens to have the same private key downloaded from Let's Encrypt!

  • Adrian B.G., Jun 24, 2018

    If the attacker is connected to your network and intercepts your traffic, then it's too late :))

    Some routers already have this option: asus.com/us/support/FAQ/1034294/

    I think that exposing the router admin interface to the internet is a bigger threat than not using a secure connection in your LAN.

  • Meghan (she/her), Jun 24, 2018

    Thanks for the amazing response!

  • Dinesh Rathee, Mar 4, 2020

    Let's Encrypt revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

    DevTo: dev.to/dineshrathee12/letsencrypt-...
    GitHub: github.com/dineshrathee12/Let-s-En...
    LetsEncryptCommunity: community.letsencrypt.org/t/letsen...
