Monday, 19 January 2026
  16 Replies
  130 Visits
Let's Encrypt have now started to issue certs for public-facing IP addresses as well as their famed free TLS and DV SSL certs.

This is an absolute game changer!! 🤩🤩

Now you can simply run a site without a domain name, with SSL. Whilst I don't think that's the real takeaway here, and purpose, it is dead handy for when you spin up a new server and haven't got DNS fully functional for your hostname yet. So in theory, you could buy a server, install DirectAdmin and not have to worry about using DA's DNS and temp link to log in to your panel securely. You could simply use the server's given IP securely, out of the box. It's something DA would have to implement, unless you set it up by obtaining certs yourself first before installing DA.

I have to add, there are 2 caveats here:

- You CANNOT use one of these certs with a local IP, for example 10.0.10.272 or 192.168.0.100
- Certs are aggressively renewed, and expire after 7 days, so daily issuance is recommended (I guess as it's only supposed to be a temp fix)

This has so much potential!

IPv4 and IPv6 supported, Pics incoming...! 😁

Edit - Here's pics showing SSL on IPs 😊

https://65.21.61.62/

https://i.ibb.co/mCn961bW/1766143605566.png

https://[2a01:4f9:c013:5051::1]

https://i.ibb.co/C3L1MsXR/1766143649034.png

Certificate issuance

https://i.ibb.co/svf0Vtrm/1766143546263.png
1 week ago
·
#438
> So in theory, you could buy a server, install DirectAdmin and not have to worry about using DA's DNS and temp link to log in to your panel securely.

So no change at all, as this is also possible at this moment already since DA uses an SSL based on the IP.
That's why it's called the (for example) 65.21.61.62-da.direct as hostname. So this way you can already directly visit your server via SSL by the hostname.
So this is already implemented. Out of the box!

> This has so much potential!

To me this sounds like bad news, as this will make it a lot easier again for spammers to use SSL and stuff, without the cost of a domain name to register.
Fun for hobbyists and maybe website devs, but IMHO they will be sorry later on for doing this.
1 week ago
·
#439
> So no change at all, as this is also possible at this moment already since DA uses an SSL based on the IP.
> That's why it's called the (for example) 65.21.61.62-da.direct as hostname. So this way you can already directly visit your server via SSL by the hostname.
> So this is already implemented. Out of the box!
>
> To me this sounds like bad news, as this will make it a lot easier again for spammers to use SSL and stuff, without the cost of a domain name to register.
> Fun for hobbyists and maybe website devs, but IMHO they will be sorry later on for doing this.

Yeah I know DA do the 65.21.61.62-da.direct thing which is really handy. I do remember someone complaining about it, but I personally don't see it as a bad thing with what DA are doing and should not ditch this at all. I was merely stating it may be an option if someone hasn't set up their DNS and wants to use their IP.

Could use them on your Directslave projects? Hostname's always protected if you put a cert on like you should, but the IP itself isn't. Just a thought.

I guess it could be good for devs to secure a server before they get a customer's domain sorted, I mean not everyone spins up a VPS or Dedi and then puts DA or other panels on it immediately.

Maybe organizations that run servers and don't have DNS sorted, or don't plan at all to have DNS set up. And I don't see it quite like you do with spammers for example. Nothing stopping them spinning up servers as they do now, and using free/cheap domains with free SSL. You'll never get rid of spammers or botnets unfortunately.

Certs are very short lived so you'd have to set up a cron to reissue every few days if you wanted to keep it IP only. People have asked Let's Encrypt for this, for domainless projects and they've obliged. They are not a replacement for the TLS certs either, more of an extension.

I can see hobbyists taking advantage of it like you say. I mean I think it's cool in some ways, as an IP can look like a phone number. In my example I've been given an 8-digit IP, 65.21.61.62, really no different from the format of a French phone number for example. Advertising maybe? 😁

I mean there is good and bad associated with this. It's great to be positive about new things, but as you point out, it's also good to point out and identify the potential pitfalls and problems. 😉
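
Added example (not part of any post in this thread, and not Let's Encrypt's or DirectAdmin's code): a pre-flight and renewal check covering the two caveats in the opening post and the cron remark above. The 3-day renewal threshold and the certificate dates are assumptions constructed for illustration; the dictionary mimics what Python's `SSLSocket.getpeercert()` returns.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

def ip_cert_eligible(addr: str) -> bool:
    """True only for a valid, globally routable IPv4/IPv6 address."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # malformed input, e.g. an octet above 255
        return False

def san_covers_ip(peercert: dict, addr: str) -> bool:
    """True if the cert's subjectAltName has an 'IP Address' entry equal to addr."""
    want = ipaddress.ip_address(addr)
    for kind, value in peercert.get("subjectAltName", ()):
        # Compare parsed addresses so IPv6 spelling differences do not matter.
        if kind == "IP Address" and ipaddress.ip_address(value.strip()) == want:
            return True
    return False

def renewal_due(peercert: dict, now: datetime, min_days_left: float = 3.0) -> bool:
    """True when fewer than min_days_left days remain (threshold is an assumed policy)."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return (not_after - now.timestamp()) / 86400 < min_days_left

# Constructed sample: a 7-day certificate for the IP shown in the opening post.
SAMPLE_CERT = {
    "subjectAltName": (("IP Address", "65.21.61.62"),),
    "notBefore": "Jan 19 00:00:00 2026 GMT",
    "notAfter": "Jan 26 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for ip in ("65.21.61.62", "2a01:4f9:c013:5051::1", "192.168.0.100", "10.0.10.272"):
        print(f"{ip:24} eligible={ip_cert_eligible(ip)}")
    now = datetime(2026, 1, 24, tzinfo=timezone.utc)  # constructed "current" time
    print("SAN matches:", san_covers_ip(SAMPLE_CERT, "65.21.61.62"))
    print("renew now:  ", renewal_due(SAMPLE_CERT, now))
```

Run from cron, `renewal_due` gives the reissue job a clear trigger, and `san_covers_ip` catches a certificate deployed on a host whose address has changed.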
1 week ago
·
#440
> Yeah I know DA do the 65.21.61.62-da.direct thing which is really handy.

Name me 1 reason why. Because I can name you a couple of reasons why it's not. Starting with teaching people the wrong way, a lot don't even know how to set up a hostname correctly and then come complaining that they have mail issues, which we almost didn't have in the early days.
Otherwise I wouldn't have needed to write that hostname manual I did, which lots of people used (or rather had to use) to fix things.

Second is that yes you can visit the panel, but it's anyway best to not do anything until the background things are installed, otherwise the changes are not integrated into for example Apache and you get odd things like missing domain names or other errors.
So if you have to wait anyway, you can just as well set up things correctly and learn to do it correctly and then an LE SSL certificate is there fast enough with the autoSSL.

DS does not need to be an exception. Just using a subdomain of your domain as hostname is very well possible, like ds.domain.com or something like that. We have it that way and even with SSL!

Seems LE is the first one doing it, and I'm sure there is a reason others didn't do it before. I can't imagine an organisation not wanting to have to set up their network correctly with a domain name, certainly not these days.

Short-lived yes, well... 3 months. And people asked for this. Yes well people always ask for things, doesn't always mean those things are good or wise.

So until now I don't see any benefits at all, except for a few hobbyists and website devs. Of course I could be wrong, maybe some have some great examples.

But you don't need to convince me. I just gave my opinion. Let's talk in a few years and see if my thoughts were wrong or right. But I fear the most, and probably it's not even conforming to the RFC.
1 week ago
·
#441
Oh very nice, about time :)
1 week ago
·
#442
> Yeah I know DA do the 65.21.61.62-da.direct thing which is really handy. I do remember someone complaining about it, but I personally don't see it as a bad thing with what DA are doing and should not ditch this at all. I was merely stating it may be an option if someone hasn't set up their DNS and wants to use their IP.
>
> Could use them on your Directslave projects? Hostname's always protected if you put a cert on like you should, but the IP itself isn't. Just a thought.
>
> I guess it could be good for devs to secure a server before they get a customer's domain sorted, I mean not everyone spins up a VPS or Dedi and then puts DA or other panels on it immediately.
>
> Maybe organizations that run servers and don't have DNS sorted, or don't plan at all to have DNS set up. And I don't see it quite like you do with spammers for example. Nothing stopping them spinning up servers as they do now, and using free/cheap domains with free SSL. You'll never get rid of spammers or botnets unfortunately.
>
> Certs are very short lived so you'd have to set up a cron to reissue every few days if you wanted to keep it IP only. People have asked Let's Encrypt for this, for domainless projects and they've obliged. They are not a replacement for the TLS certs either, more of an extension.
>
> I can see hobbyists taking advantage of it like you say. I mean I think it's cool in some ways, as an IP can look like a phone number. In my example I've been given an 8-digit IP, 65.21.61.62, really no different from the format of a French phone number for example. Advertising maybe? 😁
>
> I mean there is good and bad associated with this. It's great to be positive about new things, but as you point out, it's also good to point out and identify the potential pitfalls and problems. 😉

Finally spinning up servers with TLS, no MITM, no CN/SAN crap, perfect for headless installs, no resolver dependencies. It's actually safer than with a domain because DNS spoofing ain't working anymore. :)
1 week ago
·
#443
> Finally spinning up servers with TLS, no MITM, no CN/SAN crap, perfect for headless installs, no resolver dependencies. It's actually safer than with a domain because DNS spoofing ain't working anymore. :)

Finally, someone who thinks it's a good idea 😁😁. You're dead right though, can't spoof that DNS if there ain't any! I love taking their toys away 🤣🤣🤣
1 week ago
·
#444
> Finally spinning up servers with TLS, no MITM, no CN/SAN crap,

Out of curiosity.... what will you be using them for then?
1 week ago
·
#445
> Finally, someone who thinks it's a good idea 😁😁. You're dead right though, can't spoof that DNS if there ain't any! I love taking their toys away 🤣🤣🤣

Yeah, MAC-to-MAC communication only.
1 week ago
·
#446
> Out of curiosity.... what will you be using them for then?

Uhmm, I see a few interesting options in the network architecture and security field.

- much smaller attack surface.
- domainless machine to machine communication.
- provisioning sometimes
- internal APIs
- The 'safety' of not requiring SNI so less manipulation vectors
- worthless when used on another IP so a good protection against theft.
- can be used earlier in boot phases where resolving isn't available yet.

But for the average web user it's probably totally worthless, because it's well... one of a kind (IP) SSL and has limited use.
1 week ago
·
#447
> Uhmm, I see a few interesting options in the network architecture and security field.
>
> - much smaller attack surface.
> - domainless machine to machine communication.
> - provisioning sometimes
> - internal APIs
> - The 'safety' of not requiring SNI so less manipulation vectors
> - worthless when used on another IP so a good protection against theft.
> - can be used earlier in boot phases where resolving isn't available yet.
>
> But for the average web user it's probably totally worthless, because it's well... one of a kind (IP) SSL and has limited use.

That's the line of thought I was using when I decided to post this thread. Not that your average Joe would get much from this (unless a real hobbyist) but more for the techs, devs and sysadmins out there that don't have DNS set up, don't want or plan to use it, or no domain bought yet (as I said earlier) but want their server security path secured at the earliest operational instance. After all, not everyone uses DA.

And I'm not on about those who will complain their email isn't working as hostname incorrect etc, as this type of cert isn't for, or simply cannot be used for email as SMTP requires DNS to be present.

I can see some interesting things developing from this, good and maybe bad. This is certainly progress, whatever direction you want to look at it. These certs wouldn't have become a thing if enough didn't ask for them. 😁