Monday, 19 January 2026
  16 Replies
  131 Visits
Let's Encrypt have now started to issue certs for public-facing IP addresses as well as their famed free TLS and DV SSL certs.

This is an absolute Game changer!! 🤩🤩

Now you can simply run a site without a domain name, with SSL. Whilst I don't think that's the real takeaway here, and purpose, it is dead handy for when you spin up a new server and haven't got DNS fully functional for your hostname yet. So in theory, you could buy a server, install DirectAdmin and not have to worry about using DA's DNS and temp link to log in to your panel securely. You could simply use the server's given IP securely, out of the box. It's something DA would have to implement, unless you set it up by obtaining certs yourself first, before installing DA.

I have to add, there's 2 caveats here,

- You CANNOT use one of these certs with a local IP, for example 10.0.10.272 or 192.168.0.100
- Certs are aggressively renewed, and expire after 7 days, so daily issuance is recommended (I guess as it's only supposed to be a temp fix)

This has so much potential!

IPv4 and IPv6 supported, Pics incoming...! 😁

Edit - Here's pics showing SSL on IPs 😊

https://65.21.61.62/

https://i.ibb.co/mCn961bW/1766143605566.png

https://[2a01:4f9:c013:5051::1]

https://i.ibb.co/C3L1MsXR/1766143649034.png

Certificate issuance

https://i.ibb.co/svf0Vtrm/1766143546263.png
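
The two caveats in the post above (no certs for local addresses, and a 7-day lifetime with daily renewal) as a pre-flight check. This is an added example, not part of the original post; the function names are hypothetical and the renewal interval is the figure quoted in the thread, not taken from CA documentation.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Renewal cadence as stated in the thread (assumption, not CA documentation).
RENEW_INTERVAL = timedelta(days=1)  # "daily issuance is recommended"

def ip_cert_eligibility(candidate: str) -> tuple[bool, str]:
    """Decide whether a public CA could validate control of this address."""
    try:
        # Accept the bracketed IPv6 form used in URLs, e.g. https://[::1]/
        ip = ipaddress.ip_address(candidate.strip().strip("[]"))
    except ValueError:
        return False, "not a valid IP address"
    if ip.is_loopback:
        return False, "loopback"
    if ip.is_link_local:
        return False, "link-local"
    if ip.is_private:
        return False, "private range"
    if not ip.is_global:
        # e.g. carrier-grade NAT space: not private, but not routable either
        return False, "not globally routable"
    return True, f"public IPv{ip.version}"

def renewal_state(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """Classify a short-lived certificate for a daily renewal job."""
    if now >= not_after:
        return "expired"
    if now - not_before >= RENEW_INTERVAL:
        return "renew"
    return "ok"

if __name__ == "__main__":
    # Addresses from the post, plus one constructed CGNAT address (100.64.0.1).
    for addr in ("65.21.61.62", "[2a01:4f9:c013:5051::1]",
                 "192.168.0.100", "10.0.10.272", "100.64.0.1"):
        print(addr, ip_cert_eligibility(addr))
    # Constructed validity window: issued 30 hours ago, valid for 7 days.
    now = datetime.now(timezone.utc)
    issued = now - timedelta(hours=30)
    print(renewal_state(issued, issued + timedelta(days=7), now))
```

Running the eligibility check before calling an ACME client avoids a failed order against an address the CA can never reach; the renewal check is what a daily cron job or timer would key on.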
1 week ago
·
#448
- domainless machine to machine communication.


What kind of purposes are you thinking of?

Because I don't know what provisioning is, but internal APIs are internal so why would one need SSL for that?

I'm just curious about things which really make sense so that would be things which connect to the internet or the other way around.
A smaller attack surface depends on what you're using it for (which I still don't see) because IPs will get attacked anyway.

- can be used earlier in boot phases where resolving isn't available yet.


Yes but to what purpose? I wasn't clear I guess.
I was curious why it would be beneficial. So the purposes, not just a "could be fine", but really "is usable for" and well... who cares about resolving early in boot phases. For which usable purpose (application) would this small effect in time be good?

You gave some good arguments, but the question is how would they be used.
To me it sounds like (bit of a stupid example) we get an extra spare wheel on a car.
- Yeah that's great for if the other spare loses air
- It's great for if we get two flat tires
- If we go to the beach we have a tire to play with.

All good arguments, but usability is totally unclear or not required. Which is why I'm still curious as to my examples. Hobbyists and developers.
Who else would use that and to what purpose (applications, requirements), not just what one could do, but probably never will, or isn't required like with internal handling maybe.

There must have been a lot of questions for it otherwise LE would not have done it, I just don't see the benefits yet.
Security for machine to machine communication where no domain is required is a benefit. I don't know such a situation but I guess there will be something like that. Although that communication is then only on HTTPS level if I understood correctly, right?

These certs wouldn't have become a thing if enough didn't ask for them. 😁


Right. That's why I'm curious about a real valid example which people would really use, not only "nice to have because" and then never use it. I'm just curious. Because I'm sure I'm missing things somewhere.
1 week ago
·
#449

That's the line of thought I was using when I decided to post this thread. Not that your average Joe would get much from this (unless a real hobbyist) but more for the techs, devs and sysadmins out there that don't have DNS set up, don't want or plan to use it, or no domain bought yet (as I said earlier) but want their server security path secured at the earliest operational instance. After all, not everyone uses DA.

And I'm not on about those who will complain their email isn't working as hostname incorrect etc, as this type of cert isn't for, or simply cannot be used for, email as SMTP requires DNS to be present.

I can see some interesting things developing from this, good and maybe bad. This is certainly progress, whatever direction you want to look at it. These certs wouldn't have become a thing if enough didn't ask for them. 😁


Everything good can be used for bad. Obviously malware from https://1.2.3.4 is going to work. Then again, today that's 'dsafdsfdsafdshfdgsfds.fdsgfhsgfdhsfd.com' and also works...

But having an up-to-date IP SSL cert without the need for DNS/SNI related stuff, that also expires within a week... is... very nice.
1 week ago
·
#450
Everything good can be used for bad. Obviously malware from https://1.2.3.4 is going to work. Then again, today that's 'dsafdsfdsafdshfdgsfds.fdsgfhsgfdhsfd.com' and also works...


Correct, but costs more money and effort to set up.

But having an up-to-date IP SSL cert without the need for DNS/SNI related stuff, that also expires within a week... is... very nice.


I'm sure it will be, but what would you use it for?
And within a week? Aren't those for 3 months also then?
1 week ago
·
#451

What kind of purposes are you thinking of?

Because I don't know what provisioning is, but internal APIs are internal so why would one need SSL for that?

I'm just curious about things which really make sense so that would be things which connect to the internet or the other way around.
A smaller attack surface depends on what you're using it for (which I still don't see) because IPs will get attacked anyway.

Yes but to what purpose? I wasn't clear I guess.
I was curious why it would be beneficial. So the purposes, not just a "could be fine", but really "is usable for" and well... who cares about resolving early in boot phases. For which usable purpose (application) would this small effect in time be good?

You gave some good arguments, but the question is how would they be used.
To me it sounds like (bit of a stupid example) we get an extra spare wheel on a car.
- Yeah that's great for if the other spare loses air
- It's great for if we get two flat tires
- If we go to the beach we have a tire to play with.

All good arguments, but usability is totally unclear or not required. Which is why I'm still curious as to my examples. Hobbyists and developers.
Who else would use that and to what purpose (applications, requirements), not just what one could do, but probably never will, or isn't required like with internal handling maybe.

There must have been a lot of questions for it otherwise LE would not have done it, I just don't see the benefits yet.
Security for machine to machine communication where no domain is required is a benefit. I don't know such a situation but I guess there will be something like that. Although that communication is then only on HTTPS level if I understood correctly, right?

Right. That's why I'm curious about a real valid example which people would really use, not only "nice to have because" and then never use it. I'm just curious. Because I'm sure I'm missing things somewhere.


Well, provisioning is actually nothing more than the moment a VPS is created, where the resolv.conf is empty and resolvers aren't working yet.
But imagine I only want to talk securely to 1.2.3.4. Not to a name that whatever DNS admin named something. Or it needs to work even when that same admin pushed DNS errorcrap on Friday? Or your DNS is DDoS'ed into oblivion and your backups stop working.

Yeah, ok, it's hard to make it cool :)
1 week ago
·
#452
I'm sure it will be, but what would you use it for?
And within a week? Aren't those for 3 months also then?



I did say they were aggressive with the issue periods, as illustrated in pic 3, post #1. They are issued for 7 days only. I guess this is as most use cases are startup servers, and only need a few hours maybe, but that protection could be very valuable. The other reason (among many more I'm sure) is security. The CA verifies you are still in control of that IP, as I guess datacentres like Vultr, Hetzner and the like have many thousands of IPs and they shift daily with VPS provisioning and deletion.
1 week ago
·
#453

Correct, but costs more money and effort to set up.

I'm sure it will be, but what would you use it for?
And within a week? Aren't those for 3 months also then?


Well, everyone has a $1 voucher at the cheapest hoster available *cough* where Donald Duck can get his domain, or whatever a stolen and already maxed-out credit card says. They pay nothing. And one wrong click of a user, in 1000 mails from a single brute-forced email account, will get them only more money.
And sadly this darkweb-as-a-service is often cheaper (with numbers) than I even have to pay for a .com domain. So, SSL on an IP address... not sure if this has a real impact. We might not see the difference between 'm' and 'rn' but, we get 'microthingy.com' vs '1.2.3.4'

I think they were short-lived... Not sure... Not using it yet and this is not my thinking day :)
© 2026 hostsocial.io