this post was submitted on 14 Sep 2024
49 points (91.5% liked)

Firefox

17951 readers
150 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
 

I'm just so annoyed of fighting this all the time.

If I can't figure this out I'm going to disable all https redirecting and all certificate errors off so I can have some peace

EDIT: I do not wish to manage certificates I do not want to setup private key infrastructure I don't want to use real internet domain names I don't want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines

I just want to, add exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.

you are viewing a single comment's thread
view the rest of the comments
[–] lud@lemm.ee 3 points 2 months ago* (last edited 2 months ago) (1 children)

I don't mean them specifically, but that to me managing access to such a CA cert's keys is security nightmare, because if I somehow get an infection, and it finds the cert file and the private key, it'll be much easier for it to make itself more persistent than I want it.

If you can't resist installing random shit on your CA server then sure. No attacker will really try to compromise a home CA so you really only have to worry about viruses which should be kept extremely far from the CA anyways. And obviously follow all other security precautions like good passwords or even passwordless with certificate login (remember that you have a CA server so you can easily issue authentication certificates and enroll them on a smart card or Yubikey)

The private key should also be in TPM (or a HSM like we do at work, but that's a bit extreme for home use) and be non-exportable. Managing access to the private key isn't really that hard, it should just never ever leave the CA server and you are pretty much good to go.

You can also do a two tier PKI with an offline CA and an issuing CA like I'm planning to do for an AD DS, AD CS, AD FS lab.

Personally I think wildcard certificates sound like a bigger security problem than a CA since that certificates will likely be placed on a lot of servers and if just a single one gets compromised the attacker can impersonate whatever subdomain they feel like. With a CA server you could issue individual certificates to each server/service

Private CA servers are very common and is actually a security positive. I'm not saying that everyone needs one at home, but you shouldn't be afraid to setup one if you want too.

[–] ReversalHatchery@beehaw.org 0 points 2 months ago (1 children)

I'm in a home environment. I don't have a TPM*, I don't have yubikeys. And no, certificates won't be placed on a lot of servers, as

  • I have only one, 2 if you count the raspberry
  • both of them uses a wildcard for its own subdomain, so other servers wouldn't be affected anyway
[–] lud@lemm.ee 1 points 2 months ago

That's perfectly fine for a home environment but don't act like having a proper PKI is a bad or insecure idea.

Also I would be surprised if your server doesn't have TPM unless it is very old.