Me being grumpy and stupid again.
I have an IP Camera on my LAN, I want to connect to it via HTTPS. I can't. Why is that?
Why do this?
I have a username and password to access my IP camera. And my TV. And my lightbulbs. And all my networked gadgets. If I try to enter the passwords on a modern browser, I get this error message:
It is now an accepted fact that data should be encrypted during transport - even on a trusted network.
I have a modest home network of several dozen gadgets - all chattering away over Ethernet and WiFi.
Ideally, they are all isolated and under my control - but hackers could break in, or an automatic firmware update could compromise them, or someone could plug something in to my homeplugs.
In short - I want to access
192.168.0.123 via a secure and encrypted connection.
Why it is impossible
The Certificate Authority / Browser Forum are the people who set the policy for how SSL Certificates are issued. They prohibit generating SSL certificates for Reserved IP Addresses - like the ones on your LAN.
Their explanation is:
Only one logical host on the Internet has the IP address “184.108.40.206”, while there are tens of thousands of home Internet gateways that have the address “192.168.0.1”.
The purpose of certificates issued by publicly trusted Certification Authorities is to provide trust in names across the scope of the entire Internet. Non‐unique names, by their very nature, cannot be attested to outside their local context, and such certificates can be dangerously misused [...] issuance of certificates for non ‐ unique names and addresses, such as “www”, “www.local”, or “192.168.0.1” is deprecated
CA/Browser Forum - Guidance on the Deprecation of Internal Server Names and Reserved IP Addresses
Is there a work-around?
Sort of! Some IoT devices have self-signed certificates. if you try to connect to them via
https:// they will present the certificate - but the browser will put big scary warnings in place.
Why is that message generated? Because no reputable Certificate Authority will issue a cert, the manufacturer has self-signed it.
So I can ignore all those scary warnings and proceed. Right?
Why is this a problem?
I tried to connect to my IP camera via
https:// only to get this error.
The manufacturer doesn't do firmware updates so I'm left with a weak, self-signed certificate, which expired earlier this year.
If I tell my browser to ignore the warnings - what are the consequences? If something takes over that IP address (a malicious Internet Connected Fridge) - will I know?
There is an alternative - but it is almost too dreadful to consider.
I could rely on the manufacturer to provide a secure gateway to my devices.
- My IP toaster can make a secure connection to
- I connect to their API
- I then use the external API to control my devices
Yuck! Do you trust the Kickstarted company which provided your IP Toothbrush to stay in business for the lifetime of the product? Ha!
Do you trust them not to get hacked?
Do you want to deal with the latency between your home and the Windows Vista box in China which acts as their server?
Sadly, this is how devices like Alexa work. They don't connect directly to your kit, they go via an intermediary.
How to fix it?
I have no idea! If you do - please stick a comment in the box.