Not sure if it's immediately practical, but theoretically there's a reasonable route that looks like:
The device is built to a local MDNS domain like .internetfridgeco.local
The manufacturer self-signs their own CA internally
The manufacturer creates a cert for each device, and injects it into the device in the factory
User authorizes the manufacturer's CA only to sign only certs for domains under *.internetfridgeco.local (I have no idea if this is possible - I can't see a reason why it'd be impossible in a purely technical sense though) (You need to get the cert to the user somehow, but there's a few options of variable safety here: an email on purchase, publishing over bluetooth, downloading from real signed web portal in setup, etc etc) User browses to .internetfridgeco.local, gets cert that's trusted due to imported CA, has secure connection. With that done:
* Your traffic is encrypted
* You don't have to dismiss any big scary warnings
* Nobody on your network can take over that domain name (without giving a big scary warning)
* You don't need an internet connection to talk to your local device You do still have some more fascinating open problems though, like:
* If anybody can physically reach the device, they can probably pull the cert & private key from it (though that then still only lets them spoof that one domain)
* It's easy to open an avenue that encourages users to blindly trust new CAs, or which allows an attacker to provide their own CA here. Not unfixable, but needs careful thought.
* Certificate rotation is a hot mess if you want this device to be accessible forever
* Two companies could easily conflict in the X.local domain they want to use, since there's no central register whatsoever (unlike real DNS). The major issue though is that right now I don't think there's a well-supported way to import a limited-scope CA like this, and there's certainly no clear & reliable UX for your typical user to help them do so without also opening a huge risk to social engineering attacks tricking them into installing other malicious certificates.
The manufacturer self-signs their own CA internally
The manufacturer creates a cert for each device, and injects it into the device in the factory
User authorizes the manufacturer's CA only to sign only certs for domains under *.internetfridgeco.local (I have no idea if this is possible - I can't see a reason why it'd be impossible in a purely technical sense though) (You need to get the cert to the user somehow, but there's a few options of variable safety here: an email on purchase, publishing over bluetooth, downloading from real signed web portal in setup, etc etc) User browses to .internetfridgeco.local, gets cert that's trusted due to imported CA, has secure connection. With that done:
* Your traffic is encrypted
* You don't have to dismiss any big scary warnings
* Nobody on your network can take over that domain name (without giving a big scary warning)
* You don't need an internet connection to talk to your local device You do still have some more fascinating open problems though, like:
* If anybody can physically reach the device, they can probably pull the cert & private key from it (though that then still only lets them spoof that one domain)
* It's easy to open an avenue that encourages users to blindly trust new CAs, or which allows an attacker to provide their own CA here. Not unfixable, but needs careful thought.
* Certificate rotation is a hot mess if you want this device to be accessible forever
* Two companies could easily conflict in the X.local domain they want to use, since there's no central register whatsoever (unlike real DNS). The major issue though is that right now I don't think there's a well-supported way to import a limited-scope CA like this, and there's certainly no clear & reliable UX for your typical user to help them do so without also opening a huge risk to social engineering attacks tricking them into installing other malicious certificates.