科技回声 (Tech Echo): a tech news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

Ask HN: Is it time for a home network TLD with TLS?

15 points, by CaptainJustin, over 3 years ago

Just watching Jeff Geerling's video on home automation and it struck me:

If we want to simplify accessing things with IP addresses we use DNS. If we want encryption at transit we use TLS. Is it time for the tech community to make having a domain name for home networks with proper TLS on everything more trivial? I've achieved something like this with Nginx-Ingress, LetsEncrypt, DNS and NAT but that's a little too involved for the average home. Is it time to "Dropbox" home DNS and TLS?

6 comments

patwoz, over 3 years ago

I'm using Tailscale HTTPS for that

https://tailscale.com/kb/1153/enabling-https/
eternityforest, over 3 years ago

Yes, it is 100% time for that.

Mozilla FlyWeb was close, but didn't handle remote access. It could have been extended to, but they dropped it.

I wrote a proposal here for how this could be done with Bluetooth-like pairing, using URLs that embed a certificate hash, a random sequence as an extra security layer, and a lookup URL that one can ask where to find the host for a service, for access over the WAN.

By using a URL instead of normal non-HTTP DNS, the lookup URL can be another web service self hosted using the same TLD, or a Data URI if one is hosting from a static IP.

No part of the URL besides the key is used to determine the origin for CORS and local storage, so you can change discovery methods and the random string freely.

Initial connection is by directly sending a link, or by LAN discovery.

Unless discovery is enabled and you are on the same network, it should be impossible to connect without already knowing the URL, so even if your home automation hub is very badly coded, they can't even start hacking it till they find your URL, which can't be found just by sniffing (because of that random string).

Clients track the "last seen" address of servers, so even if lookup goes down, access still works until your home IP changes.

When nodes connect over LAN, the server sends its "Find me on the WAN at" IP. So even with no discovery server at all and no static IP, it creates a very convincing illusion of "just working" 99% of the time.

Which means that if you buy a device that uses a cloud lookup service, and they drop that service, your device will still be remote accessible, most of the time. Which might be good enough, or at least good enough to get by until you can find a more permanent solution.

Proposal:

https://github.com/WICG/proposals/issues/43

And a partial implementation of a very close version (lookups always use OpenDHT in this), plus a notetaking app based on it.

https://github.com/EternityForest/hardlinep2p

I really think this is one of those critical missing technologies that would really enable a lot of amazing things.
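The two properties the comment above leans on, a certificate hash embedded in the URL that the client pins against, and an origin derived from that hash alone so the random secret and discovery path can change freely, are easy to show in isolation. The following is an added illustration written for this page, not code from the WICG proposal or from hardlinep2p; the link shape (`https://<base32 sha256 of the cert>.hl/<secret>/<path>`), the `.hl` suffix and the placement of the secret in the path are assumptions made here, and the "certificates" are constructed byte strings rather than real X.509 DER.

```python
import base64
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlparse

# Hypothetical link shape (an assumption for this example, not the proposal's exact format):
#   https://<base32(sha256(server cert DER))>.hl/<random-secret>/<path>
# The pinned hash lives in the host so that it alone defines the origin; the
# random secret is a capability carried in the path, not part of the origin.
TLD_SUFFIX = ".hl"
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def cert_fingerprint(cert_der: bytes) -> str:
    """Lowercase, unpadded base32 of SHA-256(DER): 52 chars, so it fits one DNS label."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def make_link(cert_der: bytes, secret: str, path: str = "") -> str:
    """Build a link that pins the given certificate and carries the random secret."""
    return f"https://{cert_fingerprint(cert_der)}{TLD_SUFFIX}/{secret}/{path}"


def parse_link(url: str) -> Tuple[str, str]:
    """Return (expected fingerprint, random secret); reject anything malformed."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(TLD_SUFFIX):
        raise ValueError("not a pinned-certificate link")
    fingerprint = host[: -len(TLD_SUFFIX)]
    if len(fingerprint) != 52 or not set(fingerprint) <= B32_ALPHABET:
        raise ValueError("malformed fingerprint label")
    secret = parts.path.strip("/").split("/", 1)[0]
    if not secret:
        raise ValueError("missing random secret")
    return fingerprint, secret


def origin(url: str) -> str:
    """Only the key hash decides the origin; discovery method and secret do not."""
    return parse_link(url)[0]


def cert_matches(url: str, presented_cert_der: bytes) -> bool:
    """Client-side check before trusting a server: pinned hash vs. the presented cert."""
    expected, _ = parse_link(url)
    return hmac.compare_digest(expected, cert_fingerprint(presented_cert_der))


# Constructed stand-ins for DER-encoded certificates (raw bytes; no X.509 parsing here).
HUB_CERT = b"constructed-cert-bytes-for-the-home-hub"
IMPOSTOR_CERT = b"constructed-cert-bytes-for-a-different-server"
HUB_LINK = make_link(HUB_CERT, "constructedsecret42", "lights")

if __name__ == "__main__":
    print(HUB_LINK)
    print("hub accepted:", cert_matches(HUB_LINK, HUB_CERT))
    print("impostor accepted:", cert_matches(HUB_LINK, IMPOSTOR_CERT))
```

The comparison uses `hmac.compare_digest` so that a wrong fingerprint fails in constant time, and `origin()` deliberately ignores everything after the host, which is what lets the secret rotate or the lookup service change without breaking CORS or local storage scoping.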
samwillis, over 3 years ago

Well there is already .local, so I suppose what you are asking for is a simple way to do TLS with .local?

I'm not well enough versed in TLS and certs, I assume a wild card self cert for .local is a bad idea?

https://en.m.wikipedia.org/wiki/.local
Comment #29997852 not loaded
Comment #29998242 not loaded
PaulHoule, over 3 years ago

Are you talking about the scenario of communications inside the home or from the outside world to the home or both?

Comment #29996107 not loaded
bryan_w, over 3 years ago

Maybe like a dhcp option to point to a "self-signed" CA cert for use exclusively on that network
aseipp, over 3 years ago

I'm not sure you can trivially "dropbox" TLS because unlike dropbox, every application you use TLS certificates with needs to be aware of how to load and find and (potentially) acquire/renew them in the first place. Unless you are going to "dropbox" literally every TLS-enabled FOSS app you could want to run, and automate their deployment and renewal. Or you could centralize on a tool like stunnel to literally terminate all TLS connections but this comes with its own flaws (e.g. annoying protocols like IMAP upgrade the connection from plaintext to TLS "in situ" via STARTTLS.) But if you just use a single TLS terminator and wrote some glue for it, sure, it might work for a reasonable amount of stuff. "Dropboxing" the whole stack is basically just another way of saying "I am going to make a turnkey software appliance" and most people won't want it.

Someone else proposed things like DHCP servers announcing a local CA and self-signing. Aside from circling around to where you started at (how do you know the DHCP server is not hostile a priori without landing back at stage 1?) it would also require massive extensions to all kinds of software to work. You're going to get pushback on this without extremely good reasons, even if it wasn't a shitload of work, so it's practically unviable. (Alternatively you have people who actually believe things like "Just typing in a 40-character base64 pubkey is _obviously_ the solution" or whatever when most people just want a nice fun hostname for themselves.)

Here's what I do. Just put your local (firewalled) network IPs in a set of records on a zone you own, and then use LetsEncrypt's DNS challenges to issue a cert for them. Then put the cert wherever you want. Done.

e.g. enter an A record for service1.a-domain-i-own.dev that points to 192.168.1.XXX (or 172.X.X.X, or 10.X.X.X, whatever) which is a local-only subnet. Issue a DNS challenge to LE for this record using whatever tool you like. It does not need to contact the service, it only needs to verify a corresponding TXT record. Then you can just take the resulting certificate and put it on your router, your server under your desk, whatever. Use the domain name as usual while on your home network. Voila, you're done. This lets you piggyback off the existing public LetsEncrypt, DNS, and CA systems with minimal effort and time, and you don't need any software at the subnet level to manage anything, and even your appliances/game consoles/whatever (that can resolve DNS names and handle TLS) will work fine.

You can do all of this with Traefik today in, like, 10 lines of configuration, not a joke. You don't have to fiddle with anything at all, almost.

I use this technique on a ZeroTier network I share with many (non-technical) friends and it works completely transparently; I can just hand them a link and it's as if it was any other website, and they are oblivious to the fact it's actually "on the local subnet"