this post was submitted on 13 Jul 2023
Technology
IMHO all these approaches are convoluted and introduce way too many components (SPOFs) to solve the problem. They're "free" but they come at the cost of maintaining all this extra infrastructure and don't forget that certificate transparency logs mean all your internal DNS records that you request a LetsEncrypt certificate for will be published publicly. (!)
An alternative approach is to set up your own internal certificate authority (CA), which you can do in a couple of minutes with step-ca. You then just deploy your CA root cert to all the machines on your network and can get certs whenever you need. If you want to go the extra mile and set up automatic renewal, you can do that too, but it's overkill for internal use IMHO.
Using your own CA introduces only a single new software component and it doesn't require high availability to be useful...
Unfortunately these days internal CAs aren't always trusted. We have one where I work, and hundreds of times a day people have to click through "I understand the risks, proceed anyway" alert prompts.
Which makes me really uncomfortable - I fear one day someone will blindly click past a warning about an actual malicious certificate.
It kills me that companies seem to willingly train their users to ignore warnings and signs that something is amiss.
"Yeah, all our emails from that vendor come with the external email warning, just ignore it"