DEV Community

Discussion on: Would it be possible for routers to run Let's Encrypt?

Oliver Cole

Breaking this down:

> Do you think they'll add this in the future

How would you propose that Let's Encrypt validate my ownership of 192.168.1.1? They need to contact that IP address to check I own it, but their 192.168.1.1 doesn't refer to the same machine as mine.
Does that make sense?

> Or potentially create "global" certs that any service running on a local network could use

So now, I open 192.168.1.1 in my browser, or let's say 10.45.214.12. I get back a valid Let's Encrypt TLS certificate for that IP. I'm certain that I'm talking to the machine on my LAN, or corporate WAN, with that IP address, right?
Not quite: how do I know someone hasn't rerouted the traffic to a machine they control, say some kind of hacker who already has a foothold in the network?
If Let's Encrypt publicly posts private keys and certificates for all the private IP addresses in existence, I can never be sure if I'm talking to the machine I want to talk to, or another machine that happens to have the same private key downloaded from Let's Encrypt!