Https for everything via Mozilla?

Maybe this has been covered elsewhere. AFAICT there is no low-cost/free solution for IoT devices to serve https secured stuff. The problem is the IoT device runs a server, but a cert, at least one that just works, requires a domain name.

Yes, custom certs can be used but then users are asked to trust these certs which is arguably a bad precedent.

Plex had a blog post years ago about how they solved the issue. The short version is they run a DNS server that auto-makes domain names in the form of something like <hashofdeviceaccountuseridetc>.plex.com that points to the local device on the local network (like 192.168.1.47) and at the same time they partnered with Digicert to auto generate a cert for that domain.

Could Mozilla do something similar? Run a DNS server that does that and partner with someone like say letsencrypt to provide the certs? What would be the repercussions? Maybe they could make it free for open source and try to get sponsors from IoT companies?

Or maybe there is some other solution I’m unaware of?

This could be useful for more than just IoT. I’ve needed this for several non-IoT projects that need to run a local webserver and I really need that server to be https but I can’t ask all my non-techie users to register domains and somehow magically let me update their domain to point to local ip addresses as well as manage certs for them.

If not Mozilla who else might feel like this is something that needs to happen?
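The Plex-style scheme described above, as an added example that is not part of this thread and not Plex's or Mozilla's code: a minimal authoritative DNS responder that answers A queries for a per-device hashed label under an assumed zone (`devices.example.test`, a placeholder) with the private IP the device registered. It refuses to register anything that is not a private IPv4 address, so the zone can only ever point names at LAN hosts; obtaining the certificate for the resulting name is a separate step not shown here.

```python
import hashlib, ipaddress, socket, struct

ZONE = "devices.example.test"   # assumed zone name (placeholder, not Plex's)
REGISTRY = {}                   # fully qualified name -> private IPv4 string

def device_label(device_id: str) -> str:
    """Stable DNS label derived from a device identifier (hash, not the raw id)."""
    return hashlib.sha256(device_id.encode()).hexdigest()[:32]

def register(device_id: str, ip: str) -> str:
    """Map <hash>.ZONE to a LAN address; only private IPv4 is accepted."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not addr.is_private:
        raise ValueError("only private IPv4 addresses may be registered")
    name = f"{device_label(device_id)}.{ZONE}"
    REGISTRY[name] = str(addr)
    return name

def _parse_qname(msg: bytes, offset: int = 12):
    labels = []
    while msg[offset] != 0:                      # length-prefixed labels, 0 ends
        ln = msg[offset]; offset += 1
        labels.append(msg[offset:offset + ln].decode("ascii")); offset += ln
    return ".".join(labels).lower(), offset + 1

def build_response(query: bytes) -> bytes:
    """Answer an A query for a registered name; authoritative NXDOMAIN otherwise."""
    txid = query[:2]
    qname, off = _parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    ip = REGISTRY.get(qname)
    if qtype == 1 and qclass == 1 and ip is not None:
        header = txid + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)   # QR|AA, 1 answer
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)        # ptr to qname, A, IN, TTL 60
        return header + question + rr + ipaddress.IPv4Address(ip).packed
    return txid + struct.pack("!HHHHH", 0x8403, 1, 0, 0, 0) + question  # RCODE 3

def build_query(name: str, txid: bytes = b"\x12\x34") -> bytes:
    """Wire-format A/IN query, used here to exercise the responder offline."""
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0) + body + b"\x00" + struct.pack("!HH", 1, 1)

def parse_answer_ip(resp: bytes):
    """Return the answered IPv4 as a string, or None on NXDOMAIN / no answer."""
    if (resp[3] & 0x0F) != 0 or struct.unpack("!H", resp[6:8])[0] == 0:
        return None
    return str(ipaddress.IPv4Address(resp[-4:]))

def serve(bind=("127.0.0.1", 5353)):
    """Single-threaded UDP loop; bind to port 53 on a real authoritative host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, peer = s.recvfrom(512)
            s.sendto(build_response(data), peer)
```

Note that resolvers with DNS rebinding protection may drop public names that resolve to private addresses, which is one reason the cloud-free approach discussed later in the thread is attractive.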

I’m not sure if you’re aware, but we actually already provide this kind of service for WebThings Gateway.

During first-time setup you are offered the option of setting up a *.mozilla-iot.org subdomain to safely access your gateway over the Internet. We automatically configure DNS, generate a certificate using LetsEncrypt and securely tunnel HTTPS traffic to your gateway using PageKite. You can find the source code of our registration server here. This solution means you can access your own gateway’s web interface via your own unique subdomain, without needing to reconfigure your home firewall, and with end-to-end encryption between your browser and your gateway.

The service is optional because you can always choose to register your own domain name and configure DNS, TLS and NAT yourself if you want to. Or host your own tunnelling server. Or choose to keep your gateway private to your home network. But if you do want remote access, it offers a lot of convenience and added security.

Currently we provide this tunnelling service for free, but it has a non-zero cost to Mozilla. Scaling this service or extending it to other use cases would certainly require a revenue stream to support it.

Note that PageKite run their own hosted version of the tunnelling service for general purpose use, though it requires a bit more technical knowledge to set up and AFAIK doesn’t automatically handle certificate registration. Their pricing is quite flexible but it costs from around $36 to $256/year depending on bandwidth usage and other perks.

It’s possible we could offer a paid service in future, if that’s something people are interested in.

we actually already provide this kind of service

It’s great that you provide that service but it’s not the same kind of service.

The problem that needs to be solved is not connecting from outside the house to devices inside the house over https. The problem is connecting inside the house from your browser to IoT devices inside the house over https.

The most common example is connecting to a home router’s settings webserver, usually at something like http://192.168.1.1. This is done via http for pretty much all home routers. The same is true of IoT cameras, etc. It’s those devices that need a way to use https for which there is currently no solution I know of except the plex solution.

Well, it technically does solve that problem too. The issue is that it requires a round trip to the Internet and therefore doesn’t work if your Internet connection goes down.

That’s what the HTTPS in Local Network Community Group are trying to solve. The Plex solution is clever, but ideally it would be possible to access local devices over HTTPS locally in a standard way without the need for anyone to run a cloud service. And it should still work when you have an Internet outage.

Thank you for the link to that group! I’ll follow along with what’s happening there.