Hacker News new | past | comments | ask | show | jobs | submit login

> the router would come with a custom burned-in key that it would use to authenticate itself to the CA and get the cert

I take apart the router, and get a valid certificate. Now I hijack DNS, and get you to connect to me.

HTTPS within LAN for this purpose is useless.




I take apart the router, and get a valid certificate

You only get a valid certificate for your router's address. But if you can take apart the router, you don't need to hijack the DNS, you can simply control its traffic.

But if you're a guest in my home and I see you take apart my router, you'll have to answer a few questions. Same in an office or coffeshop. Having LAN access doesn't mean you have complete physical control of the router. So the HTTPS is not useless.


You only get a valid certificate for your router's address.

Considering basically every router has the same address, I now have a valid certificate for basically every router.


Considering basically every router has the same address

They have the same IP address, not necessarily the same DNS hostname, which is what the certificates are tied to. The user would just be told to connect to the hostname (possibly printed in the sticker) rather than to the IP.


That's certainly one option, but what happens now if I change the IP of the router in its config, because I use multiple in my LAN, one as router, the others as AP?

There is no option for any of this that isn't completely messy and hacky


On first boot and every time you change its IP, the router sends an authenticated message to the server to update its DNS records.

As a bonus, the user doesn't have to change anything to keep accessing the router admin page after the switch.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: