Ryan Sleevi <r...@sleevi.com> writes: >I similarly suspect you’re unaware of https://wicg.github.io/cors-rfc1918/ in >which browsers seek to limit or restrict communication to such devices?
A... blog post? Not sure what that is, it's labelled "A Collection of Interesting Ideas", stashed on Github under the WICG's repository? No, for some inexplicable reason I seem to have missed that one. Is there a "Beware of the Leopard" sign somewhere? It talks a lot about details of CORS, but I'm not sure what it says about allowing secure HTTPS to devices at RFC 1918 addresses. The doc says "we propose a mitigation against these kinds of attacks that would require internal devices to explicitly opt-in to requests from the public internet", which indicates it's targeted at something altogether different. >while also acknowledging that you have not kept up with the state of the >industry for the past near-decade of improvements or enhancements If the industry actually publicised some of this stuff rather than posting articles with names like "A Collection of Interesting Ideas" to GitHub (which in any case doesn't look like it actually addresses the problem) then I might have kept up with it a bit more. And as I've already pointed out, given the number of vendors who are resorting to slipping in their own root CAs and other tricks, I'm not the only one who's missing all these well-hidden industry solutions. >> HTTPS to device with non-FQDN: ??? >> HTTPS to device with static IP address: ??? > >I suspect any answer such as “Don’t do this” or “This is intentionally not >supported” will be met by you as “impractical”. Try me. The reason why I ruled out "negotiate a custom deal with a commercial CA" is that it genuinely doesn't scale, you can't expect 10,000, 50,000, 100,000 (whatever the number is) device vendors to all cut a special deal with a commercial/public/whatever CA just to allow a browser to talk to their $30 Internet-connected whatsit. It's a simple enough question, so I'll repeat it again, a vendor selling some sort of Internet-connected device that needs to be administered via HTTP (i.e. using a browser), a printer, router, HVAC unit, whatever you like, wants to add encryption to the connection. How should they do this for the fairly common scenarios of: HTTPS to device on local network (e.g. RFC 1918). HTTPS to device with non-FQDN. HTTPS to device with static IP address. What's the recommended BCP for a vendor to allow browser-based HTTPS access for these scenarios? I'm genuinely curious. And please publish the recommendation so others can follow it (not on GitHub labelled "A Collection of Interesting Ideas"). Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy