google / WebFundamentals

Former git repo for WebFundamentals on developers.google.com
Apache License 2.0

Enabling HTTPS should mention buying a domain #4321

Open pinobatch opened 7 years ago

pinobatch commented 7 years ago

The article "Enabling HTTPS on Your Servers" gives a list of steps to enable HTTPS on a web server. For convenience, I'll summarize:

  1. Create a key pair
  2. Generate a CSR
  3. Submit this CSR to a CA to receive a certificate
  4. Configure your web server to use this certificate.

But it is missing one vital step: purchase a domain name from a domain registrar in order to give your server a fully-qualified domain name (FQDN).

The Baseline Requirements that all widely trusted CAs follow require servers to have an FQDN in order to be eligible for a certificate. In particular, the Baseline Requirements forbid issuing a certificate that covers a hostname within a made-up top-level domain (TLD), such as .local or .internal, or an IP address within a range reserved for a local area network (LAN), such as 192.168/16.

Web servers accessible through the Internet have an FQDN as a matter of course. But web servers internal to a LAN may not. Such a private server may have any of several roles:

Both Mozilla (in "Deprecating Non-Secure HTTP") and a Let's Encrypt representative (in an AMA on reddit) have acknowledged that securing these nameless private servers is a hard problem, but they haven't described particular solutions that scale.
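The eligibility rule described in the comment above can be checked before a CSR is generated. The following is an added example, not part of the original issue or of the WebFundamentals article; the function names, the short TLD list (an assumption standing in for a lookup against the IANA root zone) and the sample names are constructed for illustration.

```python
import ipaddress

# .local and .internal are the TLDs named in the issue; the others are
# special-use names added here as an assumption. A real check would compare
# the TLD against the IANA root zone instead of a fixed deny list.
NON_PUBLIC_TLDS = {"local", "internal", "localhost", "test", "example", "invalid"}


def check_name(name):
    """Return (eligible, reason) for one name intended for a certificate request."""
    candidate = name.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        ip = None  # not an IP literal, treat it as a hostname
    if ip is not None:
        # is_global is False for LAN ranges such as 192.168/16, loopback,
        # link-local and other reserved blocks.
        if ip.is_global:
            return True, "publicly routable IP address"
        return False, "reserved or private IP address"
    labels = candidate.split(".")
    if len(labels) < 2 or not all(labels):
        return False, "not a fully-qualified domain name"
    if labels[-1] in NON_PUBLIC_TLDS:
        return False, "made-up or special-use TLD ." + labels[-1]
    return True, "FQDN under a TLD that is not on the non-public list"


def audit(names):
    """Check every name planned for the CSR and return only the ineligible ones."""
    results = {n: check_name(n) for n in names}
    return {n: reason for n, (ok, reason) in results.items() if not ok}


# Constructed sample: names an administrator might put in one CSR.
SAMPLE_NAMES = ["www.example.com", "nas.local", "intranet.corp.internal",
                "192.168.1.10", "printer", "8.8.8.8"]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_NAMES).items():
        print(f"{name}: not eligible ({reason})")
```
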

kosamari commented 7 years ago

Will take a look at this as part of security content audit

pinobatch commented 7 years ago

For the benefit of those searching for this issue, FQDN-less servers are associated with the following protocols: