Secure web connections on private networks

The drive to secure the web with https traffic has had some unintended casualties. One of them is the ease of using browsers to talk to local devices on your network.

Kiri:Moto and all of Grid.Space must be served over https in order to be integrated into sites like Onshape, and also not to be penalized by Google or other search engines. It’s also just a good idea.

But when Kiri:Moto (KM) wants to talk to OctoPrint (OP) to spool a job and OP is running on your local home network, the current browser security regimes all but prevent it. And that’s because in order for a secure site (KM) to send data to a device (OP), it must not downgrade that connection to an insecure (http) one.

By default and out of necessity, OctoPrint typically only uses http on your home network. In order to have OctoPrint listen for https traffic, it needs a special certificate. And while you can create your own “self singed” certificates, this is not sufficiently secure for our purposes. Browsers will still reject the KM to OP connection in that case. The OP certificate needs to be signed by a root CA.

There are byzantine ways to accomplish this. It involves you controlling DNS services for a domain and some command line hijinks to convince LetsEncrypt to generate a certificate for you. Once the certificate is issued, it needs to be renewed every 60-80 days. So put the previous bit on repeat.

Because all of this is so difficult and there is no real sanctioned way to accomplish secure local/private network communications, most devices use secured cloud endpoints to route traffic from your desktop to the 3d printer, cnc mill, or laser cutter sitting next to you. This is daft. Yet we now accept it as the norm that data to control devices in our immediate proximity probably has to go through an AWS server somewhere else first.

Good luck using your expensive tools or changing your thermostat if you have poor internet service or AWS is having a bad day.

There are efforts underway to remedy this. But realistically it will be years before they are ratified and begin to be supported by browsers.

In the meantime, I have stood up a service that does all of this for you. It will allow you to claim a host name under the my.addr.live sub-domain, map it to an RFC1918 private address, and then download certificates that you can install on a local device with that IP address.

Once you’ve done this, you can access, for example, your local OctoPrint device as oppunome.my.addr.live from within your browser over https. But more importantly, you can tell Kiri:Moto to send a print directly to that host name and the traffic will never leave your home network.

The web page to claim a host name and get a certificate is at:

https://a.grid.space

I look forward to your feedback

so you are saying you just do this once, ie get a cert from my.addr.live and you never have to do it again?

I REALLY like my stuff to run locally and only go outside the network for update information so that when the Big One hits, I can still operate my machines on my local LAN.

The cert has to be renewed every 90 days, and this is automated. All you have to do is setup a cron job to (curl/wget) pull the updated file(s) at some interval from the link provided and place them on your server.

This is a great solution Stuart. Security is hard, and thus why very few things on local networks have HTTPS, so kudos for making a solution and sharing it with the world.

So it will only run on an isolated LAN for 90 days from when the cert was last obtained. Got it but wish there was an easy way to just let stuff run on isolated networks instead of being forced to have any kind of umbilical cord tied to some outside network.

Unfortunately, those are the rules made by higher powers. No cert lasts forever. They’ve been steadily reducing the life-span of all new certs over the years. So at least intermittent internet connectivity is required.

If there is no way to easily control this on a private LAN then these large vendors will be able to forced everything into the cloud at some point.

Another generous gift from Stewart Allen. Sweet.

For @DougL 's indefinitely disconnectable use case, can locally installed KM use HTTP on an isolated network?

I thought Stewart was saying that browser vendors were removing HTTP( non-secure ) connections and therefore KM installed locally would require certificates since it runs in ‘the browser’. Maybe I missed something said which implied this was only about KM on grid.space(ie on the Internet ).

This solves for a wide variety of use cases beyond Kiri:Moto talking to OctoPrint or other private / local https endpoints.

Hey Stewart, I was just made aware of this service by friend and thought I should let you know that handing out the same private key to everyone is a really, really bad idea. It would allow an attacker to obtain your key and certificate, sniff out a registered subdomain that suits him and disguise himself as a secure service on the local network, impersonating any domain registered using this tool.
The only secure way to solve this is to set up a different certificate for every registered subdomain and only hand out every cert+key pair once, or only make it accessibly to the same email address in some foolproof way.
Also please be aware that Letsencrypt tends to revoke certificates like this and lock the accounts tied to them.

FWIW, a self-signed certificate would be significantly more secure than this and creating a root to sign them that can be added to your OS or browser is fairly straight forward. Another option is to use Letsencrypt with certbot in a cron-job to auto-renew every 90 days, DuckDNS is a free DDNS service that can be used in conjunction with this for a very easy to set up, no-maintenance and most importantly free solution to this problem.

While I think this attack vector is remote, I did setup the ability to generate a cert per IP on the back end. It was originally setup this way for testing. But point taken. I will change the way certs are generated. I do think asking people to generate, add certs to their browser, and also sign their own with it is a tall order. It’s already harder than it has to be with this helper.