13

For an embedded device under development we have a requirement for logging in to its web without sending user credentials in clear text.

The look of the login form should be customizable, so digest authentication is not possible. The only remaining option, as we see it, is to use HTTPS with SSL.

The device is usually accessed from the local network by its IP address, but could also be made accessible from the internet.

My question is: Is it at all possible to prevent the "Could not be certified" browser warning, when no DNS name is assigned to the locally accessed device? As I see it, an SSL certificate must be bound to a DNS name and certified at a Certificate Authority for the browser to fully accept the certificate.

I am fully aware of the fact that without a certified certification the browser cannot authenticate the web server, which could lead to a "man-in-the-middle" attack.

When the device is fully configured it's only accessed very rarely, but it should be easily accessible.

6
  • If you have the certificate's fingerprints beforehand (which is only manageable for a handful of devices), you can check them when presented with the self-signed certificate. If they match, it is your device all right. Commented Mar 6, 2012 at 13:00
  • @Piskvor having a CA certificate and issuing custom device certificates would be easier from a management point of view - the client would need to install/trust just one CA certificate. Commented Mar 6, 2012 at 13:27
  • 1
    @Eugene Mayevski 'EldoS Corp: I'd be extremely hesitant to install a network hardware maker's CA certificate - that just waves a humongous red flag and screams "MITM" (As you know, any trusted CA can issue certificates for any website, and they'll be trusted by the browser). Commented Mar 6, 2012 at 13:43
  • 1
    @Piskvor trusting a bunch of self-signed certificates (which have private keys in the device and no way to revoke a leaked certificate) is even more risky. Commented Mar 6, 2012 at 13:51
  • 3
    @Eugene Mayevski 'EldoS Corp: Not really. If compromised, the self-signed certs will give you MITM capabilities over that device only. The CA...well, if compromised ("bought out by a rogue agent" is also a form of compromise) it gives you MITM capability over the whole of HTTPS, and is not limited to the traffic passing just over that one device. If even a company whose bread-and-butter is being a CA can't do that right (e.g. Comodo, DigiNotar), what makes you think it will be any better in a company where being a CA is just a necessary evil to avoid self-signed certs? Commented Mar 6, 2012 at 14:53

1 Answer

7

HTTPS does allow for a certificate to be issued to an IP address instead of a hostname. Indeed, the HTTPS specification (RFC 2818) states "In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI."

So, if you can obtain an SSL/TLS certificate from a CA that is bound to the IP address of your device, then clients connecting to it should accept it as valid as (1) the URI used to access the device is the IP address that matches that contained within the certificate, and (2) the certificate is issued by a CA chain trusted by the client device.

If you only need to access this device using clients that you control, you can use a self-signed, bound to the IP address, certificate that you generate, but you would need to configure each client that would access it to explicitly trust that certificate since it would not be issued by a trusted CA.


4 Comments

OK. We are going to ship a whole lot of devices, mainly to be accessible on a local network with local IP addresses. So as I see it, it is not possible to prevent the browser warning other than manually setting the certificate as trusted in the browser, as the browser has no way of authenticating the self-signed certificate.
Are routers and other network equipment with a web interface also using a self-signed certificate when SSL is enabled?
(1) I agree. (2) Common practice is to ship with a self-signed certificate for the web interface (that will generate a warning from a browser connecting) and allow the uploading of a different certificate by the device administrator. Therefore, the person responsible for the device can either accept the warning or upload their own trusted certificate.
OK that "certificate uploading" might be a solution. Thank you so much for your help!
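
The RFC 2818 rule quoted in the answer, written out as an added example (it is not code from any of the posts above): when the URI host is an IP literal, only `iPAddress` subjectAltName entries count, so an address placed in the subject CN or in a dNSName entry does not satisfy it. The certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function name, the sample certificates and the addresses are constructed for illustration.

```python
import ipaddress


def ip_identity_ok(uri_host, cert):
    """Return (ok, reason) for an https://<ip>/ URI checked against a certificate.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert().
    """
    try:
        wanted = ipaddress.ip_address(uri_host.strip("[]"))  # allow [v6] URI form
    except ValueError:
        return False, "URI host is not an IP literal; dNSName rules apply instead"
    seen = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":   # a dNSName that looks like an IP does not count
            continue
        try:
            san_ip = ipaddress.ip_address(value.strip())
        except ValueError:
            continue               # malformed entry: never treat it as a match
        if san_ip == wanted:       # compares parsed addresses, not text forms
            return True, f"iPAddress subjectAltName matches {wanted}"
        seen.append(str(san_ip))
    if seen:
        return False, f"certificate is bound to {', '.join(seen)}, not {wanted}"
    return False, "no iPAddress subjectAltName (the subject CN is not consulted)"


# Constructed sample certificates; all addresses are illustrative.
DEVICE_CERT = {
    "subject": ((("commonName", "device"),),),
    "subjectAltName": (("IP Address", "192.168.1.50"),
                       ("IP Address", "FD00:0:0:0:0:0:0:50")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "192.168.1.50"),),)}
DNS_SAN_CERT = {"subjectAltName": (("DNS", "192.168.1.50"),)}

if __name__ == "__main__":
    cases = [("192.168.1.50", DEVICE_CERT),   # address the cert was issued for
             ("[fd00::50]", DEVICE_CERT),     # same device over IPv6
             ("192.168.1.51", DEVICE_CERT),   # device moved to a new address
             ("192.168.1.50", CN_ONLY_CERT),  # address only in the CN
             ("192.168.1.50", DNS_SAN_CERT)]  # address in the wrong SAN type
    for host, cert in cases:
        print(host, "->", ip_identity_ok(host, cert))
```

The third case is the one that matters for devices shipped to local networks: once the device's address changes, a certificate bound to the old address no longer matches and has to be reissued or replaced through the upload mechanism mentioned above.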
