SSL Certs for IP Addresses Available Now

DrWizzle

Let's Encrypt have now started to issue certs for public-facing IP addresses, as well as their famed free TLS and DV SSL certs.

This is an absolute game changer!! 🤩🤩

Now you can simply run a site without a domain name, with SSL. Whilst I don't think that's the real takeaway and purpose here, it is dead handy for when you spin up a new server and haven't got DNS fully functional for your hostname yet. So in theory, you could buy a server, install DirectAdmin and not have to worry about using DA's DNS and temp link to log in to your panel securely. You could simply use the server's given IP securely, out of the box. It's something DA would have to implement, unless you set it up by obtaining certs yourself first before installing DA.

I have to add, there are two caveats here:

- You CANNOT use one of these certs with a local IP, for example 10.0.10.272 or 192.168.0.100
- Certs are aggressively renewed, and expire after 7 days, so daily issuance is recommended (I guess as it's only supposed to be a temp fix)

This has so much potential!

IPv4 and IPv6 supported, Pics incoming...! 😁

Edit - Here are pics showing SSL on IPs 😊

https://[2a01:4f9:c013:5051::1]

Certificate issuance

 
So in theory, you could buy a server, install directadmin and not have to worry about using DA's DNS and temp link to log in to your panel securely.
So no change at all, as this is also possible at this moment already, since DA uses an SSL based on the IP.
That's why it's called (for example) 65.21.61.62-da.direct as hostname. So this way you can already directly visit your server via SSL by the hostname.
So this is already implemented. Out of the box!

This has so much potential!
To me this sounds like bad news, as this will make it a lot easier again for spammers to use SSL and stuff, without the cost of a domain name to register.
Fun for hobbyists and maybe website devs, but imho they will be sorry later on for doing this.
 
So no change at all, as this is also possible at this moment already, since DA uses an SSL based on the IP.
That's why it's called (for example) 65.21.61.62-da.direct as hostname. So this way you can already directly visit your server via SSL by the hostname.
So this is already implemented. Out of the box!


To me this sounds like bad news, as this will make it a lot easier again for spammers to use SSL and stuff, without the cost of a domain name to register.
Fun for hobbyists and maybe website devs, but imho they will be sorry later on for doing this.

Yeah I know DA do the 65.21.61.62-da.direct thing which is really handy. I do remember someone complaining about it, but I personally don't see it as a bad thing with what DA are doing and should not ditch this at all. I was merely stating it may be an option if someone hasn't set up their DNS and wants to use their IP.

Could use them on your Directslave projects? Hostname's always protected if you put a cert on like you should, but the IP itself isn't. Just a thought

I guess it could be good for devs to secure a server before they get a customer's domain sorted. I mean, not everyone spins up a VPS or dedi and then puts DA or other panels on it immediately.

Maybe organizations that run servers and don't have DNS sorted, or don't plan at all to have DNS set up. And I don't see it quite like you do with spammers, for example. Nothing stopping them spinning up servers as they do now, and using free/cheap domains with free SSL. You'll never get rid of spammers or botnets, unfortunately.

Certs are very short-lived, so you'd have to set up a cron to reissue every few days if you wanted to keep it IP only. People have asked Let's Encrypt for this, for domainless projects, and they've obliged. They are not a replacement for the TLS certs either, more of an extension.

I can see hobbyists taking advantage of it like you say. I mean, I think it's cool in some ways, as an IP can look like a phone number. In my example I've been given an 8 digit IP, 65.21.61.62, really no different from the format of a French phone number, for example. Advertising maybe? 😁

I mean there is good and bad associated with this. It's great to be positive about new things, but as you point out, it's also good to point out and identify the potential pitfalls and problems. 😉
 
Yeah I know DA do the 65.21.61.62-da.direct thing which is really handy.
Name me one reason why. Because I can name you a couple of reasons why it's not. Starting with teaching people the wrong way; lots don't even know how to set up a hostname correctly and then come complaining that they have mail issues, which we almost never had in the early days.
Otherwise I wouldn't have needed to write that hostname manual I did, which lots of people used (or rather had to use) to fix things.

Second is that yes, you can visit the panel, but it's anyway best to not do anything until the background things are installed, otherwise the changes are not integrated into, for example, Apache and you get odd things like missing domain names or other errors.
So if you have to wait anyway, you can just as well set up things correctly and learn to do it correctly, and then an LE SSL certificate is there fast enough with the autoSSL.

DS does not need to be an exception. Just using a subdomain of your domain as hostname is very well possible, like ds.domain.com or something like that. We have it that way, and even with SSL!

Seems LE is the first one doing it, and I'm sure there is a reason others didn't do it before. I can't imagine an organisation not wanting to set up their network correctly with a domain name, certainly not these days.

Short-lived, yes, well... 3 months. And people asked for this. Yes, well, people always ask for things; it doesn't always mean those things are good or wise.

So until now I don't see any benefits at all, except for a few hobbyists and website devs. Of course I could be wrong, maybe some have some great examples.

But you don't need to convince me. I just gave my opinion. Let's talk in a few years and see if my thoughts were wrong or right. But I fear the worst, and probably it's not even RFC conformant.
 
Yeah I know DA do the 65.21.61.62-da.direct thing which is really handy. I do remember someone complaining about it, but I personally don't see it as a bad thing with what DA are doing and should not ditch this at all. I was merely stating it may be an option if someone hasn't set up their DNS and wants to use their IP.

Could use them on your Directslave projects? Hostname's always protected if you put a cert on like you should, but the IP itself isn't. Just a thought

I guess it could be good for devs to secure a server before they get a customer's domain sorted. I mean, not everyone spins up a VPS or dedi and then puts DA or other panels on it immediately.

Maybe organizations that run servers and don't have DNS sorted, or don't plan at all to have DNS set up. And I don't see it quite like you do with spammers, for example. Nothing stopping them spinning up servers as they do now, and using free/cheap domains with free SSL. You'll never get rid of spammers or botnets, unfortunately.

Certs are very short-lived, so you'd have to set up a cron to reissue every few days if you wanted to keep it IP only. People have asked Let's Encrypt for this, for domainless projects, and they've obliged. They are not a replacement for the TLS certs either, more of an extension.

I can see hobbyists taking advantage of it like you say. I mean, I think it's cool in some ways, as an IP can look like a phone number. In my example I've been given an 8 digit IP, 65.21.61.62, really no different from the format of a French phone number, for example. Advertising maybe? 😁

I mean there is good and bad associated with this. It's great to be positive about new things, but as you point out, it's also good to point out and identify the potential pitfalls and problems. 😉
Finally, spinning up servers with TLS, no MITM, no CN/SAN crap, perfect for headless installs, no resolver dependencies. It's actually safer than with a domain because DNS spoofing ain't working anymore. :)
 
Finally, spinning up servers with TLS, no MITM, no CN/SAN crap, perfect for headless installs, no resolver dependencies. It's actually safer than with a domain because DNS spoofing ain't working anymore. :)
Finally, someone who thinks it's a good idea 😁😁. You're dead right though, can't spoof that DNS if there ain't any! I love taking their toys away 🤣🤣🤣
 
Out of curiosity.... what will you be using them for then?
Uhmm, I see a few interesting options in the network architecture and security field.

- much smaller attack surface.
- domainless machine to machine communication.
- provisioning sometimes
- internal APIs
- the 'safety' of not requiring SNI, so fewer manipulation vectors
- worthless when used on another IP, so a good protection against theft.
- can be used earlier in boot phases where resolving isn't available yet.

But for the average web user it's probably totally worthless, because it's, well... one of a kind (IP) SSL and has limited use.
 
Uhmm, I see a few interesting options in the network architecture and security field.

- much smaller attack surface.
- domainless machine to machine communication.
- provisioning sometimes
- internal APIs
- the 'safety' of not requiring SNI, so fewer manipulation vectors
- worthless when used on another IP, so a good protection against theft.
- can be used earlier in boot phases where resolving isn't available yet.

But for the average web user it's probably totally worthless, because it's, well... one of a kind (IP) SSL and has limited use.
That's the line of thought I was using when I decided to post this thread. Not that your average Joe would get much from this (unless a real hobbyist) but more for the techs, devs and sysadmins out there that don't have DNS set up, don't want or plan to use it, or no domain bought yet (as I said earlier) but want their server security path secured at the earliest operational instance. After all, not everyone uses DA.

And I'm not on about those who will complain their email isn't working because the hostname is incorrect etc., as this type of cert isn't for, or simply cannot be used for, email, as SMTP requires DNS to be present.

I can see some interesting things developing from this, good and maybe bad. This is certainly progress, whatever direction you want to look at it. These certs wouldn't have become a thing if enough didn't ask for them. 😁
 
- domainless machine to machine communication.
What kind of purposes are you thinking of?

Because I don't know what provisioning is, but internal APIs are internal, so why would one need SSL for that?

I'm just curious about things which really make sense, so that would be things which connect to the internet or the other way around.
A smaller attack surface depends on what you're using it for (which I still don't see), because IPs will get attacked anyway.

- can be used earlier in boot phases where resolving isn't available yet.
Yes, but to what purpose? I wasn't clear, I guess.
I was curious why it would be beneficial. So the purposes, not just a "could be fine", but really "is usable for", and well... who cares about resolving early in boot phases. For which usable purpose (application) would this small effect in time be good?

You gave some good arguments, but the question is how they would be used.
To me it sounds like (bit of a stupid example) we get an extra spare wheel on a car.
- Yeah, that's great for if the other spare loses air
- It's great for if we get two flat tires
- If we go to the beach we have a tire to play with.

All good arguments, but usability is totally unclear or not required. Which is why I'm still curious as to my examples. Hobbyists and developers.
Who else would use that and to what purpose (applications, requirements), not just what one could do but probably never will, or isn't required, like with internal handling maybe.

There must have been a lot of questions for it otherwise LE would not have done it, I just don't see the benefits yet.
Security for machine to machine communication where no domain is required is a benefit. I don't know of such a situation, but I guess there will be something like that. Although that communication is then only on HTTPS level, if I understood correctly, right?

These certs wouldn't have become a thing if enough didn't ask for them. 😁
Right. That's why I'm curious about real valid examples which people would really use, not only "nice to have because" and then never use it. I'm just curious. Because I'm sure I'm missing things somewhere.
 
That's the line of thought I was using when I decided to post this thread. Not that your average Joe would get much from this (unless a real hobbyist) but more for the techs, devs and sysadmins out there that don't have DNS set up, don't want or plan to use it, or no domain bought yet (as I said earlier) but want their server security path secured at the earliest operational instance. After all, not everyone uses DA.

And I'm not on about those who will complain their email isn't working because the hostname is incorrect etc., as this type of cert isn't for, or simply cannot be used for, email, as SMTP requires DNS to be present.

I can see some interesting things developing from this, good and maybe bad. This is certainly progress, whatever direction you want to look at it. These certs wouldn't have become a thing if enough didn't ask for them. 😁
Everything good can be used for bad. Obviously malware from https://1.2.3.4 is going to work. Then again, today that's 'dsafdsfdsafdshfdgsfds.fdsgfhsgfdhsfd.com' and also works...

But having an up-to-date IP SSL cert without the need for DNS/SNI related stuff, that also expires within a week... is... very nice.
 
Then again, today that's 'dsafdsfdsafdshfdgsfds.fdsgfhsgfdhsfd.com' and also works...
Correct, but costs more money and effort to setup.

But having an up-to-date IP SSL cert without the need for DNS/SNI related stuff, that also expires within a week... is... very nice.
I'm sure it will be, but what you would use it for?
And within a week? Aren't those for 3 months also then?
 
- domainless machine to machine communication.
What kind of purposes are you thinking of?

Because I don't know what provisioning is, but internal APIs are internal, so why would one need SSL for that?

I'm just curious about things which really make sense, so that would be things which connect to the internet or the other way around.
A smaller attack surface depends on what you're using it for (which I still don't see), because IPs will get attacked anyway.


Yes, but to what purpose? I wasn't clear, I guess.
I was curious why it would be beneficial. So the purposes, not just a "could be fine", but really "is usable for", and well... who cares about resolving early in boot phases. For which usable purpose (application) would this small effect in time be good?

You gave some good arguments, but the question is how they would be used.
To me it sounds like (bit of a stupid example) we get an extra spare wheel on a car.
- Yeah, that's great for if the other spare loses air
- It's great for if we get two flat tires
- If we go to the beach we have a tire to play with.

All good arguments, but usability is totally unclear or not required. Which is why I'm still curious as to my examples. Hobbyists and developers.
Who else would use that and to what purpose (applications, requirements), not just what one could do but probably never will, or isn't required, like with internal handling maybe.

There must have been a lot of questions for it otherwise LE would not have done it, I just don't see the benefits yet.
Security for machine to machine communication where no domain is required is a benefit. I don't know of such a situation, but I guess there will be something like that. Although that communication is then only on HTTPS level, if I understood correctly, right?


Right. That's why I'm curious about real valid examples which people would really use, not only "nice to have because" and then never use it. I'm just curious. Because I'm sure I'm missing things somewhere.
Well, provisioning is actually nothing more than the moment a VPS is created, where the resolv.conf is empty and resolvers aren't working yet.
But imagine I only want to talk securely to 1.2.3.4. Not to a name that whatever DNS admin named something. Or it needs to work even when that same admin pushed DNS errorcrap on Friday? Or your DNS is DDoS'ed into oblivion and your backups stop working.

Yeah, ok, it's hard to make it cool :)
 
I'm sure it will be, but what you would use it for?
And within a week? Aren't those for 3 months also then?

I did say they were aggressive with the issue periods, as illustrated in pic 3, post #1. They are issued for 7 days only. I guess this is as most use cases are startup servers, and only need a few hours maybe, but that protection could be very valuable. The other reason (among many more, I'm sure) is security. The CA verifies you are still in control of that IP, as I guess datacentres like Vultr, Hetzner and the like have many thousands of IPs and they shift daily with VPS provisioning and deletion.
 
Correct, but costs more money and effort to setup.


I'm sure it will be, but what you would use it for?
And within a week? Aren't those for 3 months also then?
Well, everyone has a 1$ voucher at the cheapest hoster available *kuch* where Donald Duck can get his domain, or whatever a stolen and already maxed out credit card says. They pay nothing. And one wrong click of a user, in 1000 mails from a single brute-forced email account, will get them only more money.
And sadly this darkweb-as-a-service is often cheaper (with numbers) than I even have to pay for a .com domain. So, SSL on an IP address... not sure if this has a real impact. We might not see the difference between 'm' and 'rn' but we get 'microthingy.com' vs '1.2.3.4'.

I think they were short-lived... Not sure... Not using it yet and this is not my thinking day :)
 
I think they were short-lived... Not sure... Not using it yet and this is not my thinking day :)

Issued for a max of 7 days, and you can also add in normal DNS based identifiers as well into the certificate if they all resolve to the same IP address.
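Since the thread keeps coming back to the 7-day lifetime (the caveats in post #1, the "set up a cron to reissue" remark, and the mixed IP + DNS identifiers just mentioned), here is a pre-flight check a daily cron job could run on such a certificate. This is an added example, not code from the thread, from DirectAdmin or from Let's Encrypt; it assumes openssl 1.1.1 or newer on PATH, IPv4 only, and uses throwaway self-signed certs generated locally with documentation addresses (203.0.113.10, 198.51.100.7) so it runs offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for a short-lived IP-address certificate.
# Assumes openssl >= 1.1.1 (for -addext). The certs are constructed locally and
# self-signed; the same checks apply unchanged to a real Let's Encrypt IP cert.

# Assumed renewal policy: reissue once fewer than 3 of the 7 days remain, so a
# daily cron run still gets two more attempts before the cert actually expires.
RENEW_BEFORE_SECONDS=$((3 * 24 * 3600))

# List the "IP Address" entries of the subjectAltName, one per line. DNS entries
# in a mixed certificate are filtered out.
cert_ip_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*IP Address:\(.*\)$/\1/p'
}

# Succeed only if the certificate names the given IPv4 address. A cert copied to
# a host with another address fails TLS verification anyway; this catches the
# mistake before a service is restarted with it.
cert_covers_ip() {
  cert_ip_sans "$1" | grep -qxF "$2"
}

# Succeed when the certificate expires within RENEW_BEFORE_SECONDS.
# 'openssl x509 -checkend N' exits 0 if the cert is still valid N seconds from now.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend "$RENEW_BEFORE_SECONDS" >/dev/null; then
    return 1
  fi
  return 0
}

# Constructed inputs: a fresh 7-day cert with a mixed IP + DNS SAN, and a 1-day
# cert that is close to expiry. Private keys are discarded, only certs are kept.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out demo_fresh.pem \
    -days 7 -subj "/CN=203.0.113.10" \
    -addext "subjectAltName=IP:203.0.113.10,DNS:host.example.invalid" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out demo_stale.pem \
    -days 1 -subj "/CN=203.0.113.10" \
    -addext "subjectAltName=IP:203.0.113.10" >/dev/null 2>&1
}

# Cron-style report: one line per certificate.
main() {
  make_demo_certs
  for c in demo_fresh.pem demo_stale.pem; do
    if cert_covers_ip "$c" 203.0.113.10; then san=ok; else san=MISSING; fi
    if needs_renewal "$c"; then state="reissue now"; else state="still fresh"; fi
    echo "$c: SAN $san, $state"
  done
}
main "$@"
```

In a real cron job the reissue step (certbot or another ACME client) would follow a successful `needs_renewal`, and the address passed to `cert_covers_ip` would be the one the service actually listens on.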
 
As I wanted to play with this yesterday and explore it a little more, @sysdev, I bought a cheap domain for a few £ and spun up a VPS (as illustrated above), set the hostname and put the IP cert on. Here's what the cert reports:

So, in effect if you needed to mix and match for whatever reason, you could.

 
Correct, but costs more money and effort to setup.


I'm sure it will be, but what you would use it for?
And within a week? Aren't those for 3 months also then?
Firmware updates and IPMI are maybe a good example. You obviously want to keep some things outside of any DNS without having to resort to a split DNS setup. As I also do a lot of IoT electronics, every step I don't have to take is an instant win.

It sucks if you only want SNI to work, but it has some interesting possibilities.
 