this post was submitted on 14 Sep 2024
47 points (91.2% liked)

Firefox

17857 readers
1 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
47
On .LAN domains, how to stop firefox switching to https (when it's not available) and stop complaining about self-signed certificates when it is available ? (lemmy.ml)
submitted 11 months ago* (last edited 10 months ago) by interdimensionalmeme@lemmy.ml to c/firefox@lemmy.ml
22 comments fedilink hide all child comments
 

I'm just so annoyed of fighting this all the time.

If I can't figure this out I'm going to disable all https redirecting and all certificate errors off so I can have some peace

EDIT: I do not wish to manage certificates I do not want to setup private key infrastructure I don't want to use real internet domain names I don't want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines

I just want to, add exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] ReversalHatchery@beehaw.org 1 points 11 months ago (1 children)

but it's their CA so why would they do that?

I don't mean them specifically, but that to me managing access to such a CA cert's keys is security nightmare, because if I somehow get an infection, and it finds the cert file and the private key, it'll be much easier for it to make itself more persistent than I want it.

But if you don't trust your own CA what's the point of having a CA?

That's the point. I don't recommend having one. I recommend self signed certs that are

  • limited to a lan (sub)domain or a wildcard of it
  • you verified by the fingerprint (firefox can show this)
  • you only allowed for those of your internal services for the cert was intended

Or if you don't want to deal with self signed certs, buy a domain and do lets encrypt with the DNS challenge.
That's also more secure, but can be more of a hassle, though I guess it depends on preference.

But then I would use this latter one too if I had opened any services to the internet, but I didn't because I don't need to.