Adding SSL to home domain

SAguy

Honorary Master
Joined
Nov 4, 2013
Messages
10,614
I've got my own domain, with DynDNS set up on my router.
On my router I have a couple of ports open so I can manage some things externally.

Is there any way I can purchase an SSL cert and make use of it on my home network so when I access things externally I can be sure my connection is secure?

Thinking about it now though - since https is on 443, how does that work with port forwarding if my IP camera is on a random port 8009?

Would I have to have an apache server running at home, load my public key there? Then instead of using port forwarding only access my home network devices using ports, use a path such as https://abc.example.co.za/camera and let apache do a reverse proxy to that device?

Mmmm... Think I'm answering my own question here.
 
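The reverse-proxy layout the post sketches (TLS terminated by Apache on 443, the camera reached as a path rather than its own forwarded port) can be written down as an Apache vhost. The script below is an added example, not something from the original post: it writes such a vhost, putting HTTP Basic authentication in front of the proxied path so that Apache, not the camera's own web UI, decides who gets in. The hostname abc.example.co.za is the one used in the post; the camera address 192.168.1.50:8009, the htpasswd file and the certificate directory are assumptions passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the original post): emit an Apache vhost that
# terminates TLS on 443 and reverse-proxies /camera/ to an IP camera on
# the LAN. Requires mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic
# and mod_alias. All addresses and paths are assumptions.
set -eu

write_camera_vhost() {
    # $1 output file, $2 public hostname, $3 camera base URL (no trailing /),
    # $4 directory holding fullchain.pem and privkey.pem (certbot layout)
    out=$1; host=$2; backend=$3; certdir=$4
    cat > "$out" <<EOF
# Port 80 only redirects; nothing is served in the clear.
<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile    $certdir/fullchain.pem
    SSLCertificateKeyFile $certdir/privkey.pem
    # Refuse SSLv3/TLS 1.0/1.1; leave TLS 1.2 and 1.3.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Never act as a forward proxy for arbitrary destinations.
    ProxyRequests Off

    # Apache authenticates the remote user before any request reaches the
    # camera's own (usually weak) login page. One path per device.
    <Location "/camera/">
        AuthType Basic
        AuthName "Home"
        AuthUserFile /etc/apache2/home.htpasswd
        Require valid-user
        ProxyPass        "$backend/"
        ProxyPassReverse "$backend/"
    </Location>
</VirtualHost>
EOF
}

# Example call (paths are assumptions):
#   write_camera_vhost /etc/apache2/sites-available/camera.conf \
#       abc.example.co.za http://192.168.1.50:8009 \
#       /etc/letsencrypt/live/abc.example.co.za
```

Create the password file with `htpasswd -c /etc/apache2/home.htpasswd <user>`, enable the site and the modules listed in the header, and reload Apache. The camera then only needs to be reachable from the Apache host on the LAN; its port 8009 is no longer forwarded from the router at all.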

syntax

Executive Member
Joined
May 16, 2008
Messages
8,655
The SSL cert verifies the site identity; it does not have a bearing on encryption over a non-validated certificate.
I am not sure I would bother buying a cert for a home network, but it's up to you.

Port forwarding is just that: you forward port X to port Y.
You access via the normal port X, and the port forward takes care of swapping the ports as long as your app listens on port Y.
If you wanted to use different ports then

https://example.com:8080
 

infscrtyrisk

Expert Member
Joined
Nov 22, 2014
Messages
1,296
What is it that you want to secure -- the userid / password login of the external interface? If so, why not just set up your own CA & use a self-signed cert? Also, seriously consider a WAF, routers don't usually have very secure web app interfaces... though a proper IPSec VPN would be best.
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,259
I've got my own domain, with DynDNS set up on my router.
On my router I have a couple of ports open so I can manage some things externally.

Is there any way I can purchase an SSL cert and make use of it on my home network so when I access things externally I can be sure my connection is secure?

Thinking about it now though - since https is on 443, how does that work with port forwarding if my IP camera is on a random port 8009?

Would I have to have an apache server running at home, load my public key there? Then instead of using port forwarding only access my home network devices using ports, use a path such as https://abc.example.co.za/camera and let apache do a reverse proxy to that device?

Mmmm... Think I'm answering my own question here.

You can get a free SSL cert from letsencrypt with very little effort. The problem is that having an SSL certificate doesn't make any promises about the security of the thing at the end of the tunnel.

Think of it as the following:

* an unencrypted connection is like using a clear pipe to siphon petrol into your car. Someone watching can see what you are putting into the tank.
* an encrypted connection is an opaque pipe. Someone watching can't see what is poured into the car.

HOWEVER:

Someone else could ALSO use an opaque pipe to pour something into the car. If they choose to pour sugar water into the tank, you're going to have a bad day.

All this means is that if whatever is listening on the other end of your SSL connection is not checking what is coming in carefully (authentication, validation), you have a security problem regardless of whether that was sent over an SSL connection or not.

Apart from anything else, google recent stories of DDoS attacks generated from compromised IP cameras.

FWIW, I have an SSL cert for my home router (running OpenWRT, managed by letsencrypt). It's not exposed to the internet, however, and my primary use case for it is actually playing with EAP-TLS for a guest network.
 

SAguy

Honorary Master
Joined
Nov 4, 2013
Messages
10,614
Thanks infscrtyrisk and RoganDawes for the responses.

For me it's about securing logins when I log on to applications on my network from outside, such as my DVR via the web portal.
Based on the replies an SSL cert would add to the security measures in place, but again I'm only as secure as those portals themselves are.

Best option would be a vpn I guess, but that would mean I first need to connect to the vpn on my phone before any of the applications work - I doubt these apps have built in configuration for connecting via a vpn tunnel.
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,259
Setting up a VPN to your router is first prize, yes. That would provide strong authentication that you are authorized to even start speaking to the other services on your network.
 

Watchdogs

Member
Joined
Apr 23, 2018
Messages
15
Best option would be a vpn I guess, but that would mean I first need to connect to the vpn on my phone before any of the applications work - I doubt these apps have built in configuration for connecting via a vpn tunnel.

A secure VPN would be a good option... but there is a balance between security and convenience unfortunately... you have to decide what is more important. If you set up a private tunnel via the router (i.e. Netgear) and use a trusted VPN client, I doubt you will have issues connecting to the apps if the router is configured correctly.
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,655
You can get a free SSL cert from letsencrypt with very little effort. The problem is that having an SSL certificate doesn't make any promises about the security of the thing at the end of the tunnel.

Think of it as the following:

* an unencrypted connection is like using a clear pipe to siphon petrol into your car. Someone watching can see what you are putting into the tank.
* an encrypted connection is an opaque pipe. Someone watching can't see what is poured into the car.

HOWEVER:

Someone else could ALSO use an opaque pipe to pour something into the car. If they choose to pour sugar water into the tank, you're going to have a bad day.

All this means is that if whatever is listening on the other end of your SSL connection is not checking what is coming in carefully (authentication, validation), you have a security problem regardless of whether that was sent over an SSL connection or not.

Apart from anything else, google recent stories of DDoS attacks generated from compromised IP cameras.

FWIW, I have an SSL cert for my home router (running OpenWRT, managed by letsencrypt). It's not exposed to the internet, however, and my primary use case for it is actually playing with EAP-TLS for a guest network.

I'm not sure I understand what you are saying; a self-signed cert has the same security as a trusted cert with the exception of verifying the authenticity of the site. The site hasn't been verified or "trusted" and you don't have a guarantee you are connecting to where or what you think you are connecting to. The risk is on the client side; for this scenario I don't believe there is a significant risk and I would be happy to use a self-signed cert myself.
 

infscrtyrisk

Expert Member
Joined
Nov 22, 2014
Messages
1,296
I'm not sure I understand what you are saying; a self-signed cert has the same security as a trusted cert with the exception of verifying the authenticity of the site.
True. I would argue that it's even more secure, provided of course that the CA has been set up securely. If you have signed the cert with a CA that you trust (because you set it up and maintain it :) ), then surely it would be better than a CA that someone else manages? Budget for the Ultimate Home CA would be roughly somewhere along the lines of under R2000 ZAR if one really wants to provision 3x Raspberry Pis: one offline (in a safe with ethernet ports filled with epoxy), one on a protected network and another handling validation.

The site hasn't been verified or "trusted" and you don't have a guarantee you are connecting to where or what you think you are connecting to.
Somewhat true. It's pretty dependable due to the aforementioned; TLS 1.2 mutual auth isn't bad when it's restricted to GCM ciphers, and TLS 1.3 will soon be here. Yes, it is dependent on dynamic DNS, and attacks need to be mitigated through some clever configs.

The risk is on the client side; for this scenario I don't believe there is a significant risk and I would be happy to use a self-signed cert myself.

Somewhat true, but for this statement to be true, we would have to rule out whatever is happening server side (and whatever else is on the network and being a home network :whistling: your guess is as good as mine).

Client side, totally true. A WAF would be great, so another Raspberry pi running apache with modsecurity (and some special sauce), breaking the TLS tunnel and inspecting (and blocking) traffic for nasties.

All things considered, including the costs of above, and assuming that the endpoint is secure (how secure is the average Android mobile :p) and that the OP hasn't got state secrets stored on his/her network, I'd go with self-signed certs. But a robustly configured IPSEC VPN (using dodgy, validated self-signed certs :)) may be more cost-effective and simpler.

Time for Binary Risk Analysis (please use Chrome).
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,655
True. I would argue that it's even more secure, provided of course that the CA has been set up securely. If you have signed the cert with a CA that you trust (because you set it up and maintain it :) ), then surely it would be better than a CA that someone else manages? Budget for the Ultimate Home CA would be roughly somewhere along the lines of under R2000 ZAR if one really wants to provision 3x Raspberry Pis: one offline (in a safe with ethernet ports filled with epoxy), one on a protected network and another handling validation.

My point was the security, as in the underlying technology in securing the traffic.

Somewhat true. It's pretty dependable due to the aforementioned; TLS 1.2 mutual auth isn't bad when it's restricted to GCM ciphers, and TLS 1.3 will soon be here. Yes, it is dependent on dynamic DNS, and attacks need to be mitigated through some clever configs.

Again my point is between 2 certs, one trusted and one not. Taking that the certs are identical in every other way, I believe then my statements are not somewhat true, but are true.

Somewhat true, but for this statement to be true, we would have to rule out whatever is happening server side (and whatever else is on the network and being a home network :whistling: your guess is as good as mine).

Exactly the same as my other points, the difference between trusted and untrusted, not between these kinds of negotiations in general.

Client side, totally true. A WAF would be great, so another Raspberry pi running apache with modsecurity (and some special sauce), breaking the TLS tunnel and inspecting (and blocking) traffic for nasties.

A WAF takes constant love and attention; if his site is that critical and requires this kind of security, I am not sure I would be hosting this at home. I would probably use a cloud provider and stick it behind them, like Cloudflare.
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,259
I'm not sure I understand what you are saying; a self-signed cert has the same security as a trusted cert with the exception of verifying the authenticity of the site. The site hasn't been verified or "trusted" and you don't have a guarantee you are connecting to where or what you think you are connecting to. The risk is on the client side; for this scenario I don't believe there is a significant risk and I would be happy to use a self-signed cert myself.

I don't believe I made any statements regarding the difference between the use of a certificate signed by a well-known authority, and a self signed cert in my post?

The ONLY difference a well-known authority makes is allowing OTHER people to make trust decisions. If you are the only user of your site, by all means, use a self-signed cert. Then add the CA to all your devices, making sure to avoid all the warnings, etc, that come along with additional CAs.

So in fact, contrary to my statement above, using a well-known CA can actually make your own life easier too. And, making use of ACME, means you don't have to worry about your own certificate expiring at an inopportune time!
 