franga2000 3 days ago

You use the terms "internal use" and "corporations" like they're interchangeable, but that's definitely not the case. Lots of small businesses, other organizations or even individuals want to have some internal services, and having to "set up" a CA and add the certs to all client devices just to access some app on the local network is absurd!

akerl_ 3 days ago | parent | next [-]

The average small business in 2025 is not running custom on-premise infrastructure to solve their problems. Small businesses are paying vendors to provide services, sometimes in the form of on-premise appliances but more often in the form of SaaS offerings. And I'm happy to have the CAB push those vendors to improve their TLS support via efforts like this.

Individuals are in the same boat: if you're running your own custom services at your house, you've self-identified as being in the amazingly small fraction of the population with both the technical literacy and desire to do so. Either set up LetsEncrypt or run your own ACME service; the CAB is making clear here and in prior changes that they're not letting the 1% hold back the security bar for everybody else.

JimBlackwood 3 days ago | parent | prev | next [-]

I don't think it's absurd, and personally it feels easier to set up an internal CA than some of the alternatives.

In the hackiest of setups, it's a few commands to generate a CA and issue a wildcard certificate for everything. Then a single line in the bootstrap script or documentation for new devices to trust the CA and you're done.

Going a few steps further, setting up something like Hashicorp Vault is not hard, and regardless of org size you need to do secret distribution somehow.

lucb1e 3 days ago | parent | next [-]

> it's a few commands to generate a CA

My dad still calls my terminals a "DOS window" and doesn't understand why I don't use GUIs like a normal person. He has his own business. He absolutely cannot just roll out a CA for secure comms with his local printer or whatever. He literally calls me to help with buying a PDF reader.

Myself, I'm employed at a small business and we're all as tech savvy as it gets. It took me several days to set it up on secure hardware (smartcard, figuring out compatibility and broken documentation), making sure I understand what all the options do and that it's secure for years to come and whatnot, working out what the procedure for issuing should be, etc. Eventually got it done, handed it over to the higher-up who gets to issue certs, distributed the CA cert to everyone... it's never used. We have a wiki page with TLS and SSH fingerprints.

JimBlackwood 3 days ago | parent | next [-]

> My dad still calls my terminals a "DOS window" and doesn't understand why I don't use GUIs like a normal person. He has his own business. He absolutely cannot just roll out a CA for secure comms with his local printer or whatever. He literally calls me to help with buying a PDF reader

This is fair. I assumed all small businesses would be tech startups, haha.

Retric 3 days ago | parent | prev [-]

The vast majority of companies operate just fine without understanding anything about building codes or vehicle repair etc.

Paying experts (Ed: setting up internal infrastructure) is a perfectly viable option, so the only real question is the amount of effort involved, not whether random people know how to do something.

lucb1e 3 days ago | parent | next [-]

Paying an expert to come set up a local CA seems rather silly when you'd normally outsource operating one to the people who professionally run a CA.

Retric 3 days ago | parent [-]

You’d only need internal certificates if someone had set up internal infrastructure. Expecting that person to do a good job means having working certificates be they internal or external.

nilslindemann 3 days ago | parent | prev [-]

> Paying experts is a perfectly viable option

Congrats for securing your job by selling the free internet and your soul.

Retric 3 days ago | parent [-]

I’m not going to be doing this, but I care about knowledge being free not labor or infrastructure.

If someone doesn’t want to learn then nobody needs to help them for free.

3 days ago | parent [-]
[deleted]
disiplus 3 days ago | parent | prev | next [-]

We have this, it's not trivial for some small team, and you have to deal with stuff like conda env coming with its own set of certs, so you have to take care of that. It's better than the alternative of fighting with browsers, but still it's not without extra complexity.
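Added illustration (example code, not from anyone in the thread) of the "few commands to generate a CA and issue a wildcard certificate" described above, plus the caveat just raised about tools that ship their own certificate bundle: it mints a root CA and a wildcard leaf in Go's standard library, then verifies the leaf against a trust store that does and does not contain the internal CA. The CA name and the *.internal.example domain are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with signer under parent; a nil parent means a self-signed root signed by the new key.
func mint(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // fresh key pair for this certificate
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // the parsed form is what cert pools and Verify consume
	return cert, key, err
}

// BuildChain mints a throwaway internal CA and a wildcard leaf for *.internal.example (constructed name); the leaf key is discarded.
func BuildChain() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := mint(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = mint(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"*.internal.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0)}, ca, caKey)
	return ca, leaf, err
}

// VerifyFor validates leaf for host against a trust store holding exactly roots; no roots models a client whose own CA bundle lacks the internal CA.
func VerifyFor(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

The same chain passes with the CA in the pool and fails with an empty pool, which is exactly the failure a tool with a private CA bundle reports until the internal CA is added to that bundle as well.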

JimBlackwood 3 days ago | parent [-]

For sure, nothing is without extra complexity. But, to me, it feels like additional complexity for whoever does DevOps (where I think it should be) and takes away complexity from all other users.

3 days ago | parent | prev | next [-]
[deleted]
msie 3 days ago | parent | prev [-]

Wow, amazing how out of touch this is.

JimBlackwood 3 days ago | parent [-]

Can you explain? I don't see why.

Henchman21 3 days ago | parent [-]

You seem to think every business is a tech startup and is staffed with competent engineers.

Perhaps spend some time outside your bubble? I’ve read many of your comments and you just do seem to be caught in your own little world. “Out of touch” is apt and you should probably reflect on that at length.

JimBlackwood 3 days ago | parent [-]

> You seem to think every business is a tech startup and is staffed with competent engineers.

If we’re talking about businesses hosting services on some intranet and concerned about TLS, then yes, I assume it’s either a tech company or they have at least one competent engineer to host these things. Why else would the question be relevant?

> “Out of touch” is apt and you should probably reflect on that at length.

That’s a very weird personal comment based on a few comments on a website that’s inside a tech savvy bubble. Most people here work in IT, so I talk as if most people here work in IT. If you’re a mechanic at a garage or a lawyer at a law firm, I wouldn’t tell you rolling your own CA is easy and just a few commands.

Henchman21 2 days ago | parent [-]

You know, your perspective is valuable; I often operate as if the context is “all people everywhere”, which is rarely true and is definitely not true here. So I will take the error as mine and thank you for pointing it out :)

acedTrex 3 days ago | parent | prev [-]

Sounds like there is a market for a browser that is intranet only and doesn't do various checks.

jillyboel 3 days ago | parent | next [-]

Good luck getting that distributed everywhere, including the iOS App Store and random Samsung TVs that stopped receiving updates a decade ago.

Not to mention the massive undertaking that even just maintaining a multi-platform chromium fork is.

JimBlackwood 3 days ago | parent | prev [-]

Why would you want this? Then on production, you'll run into issues you did not encounter on staging because you skipped various checks.