The issue with this is that you can't create certificates this way.
Assume you own example.com, then you can issue a free certificate for *.example.com and use that certificate for all your home services. Using HTTPS in the intranet does have its benefits and eases coding when services require SSL.
If you host vaultwarden.example.com in your intranet, then you don't have to publish the subdomain on a public nameserver; it's enough that your intranet DNS resolver can respond with the local A or AAAA record for vaultwarden.example.com, and it's covered by the wildcard certificate.
Is it possible to limit the CA to only cover certain domains, e.g. *.yourown.home.arpa? Or is it the case that if you install a friend's CA, it grants them the possibility of MitMing most any service (with a non-pinned cert), at least when enabled by network topology?
I've been using a local CA for a long time, but I have not found a way to limit it that way, so security-wise it is less than optimal.
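The question of whether a private root can be limited to one zone, and how far a public *.example.com wildcard actually reaches, can both be checked mechanically. What follows is an added example and not code from the thread: it uses Go's standard crypto/x509 package to build a root CA carrying a critical Name Constraints extension that permits only names under home.arpa, issues one certificate inside that subtree and one outside it, and runs both through the same chain verification a TLS client performs; it then does the same with a wildcard certificate from an unconstrained root. The zone home.arpa, the host names, and the use of Go's verifier as a stand-in for a browser are assumptions for illustration. The caveat to keep in mind: the constraint is enforced by the relying party, not the issuer, so whether a given client honours it on a root you asked someone to install depends on that client's TLS stack; test the clients you care about before relying on it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate plus its signing key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign creates a fresh P-256 key for tmpl and has signer sign it (self-signed when signer is nil).
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key generation failing is fatal for a demo
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA builds a self-signed root. A non-empty permitted list becomes a critical Name
// Constraints extension (RFC 5280 4.2.1.10); nil means no constraint (like a public CA).
func NewCA(permitted []string) CA {
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Home root CA (example, assumed)"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0, // RFC 5280: conforming CAs MUST mark it critical
	}
	cert, key := sign(tmpl, tmpl, nil)
	return CA{Cert: cert, Key: key}
}

// Issue signs a server certificate for dnsName (wildcards allowed). Issuance always
// succeeds: a name constraint is enforced by the relying party, never by the issuer.
func (ca CA) Issue(dnsName string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := sign(tmpl, ca.Cert, ca.Key)
	return cert
}

// Accepts mirrors a TLS client that has ca installed as a trust anchor: chain the leaf
// to the root, apply the root's name constraints, then match the presented host name.
func (ca CA) Accepts(leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo returns each verdict keyed by a description, so they can be asserted rather than eyeballed.
func Demo() map[string]bool {
	constrained := NewCA([]string{"home.arpa"}) // assumed private zone
	vault := constrained.Issue("vaultwarden.home.arpa")
	rogue := constrained.Issue("www.example.com") // what a MitM holding this root would present
	public := NewCA(nil)                           // stands in for the public CA behind the wildcard
	wild := public.Issue("*.example.com")
	return map[string]bool{
		"constrained root accepts vaultwarden.home.arpa":    constrained.Accepts(vault, "vaultwarden.home.arpa"),
		"constrained root accepts www.example.com":          constrained.Accepts(rogue, "www.example.com"),
		"*.example.com covers vaultwarden.example.com":      public.Accepts(wild, "vaultwarden.example.com"),
		"*.example.com covers example.com (apex)":           public.Accepts(wild, "example.com"),
		"*.example.com covers a.b.example.com (two levels)": public.Accepts(wild, "a.b.example.com"),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with `go run`: the map it prints shows the home.arpa leaf accepted, the www.example.com leaf refused even though the constrained root signed it, and the wildcard covering vaultwarden.example.com but neither the apex example.com nor the two-level a.b.example.com, which is why a single *.example.com certificate does not cover nested sub-subdomains.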
Friends don't ask friends to install their custom root CA. If someone asked you to install theirs, would you?
After all, once they've installed your root CA, you'll now be able to trivially intercept all of their encrypted HTTPS communications while they use your network. I wouldn't trust my mother with that power.
Specifically, what I mean is, if you have house guests that care enough about your LAN that they actually want to access any of the services you have running on it – it shouldn't be difficult to explain to them why and how to trust your CA.
The main difficulty IME is getting any of your guests to care about your LAN services in the first place.
I'm sorry, but if you ask me to install your private CA on any of my devices... I would politely tell you to stop.
As for house guests, I really like what OnHub did: you could allow anyone on the network to control certain IoT devices. When someone was house sitting for me, they could control the thermostat, lights, etc. from their phone without any apps or "add household member" shenanigans.
> allow anyone on the network to control certain IoT devices
Yeah that makes sense :)
My own house is not really IoTified yet. I have a single "smart" plug, which the night table lamp on one side of the bed is plugged into, that I can turn on or off with an app. But I could see the appeal of having the IoT setup accessible to guests for people that have more IoT stuff in their house.
When you're a guest at a friend's house, for example, you would have no problem installing their root CA in exchange for the privilege of using their network? Wouldn't you find that to be a little bit antisocial or overbearing?
I can just link people from home.com to a page with an SSL cert if it became necessary for some reason. I'm curious what benefits you're thinking using HTTPS on my intranet would have (other than circumventing increasingly overzealous browser vendor API lockdowns).
(on that note, is there a chromium/firefox build available that disables all that garbage so I can test in peace without having to reverse proxy my dev server?)
Preventing other users on your network from snooping the administrative credentials to your LAN services for one (easy to do on WiFi, even if you use WPA). Also, if one of your devices switches off your WiFi and onto cellular, and you are using basic authentication, you are not only sending your credentials to whoever owns home.com, but also doing so in plain text. If you did that on some public wifi, that could get picked up by someone snooping. Sure, they wouldn't know where your services are, but why put a crack in your security when you don't need to?
> I can just link people from home.com to a page with an SSL cert if it became necessary for some reason
The only way that would work is if you use a root certificate authority and have them install it as trusted in their device, which is asking them to compromise their security, because that authority will be trusted for all TLS validation on any domain.
> Preventing other users on your network from snooping the administrative credentials
Well, the only credential is that they're on my network! Though FWIW, I think even if there were credentials, people on my LAN snooping my creds is not part of the threat model I care about at all, same with sending them to whoever owns home.com.
> why put a crack in your security
Because security has a cost that you shouldn't pay unless it makes sense to.
> The only way that would work is if you use a root certificate authority
No, I can just link to a domain I can get Let's Encrypt certs for.