I am developing an application that has a website connect to a service running on the client’s computer as a service. I need to be able to connect over HTTPS, but do not want to distribute a private key in my application. However, having each client get its own certificate signed by Let’s Encrypt will go way over the rate limits. Is there a better way to do this or would I have to find a different way to get certificates?
If it’s just your application running, it might be easier to use certificates you generate yourself (would require you setting up a simple CA infrastructure), since you can have your application trust the issuer (you) certificate.
I’m trying to have users download my application from the Internet, so I do not completely want to have all of my users have to install a CA certificate on their computers for the service to run.
You’re either misunderstanding how this works, or misexplaining the process. If they download the application, secure delivery would require a certificate on your server, which a Let’s Encrypt certificate would work great for. If your application is reaching out to a HTTP(S) server running on your customers’ devices, then they all need server certificates as well. However, the system reaching out (your system, as you described) is the one that needs to trust them, so you just need to put your own CA certificate on that system - not on all the customer devices.
My application contains a website that users can download a service from. Once the service is downloaded, it starts a server on the loopback interface so that the website can then connect to it. To prevent mixed content warnings, the local server needs to be served over HTTPS so that I can use HTTPS on my website. The way I thought of to do it would be to have each of the installed local servers to have a signed certificate so that they could use HTTPS, and I would just have another domain with its A record pointing to 127.0.0.1 so that it could connect to it.
That's good. If you do distribute a private key in the application, some security researcher will eventually notice and write a popular blog post condemning it. If the private key is used for a certificate from a public CA, like Let's Encrypt, they will also be required to immediately revoke it.
Applying for a rate limit exemption from Let's Encrypt may work. It takes a few weeks for applications to be processed, though, and I'm not certain they'll grant it.
For what it's worth, this is a popular issue at the moment. Several widely used applications have been caught embedding certificates -- like you should not do -- and forced to immediately adopt a new strategy. People have probably written posts about what's being done now.
I hope people will write some of those blog posts because I’ve also encountered this issue a number of times.
One thing is that I believe the major browsers have recently rolled out some logic where accessing an HTTP resource on localhost is considered a secure origin, so browser features requiring a secure origin are not disabled (and, I think, don’t create mixed-content errors when embedded into pages loaded from remote secure origins). That raises the question of whether you really need to be able to connect locally over HTTPS.
It looks like considering localhost to be a secure origin was not implemented until Firefox 55, and I can’t find information about other browsers. I’m probably not going to be able to rely on users having that updated of a browser, so I’m still going to need to figure out how to use HTTPS.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.