Hello. When it comes to certificates, I’m at a noob level.
A) Would someone be willing to explain the benefits of replacing Synology’s self-signed certificate with one by Let’s Encrypt?
B) I notice in Chrome and when connecting over LAN/https, I receive a warning from Chrome that https is broken. This is due to Synology’s self-signed certificate.
C) Will a proper certificate improve my NAS’s security in any way?
Thank you for any help or links that you provide pointing me in the right direction.
Certificates from Let’s Encrypt will be trusted by most of the software (such as web browsers) likely to access your NAS without you needing to specifically tell the browser to trust that certificate. This is because the browser vendors trust Let’s Encrypt (actually, IdenTrust, who in turn trust Let’s Encrypt) to issue trustworthy certificates.
This is mostly a benefit if using many different devices to access the NAS, or if you need several other people (family, visitors?) to access the NAS. For a single person or a small number of people it may be perfectly convenient to explicitly tell the web browser that you trust your existing self-signed certificate, or even to just ignore any warnings and proceed.
The technology (e.g. encryption strength) used to access the NAS will be identical regardless of whether a Let’s Encrypt certificate or the self-signed certificate is used. However, there can be a risk that someone with access to your network (including a WiFi network if you use one) would be able to pretend to be the NAS. This will make them the “Man in the middle” able to spy on everything you do with the NAS, and change what you see if they wish. The warnings that enable you to spot such an imposter would be the exact same type of warnings you’ve described now, so having the Let’s Encrypt certificate (which would mean no warnings normally) might ensure you’re alerted to such an attack. On the other hand you may judge that your network is secure or that this is an unlikely state of affairs.
If you sometimes access the NAS from outside your home, the risk of someone impersonating it is obviously higher; bad guys are unlikely to stake out your house, but they might plant a device at a coffee shop or other popular browsing location.
Be aware that if a Let’s Encrypt certificate does sound like something you want, Let’s Encrypt can only issue you a certificate for a public Internet DNS name you really control; this is the sort of reason they’re considered trustworthy in the first place. If your NAS has such a name, even if it’s not normally accessible from the Internet, you can get a certificate. But if you don’t own such a name, you won’t be able to get any certificates from Let’s Encrypt.
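Added example, not part of the original posts: when a self-signed certificate is trusted explicitly, as the reply above describes, the same impostor detection can be had by recording the certificate's SHA-256 fingerprint once and comparing it on later connections. All function names are hypothetical, and the two byte strings are constructed stand-ins for certificate bytes.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Compare a presented certificate against a recorded fingerprint.

    Accepts the 'AB:CD:...' or 'AB CD ...' forms certificate viewers display.
    """
    normalized = pinned.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return whatever certificate the server presents, without validating it.

    Validation is disabled on purpose: a self-signed certificate has no CA
    chain to check, so the fingerprint comparison is the only trust decision.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, pinned: str, port: int = 443) -> bool:
    """True only if the host presents the exact certificate recorded earlier."""
    return matches_pin(fetch_der_cert(host, port), pinned)


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_CERT = b"constructed-bytes-standing-in-for-the-NAS-certificate"
IMPOSTOR_CERT = b"constructed-bytes-standing-in-for-an-impostor-certificate"

if __name__ == "__main__":
    pin = fingerprint(GENUINE_CERT)  # recorded once, over a connection you trust
    print("genuine :", matches_pin(GENUINE_CERT, pin))
    print("impostor:", matches_pin(IMPOSTOR_CERT, pin))
```

The fingerprint has to be recorded over a connection you already trust, for example a direct cable to the NAS, because a pin taken while an impostor is present would pin the impostor.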
Thank you for the reply. I notice that the issue doesn’t happen in Edge or Firefox because it seems to load http over https as I was attempting to secure the NAS a bit more. I don’t plan to set up any features to access the NAS off site so I’m debating if https is even needed. The issue itself only seems to happen in Chrome - I seem to remember something recently in how Chrome was going to handle https, but I can’t seem to find/recall that information.
I do not currently have a domain although I have one that I plan to get. So, thank you for that information on the Let’s Encrypt standards. Seeing a faulty certificate from Synology led me here as I’ve heard great information about Let’s Encrypt without knowing that standard that you mention. Overall, I just wanted to more secure the NAS and thought Let’s Encrypt would be the place to start.