TLSMy.net: Enabling HTTPS for home network devices

Presented at ToorCon San Diego TwentyOne (2019), Nov. 8, 2019, 12:30 p.m. (25 minutes)

This talk introduces TLSMy.net, a new DNS-based service that allows home network devices to automatically request certificates that can be used with non-routable or dynamic IP addresses. A slightly longer abstract: Let's Encrypt has enabled rapid adoption of TLS across the long-tail of public-facing services. Unfortunately, there are still challenges in deploying TLS on home network devices, such as routers, TV tuners, and IoT hubs. These devices are commonly accessed by their non-routable, dynamically-assigned IP address, preventing traditional domain-validated certificates from being used. This talk introduces TLSMy.net, a new DNS-based service that allows home network devices to automatically request certificates that can be used with non-routable IP addresses. Talk outline: - Introduction - Why TLS is important for local network devices - New web features (e.g., cross-origin resource sharing and requests) REQUIRE TLS to be used. - Why TLS is hard to deploy locally - Home users don't typically own a domain -- no DV certs - Services aren't usually externally-facing, so certbot doesn't work - How Plex solves the issue - IP.accountid.plex.direct - Requires cooperation with a CA - What if we could use Plex's solution with Let's Encrypt? - How Let's Encrypt issues certs - Subdomain and wildcard rules - ACME protocol - HTTP challenge - DNS challenge - Let's Encrypt accounts - Public/private key - Public key is identity - Private key is used to authenticate - Creating a DNS responder for wildcard addresses - Maps a.b.c.d.pubkey.tlsmy.net to IP address a.b.c.d - Updating DNS records for wildcard subdomain validation - Use challenge/response to verify permission to update *.pubkey.tlsmy.net - Proof of possession of private key - Trust model - Need to somewhat trust domain owner - If device manufacturer is domain owner, you may implicitly trust them anyway - Can use certificate transparency logs to audit domain owner - Getting adoption - Overcoming Let's Encrypt rate limits - Getting device vendors to support TLS - Summary

Presenters:

• Karl Koscher / supersat   as Karl Koscher
  Karl Koscher is a research scientist working at the University of Washington where he specializes in wireless and embedded systems security. Previously, he was a postdoctoral scholar working with Stefan Savage at UC San Diego. He received his Ph.D. from the University of Washington in 2014, where he was advised by Tadayoshi Kohno.

Links:

• https://talks.toorcon.net/toorcon21/talk/G88NTB/

Similar Presentations:

• 31C3 (2014) / Let's Encrypt: A Free Robotic Certificate Authority
• The Eleventh HOPE (2016) / The Next Billion Certificates: Let's Encrypt and Scaling the Web PKI
• DEF CON 23 (2015) / Let's Encrypt - Minting Free Certificates to Encrypt the Entire Web