
Join Local Network with DuckDNS and Let's Encrypt

Hi guys, I noticed Join's new web app supports local HTTPS, which is great. The only 2 major drawbacks to this approach are:

1. Every time the IP changes (I assume) you would have to re-trust the self-signed cert.

2. This method is highly susceptible to a MITM attack on a public network.

My idea is: could you give an advanced option in Join to always call a specified URL for local connections (example: mylocaljoin.duckdns.org) and allow the user to import his/her own SSL cert PEM file? I was hoping that by using a trusted Let's Encrypt cert, MITM attacks could be avoided and new options could be used, like avoiding the conflict between self-signed certs and PWAs, etc. As for how DuckDNS would know the local IP, a Tasker automation could be set to push the local IP to DuckDNS, say every time the Wi-Fi disconnects and reconnects, or at a set interval.

This could theoretically be more elegantly automated by Join pushing the local IP to the DuckDNS URL and auto-updating the Let's Encrypt server certificate every 3 months. DuckDNS could also be replaced with auto-generated domains per user (example: localip.joapps.com), but I'm not sure of the associated costs, hence why I kinda gave 3 potential ways to implement it. In hindsight I have no idea if this idea is impractical; please let me know what you think, and thanks for the hard work on the app :).

This isn't really an original idea. I'm basing these thoughts on how Plex local playback via HTTPS works.

https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/


Hi. Thanks for the request. Can you clarify how MITM attacks could be used with the current local network method? Thanks!


With the current method, isn't HTTP used to transmit files despite the self-generated SSL? So wouldn't it be possible to packet sniff the URL once the receiving device receives the local file link from FCM?

Regarding the self-signed cert, 2 concerns (correct me if I am wrong):

1. Every time the device's IP changes, will I have to re-trust the cert?

2. I sometimes live on a college campus and they use a WPA2-Enterprise network. The network requires the addition of a trust cert to connect to the network, and if the cert is removed, network access is lost (no SSL interception is occurring at present). Is it possible (highly unlikely) in this given network for the router to log the file as a middleman by intercepting the file and forging a similar SSL-signed cert to gain the file? (My main concern is that if the local file link leaks, no authentication is required to pull the file.)

One last question: how long until local file links expire?

In hindsight my reasoning actually looks silly, but I'm curious. Sorry if I wrote a paragraph of nonsense; I have a very limited understanding of networking :)

Hi!

Ah yes, those could be sniffed, you're right. Maybe I could optionally make those use HTTPS too...

1. Yes, that's correct

2. Unfortunately I'm really not well versed in that situation either. :) I'm guessing that yes, they could get access to the file.

3. It's valid for however long a Google access token is valid (30 minutes last I checked).


Thanks for the reply (sorry if I sound naggy); any consideration of allowing importing a Let's Encrypt cert when implementing the HTTPS feature? As mentioned, a self-signed cert would have to be trusted on an IP-by-IP basis. Sadly the IP changes every single time the Wi-Fi disconnects.

Also, does the Google authentication token work independently of a Google account? (I remember pasting the local file transfer link on my PC where my Google account was logged out and the file being downloadable.)

The Let's Encrypt cert and a DuckDNS URL are easy to get without port forwarding with certbot and TXT record validation.
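The procedure the poster sketches across the thread (push the LAN address to a DuckDNS name, then issue a Let's Encrypt certificate for that name with certbot's DNS-01 TXT validation, so nothing has to be port-forwarded) as an added shell example. This is not Join's or Plex's code; the environment variable names DUCKDNS_DOMAIN and DUCKDNS_TOKEN, the `run`/`auth` argument convention and the iproute2-based `lan_ip` detection are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Join's code. Publishes this host's LAN IPv4 address to a
# DuckDNS name and obtains a Let's Encrypt certificate for it with certbot's
# DNS-01 challenge, so no port has to be forwarded. Assumed (hypothetical)
# environment: DUCKDNS_DOMAIN = the subdomain label (e.g. mylocaljoin),
# DUCKDNS_TOKEN = the DuckDNS account token; certbot and curl installed.
set -eu

# DuckDNS update endpoint; the same URL accepts ip= and txt= parameters.
duckdns_url() {
  # $1 subdomain label, $2 token, $3 extra query such as "ip=192.168.1.20"
  printf 'https://www.duckdns.org/update?domains=%s&token=%s&%s' "$1" "$2" "$3"
}

# Dotted-quad shape check (octet range is not validated here).
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Only RFC 1918 addresses belong in the record: a public or loopback address
# here means LAN detection picked the wrong interface.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# LAN address of the interface holding the default route (Linux iproute2;
# an assumption, swap in ifconfig/ipconfig parsing on other platforms).
lan_ip() {
  ip -4 route get 1.1.1.1 2>/dev/null | sed -n 's/.*src \([0-9.]*\).*/\1/p' | head -n 1
}

# Step 1: point the name at the LAN address. DuckDNS answers OK or KO.
publish_lan_ip() {
  addr="$(lan_ip)"
  if ! is_ipv4 "$addr" || ! is_rfc1918 "$addr"; then
    echo "refusing to publish '$addr': not a private IPv4 address" >&2
    return 1
  fi
  curl -fsS "$(duckdns_url "$DUCKDNS_DOMAIN" "$DUCKDNS_TOKEN" "ip=$addr")" | grep -qx OK
}

# Step 2: certbot runs this same script as its auth hook with CERTBOT_VALIDATION
# set; the hook stores that value as the DuckDNS TXT record, which DuckDNS
# serves for the name and its subdomains, including _acme-challenge.<name>.
case "${1:-}" in
  auth)
    curl -fsS "$(duckdns_url "$DUCKDNS_DOMAIN" "$DUCKDNS_TOKEN" "txt=$CERTBOT_VALIDATION")" | grep -qx OK
    sleep 60   # give the new TXT record time to be served before validation
    ;;
  run)
    publish_lan_ip
    certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook "$0 auth" \
      -d "${DUCKDNS_DOMAIN}.duckdns.org"
    ;;
esac
```

Run it as `./script run` whenever the Wi-Fi reconnects (or from cron); certbot keeps the auth hook in the renewal configuration, so a scheduled `certbot renew` covers the 90-day renewals. Treat the token as a secret (it lets whoever holds it repoint the name), and keep it out of shell history and world-readable files. Two caveats worth knowing: the name resolves publicly to a private address, which advertises the LAN layout to anyone who queries it even though the address itself is not routable; and a CA-issued certificate only stops an on-path device from impersonating mylocaljoin.duckdns.org, it does nothing for file links that are still fetched over plain HTTP.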

Yes, I'll consider adding that after this feature has gone public so that it can be thoroughly tested first :)

The authentication token is tied to your Google account and is generated by the Android app so it doesn't matter if your browser is signed in or not :)


Thanks for the consideration :)