upvote

points

by lousken7 hours ago |
comments
upvoteby justin_oaks6 hours ago|
next
[-]
Some of this might have been "because I want to see if I can". Another reason is "It bothers me to keep seeing this browser tell me my connection is insecure".

As for putting it on a separate VLAN and securing traffic with firewall rules, that may be as much or more trouble than setting up the automated certificate renewal. At least with the automated certificates there may not be any further maintenance required. With firewall rules, you'll need to open up the firewall each time you want a new device to access the printer.

reply
upvoteby lousken5 hours ago|
parent|
[-]
Sure but how long will that last? It says in the article that RSA2048 is required, however 3072 should be the minimum these days, I am not sure how long will letsencrypt even allow creating 2048bit certs.
reply
upvoteby dns_snek6 hours ago|
prev|
next
[-]
Because that only protects you from a small subset of possible threats that end-to-end encryption protects you from like DNS hijacking and any MITM-type scenario.

Sticking it on a VLAN only controls access, not data secrecy.

reply
upvoteby VladVladikoff5 hours ago|
parent|
[-]
Broadcasting internal IPs on public DNS records is also a suboptimal approach that leaks information to the public. Local devices should be routed over layer 2.
reply
upvoteby iso16314 hours ago|
parent|
[-]
DNS challenge doesn't broadcast internal IPs. Certificate transparency does show up hostnames or wildcards though.
reply
upvoteby hrmtst938375 hours ago|
prev|
[-]
A VLAN buys you time, not trust. Give a printer its own seprate segment and six months later you've got ad hoc firewall exceptions for scans, updates, vendor support, and some test VM nobody remmebered to remove. TLS is boring, and that's the point: it fails closed, while network policy drifts until the weird exception becomes the default.
reply
upvoteby lousken4 hours ago|
parent|
[-]
tls is not boring at all, especially with devices that are always 10 years behind in terms of security, it's not like you can enforce any kind of reasonable ciphersuites even in modern printers

also 9/10 printing protocols are insecure anyway

scans - sure, mailserver needs to be allowed

vendor support - same mailserver

vm - at least a reason to kill it

also why would i ever allow auto updates, it's better not to without understanding what garbage manufacturer released this time

reply