Let’s Encrypt Rolls Out Free Security Certs For IP Addresses

Let’s Encrypt, a certificate authority (CA) known for its free TLS/SSL certificates, has begun issuing digital certificates for IP addresses.

It’s not the first CA to do so. PositiveSSL, Sectigo, and GeoTrust all offer TLS/SSL certificates for use with IP addresses, at prices ranging from $40 to $90 or so annually. But Let’s Encrypt does so at no cost.

For those with a static IP address who want to host a website, an IP address certificate provides a way to offer visitors a secure connection with that numeric identifier while avoiding the nominal expense of a domain name.

Why would one want 1.1.1.1?

Generally, web users visit websites by entering domain names, like theregister.com, into their browser. The browser checks with the domain name system (DNS) to map the text-based name to a numeric IP address, then tries to connect to the associated site.

Entering theregister.com’s IPv4 address (104.18.4.22) directly into the browser’s address bar produces an error. But if we acquired an IP address certificate and configured our servers properly, readers could visit using only the numeric address. Cloudflare does this with its 1.1.1.1 IP address, which should redirect to https://one.one.one.one if a user entered only the dotted quad into a browser.

There’s no compelling reason to use IP addresses to find websites, and some good reasons not to do so. For example, DNS names remain when website operators change backends – the name can simply be pointed to another IP address. If web visitors associate a site with a specific IP number, backend changes might require an HTTP redirect rule that routes visitors from the old to the new IP address, which has the potential to negatively impact load times and search engine optimization.

Another reason to favor domain names over IP addresses, explains Aaron Gable, principal engineer at Let’s Encrypt, in a blog post, is that IP addresses commonly change – they’re often dynamically allocated by ISPs to residential internet customers and thus may vary between sessions. Although this doesn’t affect web sites, it means people don’t have the same sense of ownership with regard to numeric IP addresses.

Domain names also have established arbitration rules, the Uniform Domain Name Dispute Resolution Policy (UDRP). Disagreements over IP address rights can get very messy.

Those caveats aside, IP certificates have been a requested feature at least since 2017 and Gable sees several potential scenarios when an IP address certificate might be warranted.

First, a hosting provider might want one to provide a default landing page in case someone types the company’s IP address into a browser, as Cloudflare has done with 1.1.1.1 and Google has done with 8.8.8.8.

Or a web publisher might want to provide a way to connect securely to a website without paying for a domain name, which generally runs between $10 and $50 annually, depending on the domain name registrar.

Gable also suggests that servers supporting the hyper-secure DNS over HTTPS (DoH) protocol might benefit from an IP address certificate.

Other potential uses include providing secure remote access to certain home devices like network-attached storage servers (already doable with tunneling tech like WireGuard or Tailscale), and securing short-lived connections for server administration or interconnection.

Why short-lived? Because rapid cert expiration will become the industry norm in a few years, as the technique reduces the potential for damage if attackers use fake certificates. The downside of this fraud defense is the need to automate the certificate renewal process using an ACME client like Certbot.

Let’s Encrypt limits the lifespan of its IP address certificate to six days, a period it adopted for other short-lived certificates earlier this year as a security measure.
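
As an added example (not code from the article or from Let’s Encrypt), the following Python shows the two checks an operator of an IP address certificate would monitor: that an IP literal is matched only against iPAddress entries in the certificate, and that a six-day certificate is flagged for renewal in time. The sample certificate dict, its addresses and dates, and the function names `covers_host` and `renewal_due` are constructed for illustration; the 50% renewal point is an assumption.

```python
import ipaddress
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the addresses are documentation ranges and the dates are made up.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "192.0.2.10"),            # a dNSName that merely looks like an IP
        ("IP Address", "198.51.100.7"),
        ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ),
    "notBefore": "Jul  1 00:00:00 2025 GMT",
    "notAfter": "Jul  7 00:00:00 2025 GMT",  # six-day lifetime, as in the article
}


def covers_host(cert, host):
    """True if the certificate's SAN list covers `host`.

    An IP literal is matched only against iPAddress entries, compared as
    parsed addresses so different IPv6 spellings still match. Names are
    matched exactly against dNSName entries (wildcards are left out here).
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and v.lower() == host.lower() for k, v in sans)
    for kind, value in sans:
        if kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == wanted:
                    return True
            except ValueError:
                continue  # malformed entry: ignore rather than match
    return False


def renewal_due(cert, now, fraction=0.5):
    """True once `fraction` of the validity period has elapsed at `now` (epoch s).

    The 0.5 default is an assumption for this example, not a Let's Encrypt rule.
    """
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return now >= start + fraction * (end - start)
```

With a six-day lifetime, a renewal job that runs weekly would always miss the window, so the check belongs in something that runs at least daily.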

According to Gable, IP address certificates are now available in Let’s Encrypt’s Staging environment and will become generally available later this year. ®

