How to Use a Self-Signed Certificate Without Scaring Users Off?

Asked By UserWonderer123 On

Hey folks! I'm developing a web app that turns old devices into virtual keyboards for triggering actions, similar to Touch Portal but open-source for Linux. The app sets up a server on a desktop or laptop, and users access a webpage on their devices within the same local network to send requests. Since all requests to the server need a password in the HTTP header for security, I want to secure the connection with a self-signed certificate. However, self-signed certificates trigger security warnings in browsers, which might scare off users before they even try the app. I considered a few options: 1) An initial informational page that explains the security warning before users accept it; 2) Instructions for importing the self-signed certificate as a trusted CA; 3) Redesigning the authentication method to avoid HTTPS; and 4) Using an online proxy, but that would compromise security. I'm leaning towards a combo of options 1 and 2, but I'm wondering if anyone has faced a similar issue and what solutions worked for them? Thanks!

5 Answers

Answered By NetworkNinja88 On

If you're managing the local network, consider registering a domain with Let's Encrypt and using local DNS to resolve that domain to the server's IP. If you also control the devices, you can add the necessary certificates directly. Otherwise, you might just have to prepare a guide for users on how to install the certificates.

UserWonderer123 -

Unfortunately, I don’t control the network or devices since they’ll be on the users’ setups. Seems like I’ll have to stick with user instructions.

Answered By CloudGuru77 On

You might want to consider using Cloudflare Tunnel to create a secure connection without having to worry about self-signing certificates at all. It could streamline your setup.

UserWonderer123 -

That’s a solid idea! I’ll look into that option. Thanks!

Answered By TechExplorer99 On

Have you thought about using WebRTC for a peer-to-peer connection? It can still require a primary server for the initial connection setup, kind of like a lobby for games where users join using a code. That way, you might be able to avoid the certificate issue altogether!

OldDeviceFan -

Just a heads up, WebRTC might not work on older devices, which you're aiming to support.

UserWonderer123 -

That’s a neat idea! I'll definitely check into WebRTC, thanks!

Answered By DevSecure101 On

If this app has a public-facing aspect, maybe just use a free SSL certificate from Let's Encrypt? Self-signed certificates are usually for testing, not production.

UserWonderer123 -

I can’t go that route since it’s entirely local with no public access. The server runs on my machine and communicates with old devices within the same network.

CriticalDev -

Exactly! They mentioned that it’s only local use.

Answered By CertScribe22 On

How about creating a script to install the self-signed cert automatically during the app's installation? It could simplify the process for users and reduce concerns!

UserWonderer123 -

Great suggestion! I’ll need to research how to manage CA certificates across different operating systems.
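One way to approach the install-time script suggested in the answer above, as an added example that is not code from the thread or from the app: it creates a CA unique to each installation and a server certificate valid only for the machine's LAN address, so the certificate users are asked to trust is never shared between installs. The function names, file names and the sample address 192.168.1.50 are assumptions, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example. Assumed names: make_lan_cert, cert_fingerprint, the file names.
# Requires the openssl CLI (1.1.1 or later).

# make_lan_cert DIR IP: per-install CA plus a server cert valid only for IP.
make_lan_cert() (
    dir=$1; ip=$2
    umask 077                     # private keys readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > req.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Keyboard App CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign
EOF
    cat > leaf.ext <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    # CA key pair is generated on the user's machine, never shipped with the app,
    # so no two installs (and no third party) share a trusted signing key.
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -days 825 2>/dev/null || exit 1
    # Server key and CSR; the leaf cannot sign other certificates (CA:FALSE).
    openssl req -new -config req.cnf -subj "/CN=$ip" -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr 2>/dev/null || exit 1
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile leaf.ext -days 397 -sha256 -out server.pem 2>/dev/null || exit 1
)

# cert_fingerprint FILE: SHA-256 fingerprint to show in the desktop UI so a user
# can compare it with what the device displays before trusting ca.pem.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Only `ca.pem` is handed to client devices for import; `ca.key` and `server.key` stay on the desktop machine.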
