by moo360 3217 days ago
Completely agree with the author of the article. Would love to run HTTPS by default for LAN without having to require users to install my custom CA cert. I don't really understand why self-signed certs can't be allowed in browsers and the browser just notify the user that the website identity can't be verified while the actual communication between the two is still encrypted.

If anything I would say that a solution would be for browsers to adopt the following changes.

1) Make HTTP plaintext show the warning you currently get with a self-signed cert (i.e., warning of death)

2) Make HTTPS self-signed show a "not secure" warning in the address bar (currently what happens on HTTP plaintext) with more info available on a click

3) Standard CA signed HTTPS has no changes

1 comments

Are you suggesting this change merely for users navigating to IP addresses in reserved IP space, or for everything?

If it's the latter, all that stands between an active MitM and my paypal.com credentials is a non-blocking "Not Secure" indicator in the address bar. That's not really acceptable.

I just feel like separating the concerns of

1) Identity of the server

2) If the connection to the server is encrypted or not

would be a good idea in modern browsers. Because the article is completely correct, everything as it is right now essentially disincentivizes anyone producing IoT or any other kinds of consumer-based LAN devices from using HTTPS.