[greggman2]

You can't have HTTPS everywhere until we can get HTTPS for IoT devices. My router doesn't serve it's configuration screen via HTTPS. How could it? I have to connect to it to configure it before it's on the internet.

Same with my IoT cameras and all the various local apps I run that can start a web server. Heck, my iPhone has tons of apps that start webservers for uploading data since iPhone's file sync sucks so bad.

We need a solution to HTTPS for devices inside home networks.

[simias]

I agree that having an elegant and secure solution to enable HTTPS on non-internet-facing equipment would be nice. I work mainly on embedded devices and all my admin interfaces are over HTTP because there's simply no way to ship a certificate that would work anywhere. It would be nice if you could easily deploy self-signed certificates that would only work for local addresses and only for specific devices, although of course doing that securely and with good UI would be tricky.

In the meantime having big warnings when connecting to these ad-hoc web interfaces makes sense I think, since they can effectively easily be spoofed and MitM'd (LANs are not always secure in the first place so it makes sense to warn the user not to reuse a sensitive password for instance). It's annoying for us embedded devs but I think it's for the greater good.