by ZWoz 1483 days ago
Browsers are pretty weak at understanding the difference between local networks and the internet. Lots of times I have seen hassle caused by HTTPS, be it a printer or a server baseboard management controller.
2 comments

An issue I don't think is addressed is how do you get a valid certificate for a server on a local network? Like setting up a new device or router, you often type in the IP address (or maybe mDNS name), then you either have to use http, or for https you get a warning and have to add an exception for an invalid certificate... How would one even solve this issue on a local network? I had an idea that I was thinking would be a cool RFC: have the router run a CA, then pass a DHCP (or RA) option with a local CA certificate for the end-user device to trust. Then services could request server certs from it (via the ACME protocol). The issue though is that this gives too much power to the network operator. Imagine connecting to wifi at a coffee shop and they decide to MITM your google connections...
Citation needed. Firefox HTTPS only mode does not upgrade local IP addresses or reserved local "TLDs" like .local. If machines on your "local network" are squatting on a public IP or potentially public domain name how is the browser supposed to know the difference?
> Firefox HTTPS only mode does not upgrade local IP addresses or reserved local "TLDs" like .local. If machines on your "local network" are squatting on a public IP…

It could be one of your public IP addresses—more likely with IPv6, but still possible with IPv4—and not simply "squatting" on someone else's assigned public IP address. The browser may not be aware that these are local.

With that said, the devices should use public domain names and obtain proper certificates for them via the ACME DNS challenge, which avoids the issue altogether.
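Added example, not written by any of the commenters above: a small Python sketch of the purely syntactic test a client could apply to decide whether an `http://` URL points at something it can recognise as local before deciding to upgrade it. The suffix list, the `is_local_host`/`https_upgrade_decision` names and the sample addresses are assumptions made for this illustration, not Firefox's actual rules. It also shows the gap the reply above points out: a globally routable IPv6 address assigned to a LAN device is indistinguishable from an internet host by syntax alone.

```python
import ipaddress
from urllib.parse import urlsplit

# Name suffixes that are reserved for non-public use and can be treated as
# local without any network lookup: .local (mDNS, RFC 6762), .localhost
# (RFC 6761) and .home.arpa (RFC 8375). Constructed list for this example.
LOCAL_SUFFIXES = (".local", ".localhost", ".home.arpa")


def is_local_host(host: str) -> bool:
    """Return True if `host` is recognisably local from its syntax alone.

    Literal addresses are classified with the stdlib `ipaddress` module
    (RFC 1918 / ULA / loopback / link-local), names by reserved suffix.
    A public IP or a public DNS name that happens to live on the LAN
    cannot be detected here, which is the limitation discussed above.
    """
    host = host.strip("[]").lower().rstrip(".")
    if host == "localhost" or host.endswith(LOCAL_SUFFIXES):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: an ordinary DNS name, assumed to be public.
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def https_upgrade_decision(url: str) -> str:
    """Decide what an HTTPS-only style policy would do with `url`.

    Returns "keep" for non-http schemes, "skip-local" for http URLs whose
    host is recognisably local, and "upgrade" for everything else.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return "keep"
    return "skip-local" if is_local_host(parts.hostname or "") else "upgrade"


def classify_all(urls):
    """Map each URL to its decision; convenient for a quick table."""
    return {u: https_upgrade_decision(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs: a printer on RFC 1918 space, an mDNS name,
    # a link-local IPv6 literal, a ULA address, and two cases that look
    # public: a constructed global IPv6 address on a LAN device and a
    # placeholder public IPv4 address.
    samples = [
        "http://192.168.0.10/",
        "http://printer.local/",
        "http://[fe80::1]/",
        "http://[fd00::1]/",
        "http://[2001:1234:abcd:1::10]/",   # constructed global unicast
        "http://1.2.3.4/",                  # placeholder public IPv4
        "https://printer.local/",
    ]
    for url, decision in classify_all(samples).items():
        print(f"{decision:10s} {url}")
```

The fourth and fifth sample lines are the point of the exercise: `fd00::1` is caught because ULA space is private, but the constructed global address `2001:1234:abcd:1::10` is treated exactly like an internet host even if it belongs to a device in the next room. The fix the last comment proposes, a public name with a certificate obtained through the ACME DNS challenge, makes this classification unnecessary because the upgrade then simply succeeds.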