Re: Secure Bootstrap is hard
My reading of what Netgear are doing is trying to get a valid hostname/certificate that allows connections from a browser without security warnings for invalid certificates etc. The .com/.net domains allow Netgear to register valid domain names and get trusted certificates to avoid browser warnings around insecure connections or untrusted certificates.
I'm not sure a different hostname or self-signed certificate where the private keys reside locally on the router is the issue - it puts you back to the point where you need users to click through security warnings to begin router configuration.
I can imagine a process for getting valid certificates generated per device IF you have a working Internet connection (i.e. connect to trusted host using a public key embedded in firmware, register unique DNS name via trusted host and trusted host issues valid certificate, redirect from http://router.local to https://<my device name>) HOWEVER:
- what happens if there is no working Internet connection yet?
- will this still cause browser warnings when you connect the first time you use the device?
Given the target market (consumers), I'm not convinced the risk of embedded certificate keys outweighs the advantages of convenience for the user, particularly when the troubleshooting steps would likely be accepting untrusted connections, which establishes bad habits. Using short certificate lifetimes, separate certificates per device model and auto-updates for firmware would significantly reduce the risk AND allow Netgear to respond quickly to any threats that became public.
Or you ship a setup application that allows you to bypass browser security warnings and is only used if the automated setup fails.
Unless I'm missing an obvious solution...
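The per-device issuance flow sketched in the comment above (public key embedded in firmware, unique DNS name registered through a trusted host, short-lived certificate, device key never leaving the device), as an added Go example that is not part of this comment or of any Netgear code. It assumes ed25519 signatures, a hypothetical `devices.example.net` domain, and a minimal signed record standing in for a real X.509 certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Cert is a minimal stand-in for X.509: the trusted host's signature over (unique DNS name, device public key, expiry).
type Cert struct {
	Name   string
	DevPub ed25519.PublicKey
	Expiry time.Time
	Sig    []byte
}

// certBody is the exact byte string the trusted host signs.
func certBody(name string, pub ed25519.PublicKey, exp time.Time) []byte {
	b := append([]byte(name), 0) // NUL separates the name from the key
	b = append(b, pub...)
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(exp.Unix()))
	return append(b, ts...)
}

// TrustedHost is the registration service whose public key the firmware embeds.
type TrustedHost struct{ Priv ed25519.PrivateKey }

// Issue registers a unique name and signs a short-lived cert over the device's own public key.
func (h TrustedHost) Issue(serial string, devPub ed25519.PublicKey, ttl time.Duration) Cert {
	name := serial + ".devices.example.net" // hypothetical vendor-controlled domain
	exp := time.Now().Add(ttl)
	return Cert{name, devPub, exp, ed25519.Sign(h.Priv, certBody(name, devPub, exp))}
}

// Verify is the device-side check, with the firmware-embedded key, that the cert came from the trusted host and is unexpired.
func Verify(pinned ed25519.PublicKey, c Cert, now time.Time) error {
	if !now.Before(c.Expiry) {
		return errors.New("certificate expired")
	}
	if !ed25519.Verify(pinned, certBody(c.Name, c.DevPub, c.Expiry), c.Sig) {
		return errors.New("signature does not match firmware-embedded key")
	}
	return nil
}

func main() {
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader) // hostPub is what the firmware embeds
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)         // generated on the device, private half never sent
	c := TrustedHost{hostPriv}.Issue("SN0001", devPub, 24*time.Hour)
	fmt.Println(c.Name, Verify(hostPub, c, time.Now()))
}
```

Only the trusted host's public key is embedded; each device's private key is generated locally, which is what separates this flow from shipping one shared key in the firmware.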