[Cryptography] Fast handling of IP Address changes for HTTPS

Ismail Kizir ikizir at gmail.com
Thu Dec 28 20:53:34 EST 2017


On 12/28/2017 02:35 PM, Paul F Fraser wrote:
>
> Any suggestion how to handle this?

Hello Paul,

I don't know much about your case.
But, if your site will be used by a phone application, you can embed
X25519 keys and create your own DH key exchange.
This will also prevent any kind of MITM attack.
I am actually working on a similar solution for my messenger application.
I too am using LetsEncrypt certificates.
Previously, I was using 4096-bit embedded RSA keys, but X25519 keys
are simpler and don't require additional binary modules. Simple
plain JavaScript solves the problem.
I am combining X25519 with my own symmetric encryption, but there are
much easier solutions like:
https://github.com/dchest/tweetnacl-js
You don't need to write much code. There are libraries for both client
and server sides.
I hope it helps.

Regards
Ismail Kizir

On Thu, Dec 28, 2017 at 11:35 PM, Paul F Fraser <paulf at a2zliving.com> wrote:
> Hi,
>
> Running a webserver on a home system suffers from the problem of IP Address
> changes after modem reboot.
>
> In Australia with the National Broadband Network (NBN) I am also
> experiencing IP Address changes without the modem disconnecting. It may not
> be general, but in my case it seems that a fixed IP Address is not
> available.
>
> Also, when the server is on a laptop it would be nice to be able to have the
> server available at different locations.
>
> Using dynamic DNS it takes some time for the new address to work through the
> system, due to ISP DNS caching etc.
>
> Having a domain name and LetsEncrypt certificate for the home server, what
> methods are available to handle IP address changes fast?
>
> In researching the subject, one solution might be to use a SAN certificate
> with 2 domain names. The first domain being a site to redirect to the home
> server using the second domain name. But the redirect would have to be to an
> IP address, not a domain name!
>
> Another possibility is to use the "DH_anon" cipher suite, but I have no real idea
> how this works. This would probably be the best solution as I have a secure
> back channel network that can be used to update the IP addresses and for any
> authentication and authorization purposes.
>
> Any suggestion how to handle this?
>
> Paul Fraser
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography