Comment on selfhosting alternative to nextdns
lemmyvore@feddit.nl 10 months agoMITM your traffic
How exactly would that work? You would have to accept broken certificates or even no TLS at all for that to work.
Comment on selfhosting alternative to nextdns
lemmyvore@feddit.nl 10 months agoMITM your traffic
How exactly would that work? You would have to accept broken certificates or even no TLS at all for that to work.
chiisana@lemmy.chiisana.net 10 months ago
As the person I replied to mentioned, these kind of providers would often also get you to install a cert that they’d use to sign with. Once it is installed, the certificates wouldn’t appear broken anymore.
lemmyvore@feddit.nl 10 months ago
You’d have to install a cert for each domain. It’s not likely to happen. The only provider where this works is Cloudflare but that’s because they force you to use them as registrar and DNS so they can issue duplicate certs for any domain.
chiisana@lemmy.chiisana.net 10 months ago
A CA cert is higher up can sign for any desired domain. Certificates are a chain of trust and as long as the entire chain can be validated (by the root level installed by the user), then the entire cert will appear valid. During installation, that’s what gets installed and then the provider signs for whatever domain you’re visiting that they’d need (or want) to MITM.
Cloudflare uses LetsEncrypt, Google and a few other CAs to sign their certs.