Local HTTPS Requires a Certificate; Does That Expose The NAS Online?


Hi, at the risk of having my head chewed off (like someone else in a similar thread: Not Secured Connection on Local LAN?), I am asking if there is a security risk when I get an SSL Certificate (so I can log in to DSM via https).

In short: is there a way to enable HTTPS without exposing any information about our NAS, including the fact that it exists? We are LAN-only access right now.


My experience with websites and servers does include SSL Certificates, and adjusting the appropriate DNS records and nameservers. But that's always been for public/www websites I was working on. So I have the concept of getting a certificate signed, etc.

This new Synology NAS is local-only, and for now, we are keeping it local (LAN) access only. I think HTTPS is a good idea, because standard HTTP connections have been called insecure for many years now. 🤔 Maybe HTTPS isn't needed for local-only access?


In all my research, it seems like if I want to access via https, I need an SSL certificate. Once I do that, I have to register a unique domain name (don't want to use any current domain name we have for our website(s)). It seems like registering a domain name is a 'public' action that anyone can see if they really wanted to. Does that open the NAS up to potential attack?

Thank you very much!
 
The whole world agrees that https is the right and secure way to access web applications. The question is: do you require that extra layer of security?

If all devices and users in your network are trustworthy, I doubt there is much to gain from it. Though, if you don't fully trust the devices/users, then https could at least protect from sniffing, tampered requests/responses, replay attacks and man-in-the-middle attacks.

> In all my research, it seems like if I want to access via https, I need an SSL certificate.

Actually, for a couple of years now, every commonly known Certificate Authority (CA) has only issued TLS certificates, the successor of SSL certificates. All SSL versions are considered unsafe, which is the reason no one issues or uses them anymore. Regardless, people seem to stick to the name SSL.

That said, yes, you need to have a TLS certificate to enable https for your webserver and/or reverse proxy.

You can create a self-signed CA and issue self-signed certificates with it. Of course, you need to import the self-signed CA's certificate into the OS's certificate store, depending on the browser, into its own certificate store, and depending on the client applications, sometimes into a different type of trust store, to get rid of the "insecure connection" notifications.

There are plenty of blog posts with detailed instructions about the commands that need to be executed to generate these things. You can google for the search terms "create self signed ca and server certificates", which will bring up a link like this:
Generate self-signed certificate with a custom root CA - Azure Application Gateway. Any one of those should do.

I forgot to address a part of your post: with a self-signed CA and self-signed certificates, there is no exposure of information about your certificates or your infrastructure to anything on the internet. It is completely private.
 
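The procedure described in the reply above (a private root CA, a server certificate issued from it, and a check that the chain validates), shown as an added example that is not part of the original posts. The hostname, IP address, file names and validity periods are assumptions.

```sh
#!/bin/sh
# Added example: private root CA plus one server certificate for a LAN-only NAS.
# Constructed placeholders; home.arpa is the name RFC 8375 reserves for home networks.
NAS_NAME="nas.home.arpa"
NAS_IP="192.168.1.50"

make_lan_pki() (
    d="$1"; umask 077; mkdir -p "$d" || exit 1
    # One config for every step, so the result does not depend on the system openssl.cnf.
    cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$NAS_NAME,IP:$NAS_IP
EOF
    # 1. Root CA. ca.key stays on this machine; only ca.crt is imported on clients.
    openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:3072 -nodes \
        -sha256 -days 3650 -subj "/CN=Home LAN Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" &&
    # 2. NAS private key and certificate signing request.
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$NAS_NAME" -keyout "$d/nas.key" -out "$d/nas.csr" &&
    # 3. The CA signs the request; browsers match the SAN entries, not the CN.
    openssl x509 -req -in "$d/nas.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 397 \
        -extfile "$d/pki.cnf" -extensions v3_srv -out "$d/nas.crt"
)

verify_lan_pki() {
    d="$1"
    # The chain must validate against the private CA certificate.
    openssl verify -CAfile "$d/ca.crt" "$d/nas.crt" >/dev/null || return 1
    # The leaf must name the NAS by hostname and by IP in subjectAltName.
    san=$(openssl x509 -in "$d/nas.crt" -noout -text) || return 1
    case "$san" in *"DNS:$NAS_NAME"*"IP Address:$NAS_IP"*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh lan-pki.sh ./lan-pki
if [ $# -gt 0 ]; then make_lan_pki "$1" && verify_lan_pki "$1" && echo "ok: $1"; fi
```

Import `ca.crt` into each client's trust store and install `nas.crt` together with `nas.key` on the NAS. Every step runs locally with `openssl` and contacts no outside service.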
