Symfony Profiler

{
    "@context": [
        "https:\/\/join-lemmy.org\/context.json",
        "https:\/\/www.w3.org\/ns\/activitystreams"
    ],
    "actor": "https:\/\/lemmy.world\/c\/selfhosted",
    "to": [
        "https:\/\/www.w3.org\/ns\/activitystreams#Public"
    ],
    "object": {
        "id": "https:\/\/sh.itjust.works\/activities\/update\/10db893a-cf09-4909-90db-fe5345dd0985",
        "actor": "https:\/\/sh.itjust.works\/u\/litchralee",
        "@context": [
            "https:\/\/join-lemmy.org\/context.json",
            "https:\/\/www.w3.org\/ns\/activitystreams"
        ],
        "to": [
            "https:\/\/www.w3.org\/ns\/activitystreams#Public"
        ],
        "object": {
            "type": "Note",
            "id": "https:\/\/sh.itjust.works\/comment\/17895114",
            "attributedTo": "https:\/\/sh.itjust.works\/u\/litchralee",
            "to": [
                "https:\/\/www.w3.org\/ns\/activitystreams#Public"
            ],
            "cc": [
                "https:\/\/lemmy.world\/c\/selfhosted",
                "https:\/\/lemmy.ml\/u\/Charger8232"
            ],
            "content": "<p>I previously <a href=\"https:\/\/sh.itjust.works\/comment\/17890232\" rel=\"nofollow\">proffered some information in the first thread<\/a>.<\/p>\n<p>But there\u2019s something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store that an app uses \u2013 either its own or the one maintained by the OS \u2013 the CA Browser Forum. which maintains the standards for public certificates, prohibits issuance of TLS certificates for <em>reserved <a href=\"https:\/\/www.iana.org\/assignments\/iana-ipv4-special-registry\/iana-ipv4-special-registry.xhtml\" rel=\"nofollow\">IPv4<\/a> or <a href=\"https:\/\/www.iana.org\/assignments\/iana-ipv6-special-registry\/iana-ipv6-special-registry.xhtml\" rel=\"nofollow\">IPv6<\/a> addresses<\/em>. See <a href=\"https:\/\/cabforum.org\/working-groups\/server\/baseline-requirements\/documents\/CA-Browser-Forum-TLS-BR-2.1.4.pdf\" rel=\"nofollow\">Section 4.2.2<\/a>.<\/p>\n<p>This is because those addresses will resolve to different machines on different networks. Whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won\u2019t issue certs for private IP addresses, there\u2019s a good chance that apps won\u2019t tolerate such certs either. Nor should they, for precisely the reason given above.<\/p>\n<p>A proper self-signed cert \u2013 either for a domain name or a global-scope IP address \u2013 does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust store, either in-app or in the OS. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.<\/p>\n<p>There are safe ways to use self-signed certificate. People should not discard that option so wontonly.<\/p>\n",
            "inReplyTo": "https:\/\/lemmy.ml\/post\/28376589",
            "mediaType": "text\/html",
            "source": {
                "content": "I previously [proffered some information in the first thread](https:\/\/sh.itjust.works\/comment\/17890232).\n\nBut there's something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store that an app uses -- either its own or the one maintained by the OS -- the CA Browser Forum. which maintains the standards for public certificates, prohibits issuance of TLS certificates for _reserved [IPv4](https:\/\/www.iana.org\/assignments\/iana-ipv4-special-registry\/iana-ipv4-special-registry.xhtml) or [IPv6](https:\/\/www.iana.org\/assignments\/iana-ipv6-special-registry\/iana-ipv6-special-registry.xhtml) addresses_. See [Section 4.2.2](https:\/\/cabforum.org\/working-groups\/server\/baseline-requirements\/documents\/CA-Browser-Forum-TLS-BR-2.1.4.pdf).\n\nThis is because those addresses will resolve to different machines on different networks. Whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won't issue certs for private IP addresses, there's a good chance that apps won't tolerate such certs either. Nor should they, for precisely the reason given above.\n\nA proper self-signed cert -- either for a domain name or a global-scope IP address -- does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust store, either in-app or in the OS. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.\n\nThere are safe ways to use self-signed certificate. People should not discard that option so wontonly.",
                "mediaType": "text\/markdown"
            },
            "published": "2025-04-10T02:48:50.436149Z",
            "updated": "2025-04-10T02:49:52.555311Z",
            "tag": [
                {
                    "href": "https:\/\/lemmy.ml\/u\/Charger8232",
                    "name": "@Charger8232@lemmy.ml",
                    "type": "Mention"
                }
            ],
            "distinguished": false,
            "language": {
                "identifier": "en",
                "name": "English"
            },
            "audience": "https:\/\/lemmy.world\/c\/selfhosted",
            "attachment": []
        },
        "cc": [
            "https:\/\/lemmy.world\/c\/selfhosted",
            "https:\/\/lemmy.ml\/u\/Charger8232"
        ],
        "tag": [
            {
                "href": "https:\/\/lemmy.ml\/u\/Charger8232",
                "name": "@Charger8232@lemmy.ml",
                "type": "Mention"
            }
        ],
        "type": "Update",
        "audience": "https:\/\/lemmy.world\/c\/selfhosted"
    },
    "cc": [
        "https:\/\/lemmy.world\/c\/selfhosted\/followers"
    ],
    "type": "Announce",
    "id": "https:\/\/lemmy.world\/activities\/announce\/update\/838ee4c3-b316-4321-a4e0-8d777b403248"
}

{"@context":["https://join-lemmy.org/context.json","https://www.w3.org/ns/activitystreams"],"actor":"https://lemmy.world/c/selfhosted","to":["https://www.w3.org/ns/activitystreams#Public"],"object":{"id":"https://sh.itjust.works/activities/update/10db893a-cf09-4909-90db-fe5345dd0985","actor":"https://sh.itjust.works/u/litchralee","@context":["https://join-lemmy.org/context.json","https://www.w3.org/ns/activitystreams"],"to":["https://www.w3.org/ns/activitystreams#Public"],"object":{"type":"Note","id":"https://sh.itjust.works/comment/17895114","attributedTo":"https://sh.itjust.works/u/litchralee","to":["https://www.w3.org/ns/activitystreams#Public"],"cc":["https://lemmy.world/c/selfhosted","https://lemmy.ml/u/Charger8232"],"content":"<p>I previously <a href=\"https://sh.itjust.works/comment/17890232\" rel=\"nofollow\">proffered some information in the first thread</a>.</p>\n<p>But there’s something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store that an app uses – either its own or the one maintained by the OS – the CA Browser Forum. which maintains the standards for public certificates, prohibits issuance of TLS certificates for <em>reserved <a href=\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\" rel=\"nofollow\">IPv4</a> or <a href=\"https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml\" rel=\"nofollow\">IPv6</a> addresses</em>. See <a href=\"https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.4.pdf\" rel=\"nofollow\">Section 4.2.2</a>.</p>\n<p>This is because those addresses will resolve to different machines on different networks. Whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won’t issue certs for private IP addresses, there’s a good chance that apps won’t tolerate such certs either. Nor should they, for precisely the reason given above.</p>\n<p>A proper self-signed cert – either for a domain name or a global-scope IP address – does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust store, either in-app or in the OS. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.</p>\n<p>There are safe ways to use self-signed certificate. People should not discard that option so wontonly.</p>\n","inReplyTo":"https://lemmy.ml/post/28376589","mediaType":"text/html","source":{"content":"I previously [proffered some information in the first thread](https://sh.itjust.works/comment/17890232).\n\nBut there's something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store that an app uses -- either its own or the one maintained by the OS -- the CA Browser Forum. which maintains the standards for public certificates, prohibits issuance of TLS certificates for _reserved [IPv4](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml) or [IPv6](https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml) addresses_. See [Section 4.2.2](https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.4.pdf).\n\nThis is because those addresses will resolve to different machines on different networks. Whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won't issue certs for private IP addresses, there's a good chance that apps won't tolerate such certs either. Nor should they, for precisely the reason given above.\n\nA proper self-signed cert -- either for a domain name or a global-scope IP address -- does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust store, either in-app or in the OS. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.\n\nThere are safe ways to use self-signed certificate. People should not discard that option so wontonly.","mediaType":"text/markdown"},"published":"2025-04-10T02:48:50.436149Z","updated":"2025-04-10T02:49:52.555311Z","tag":[{"href":"https://lemmy.ml/u/Charger8232","name":"@Charger8232@lemmy.ml","type":"Mention"}],"distinguished":false,"language":{"identifier":"en","name":"English"},"audience":"https://lemmy.world/c/selfhosted","attachment":[]},"cc":["https://lemmy.world/c/selfhosted","https://lemmy.ml/u/Charger8232"],"tag":[{"href":"https://lemmy.ml/u/Charger8232","name":"@Charger8232@lemmy.ml","type":"Mention"}],"type":"Update","audience":"https://lemmy.world/c/selfhosted"},"cc":["https://lemmy.world/c/selfhosted/followers"],"type":"Announce","id":"https://lemmy.world/activities/announce/update/838ee4c3-b316-4321-a4e0-8d777b403248"}