You can't have HTTPS everywhere until we can get HTTPS for IoT devices. My router doesn't serve it's configuration screen via HTTPS. How could it? I have to connect to it to configure it before it's on the internet.
Same with my IoT cameras and all the various local apps I run that can start a web server. Heck, my iPhone has tons of apps that start webservers for uploading data since iPhone's file sync sucks so bad.
We need a solution to HTTPS for devices inside home networks.
I agree that having an elegant and secure solution to enable HTTPS on
non-internet-facing equipment would be nice. I work mainly on embedded devices
and all my admin interfaces are over HTTP because there's simply no way to ship a certificate that would work anywhere. It would be nice if you could easily
deploy self-signed certificates that would only work for local addresses and
only for specific devices, although of course doing that securely and with
good UI would be tricky.
In the meantime having big warnings when connecting to these ad-hoc web
interfaces makes sense I think, since they can effectively easily be spoofed and
MitM'd (LANs are not always secure in the first place so it makes sense to warn
the user not to reuse a sensitive password for instance). It's annoying for us embedded devs but I think it's for the greater good.
Same with my IoT cameras and all the various local apps I run that can start a web server. Heck, my iPhone has tons of apps that start webservers for uploading data since iPhone's file sync sucks so bad.
We need a solution to HTTPS for devices inside home networks.