Kiwi HTTPS/SSL: Works fine. Yet its use is limited by difficult certificate deployment problems.
I've spent the last couple of weeks learning about SSL, certificates, Let's Encrypt (LE) et al. You probably didn't notice, but the forum now uses HTTPS. After some struggles I got the little web server inside the Kiwi software (Mongoose) to support HTTPS/SSL connections. I had to add some code to do automatic HTTP-to-HTTPS connection upgrades. An additional port for simultaneous, local-only HTTP (non-SSL) connections is also supported.
The performance impact of the SSL library encrypting all the web traffic is unknown. It will take some empirical measurements to decide if this is a problem or not.
The real problem is certificate management. There are many different Kiwi network deployment scenarios, and not many of them support easy certificate issuance, let alone automatic renewal (e.g. LE certs require renewal every 90 days).
For example, the Kiwi software could automate certificate handling pretty easily given the following conditions:
- You use your own privately registered domain to address your Kiwi.
- Your ISP does not block incoming connections on port 80 (a requirement of the LE cert challenge authenticator).
But not all Kiwis are set up this way. Some use a reverse proxy to get around the blocking of incoming connections. Some are addressed by IP address or via dynamic DNS. These limitations make it difficult or impossible to get a cert issued by a public certificate authority (CA). It is possible the Kiwi reverse proxy might be adapted to using SSL. I am still looking into that.
As a further example, the second line of http://rx.kiwisdr.com has been modified to show the number of public Kiwis addressed using: the Kiwi proxy service, a DDNS service, a private domain name and an IP address. Only about 30% of public Kiwis use a private domain name.
- Let's Encrypt documentation: https://letsencrypt.org/docs
- Certbot user guide: https://eff-certbot.readthedocs.io/en/stable/using.html#user-guide
- A discussion of how complex the problem is: https://community.letsencrypt.org/t/trusted-ssl-for-private-networks/149663
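The upgrade behaviour described above (automatic HTTP-to-HTTPS upgrade, plus a separate local-only plain-HTTP port) as an added illustration; this is not Kiwi or Mongoose code. It assumes a constructed configuration: HTTPS on port 8073, local-only HTTP on 8074, and kiwi.example.org as the Kiwi's own DNS name.

```python
"""Decide what a small embedded web server does with an incoming request.

Constructed example, not KiwiSDR/Mongoose code.  Two rules from the post:
  * a plain-HTTP request on the public port is upgraded (redirected) to HTTPS;
  * plain HTTP is served only on a separate port and only to local clients.
"""
import ipaddress

HTTPS_PORT = 8073        # assumed public port (TLS, with plain-HTTP upgrade)
LOCAL_HTTP_PORT = 8074   # assumed extra port: plain HTTP, LAN/loopback only
ALLOWED_HOSTS = {"kiwi.example.org"}   # the Kiwi's own DNS name(s); constructed

# Explicit list rather than ipaddress.is_private, which also flags the
# documentation ranges (e.g. 203.0.113.0/24) and varies between versions.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_local_client(client_ip: str) -> bool:
    """True for loopback, RFC1918/ULA and link-local sources.

    Caveat: behind the Kiwi reverse proxy the peer address is the proxy, not
    the user, so this check must not be applied to proxied connections."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)   # version mismatch -> False


def host_only(host_header: str) -> str:
    """Strip the port from a Host header, handling bracketed IPv6 literals."""
    if host_header.startswith("["):
        return host_header[1:host_header.find("]")].lower()
    return host_header.split(":", 1)[0].lower()


def decide(listen_port: int, tls: bool, client_ip: str, host_header: str, path: str):
    """Return ('serve', None), ('redirect', url) or ('reject', http_status)."""
    if tls:
        return ("serve", None)                       # already HTTPS, nothing to do
    if listen_port == LOCAL_HTTP_PORT:
        # The non-SSL port exists for LAN use only; refuse everyone else.
        return ("serve", None) if is_local_client(client_ip) else ("reject", 403)
    # Plain HTTP on the public port: upgrade.  Build the Location from a host we
    # know rather than echoing an arbitrary Host header into the redirect, and
    # refuse paths that could inject extra response headers.
    host = host_only(host_header)
    if host not in ALLOWED_HOSTS:
        return ("reject", 400)
    if not path.startswith("/") or any(c in path for c in "\r\n "):
        return ("reject", 400)
    return ("redirect", f"https://{host}:{HTTPS_PORT}{path}")
```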