Comment by lousken

6 hours ago

why bother with tls, stick it on a separate vlan, lock down all the traffic

Some of this might have been "because I want to see if I can". Another reason is "It bothers me to keep seeing this browser tell me my connection is insecure".

As for putting it on a separate VLAN and securing traffic with firewall rules, that may be as much or more trouble than setting up the automated certificate renewal. At least with the automated certificates there may not be any further maintenance required. With firewall rules, you'll need to open up the firewall each time you want a new device to access the printer.

  • Sure, but how long will that last? It says in the article that RSA2048 is required; however, 3072 should be the minimum these days. I am not sure how long letsencrypt will even allow creating 2048-bit certs.

Because that only protects you from a small subset of possible threats that end-to-end encryption protects you from like DNS hijacking and any MITM-type scenario.

Sticking it on a VLAN only controls access, not data secrecy.

  • Broadcasting internal IPs on public DNS records is also a suboptimal approach that leaks information to the public. Local devices should be routed over layer 2.

    • DNS challenge doesn't broadcast internal IPs. Certificate transparency does show up hostnames or wildcards though.
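As an added illustration of the point above (example code, not from anyone in the thread): what a DNS-01 validation actually publishes at `_acme-challenge.<host>` per RFC 8555 (a base64url SHA-256 digest of the key authorization, no address), next to a check for the leak the parent comment worries about. The token, thumbprint and zone records are constructed placeholders.

```python
import base64
import hashlib
import ipaddress

# Constructed placeholders standing in for an ACME challenge token and account-key thumbprint.
TOKEN = "constructed-token-placeholder"
JWK_THUMBPRINT = "constructed-thumbprint-placeholder"

# Address ranges that should never appear in a public zone (RFC 1918, link-local, ULA).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """TXT record an ACME client publishes for DNS-01 (RFC 8555 section 8.4).

    Value = base64url(SHA-256(token '.' thumbprint)), unpadded. It proves control of the
    zone and reveals nothing about where the device lives on the network."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def audit_zone(records):
    """Return (name, reason, value) for public A/AAAA records that expose internal addresses.

    records: iterable of (name, rtype, value) as they would appear in the public zone."""
    findings = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue  # TXT (including the _acme-challenge record) carries no address
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append((name, "malformed address", value))
            continue
        if any(addr in net for net in PRIVATE_NETS):
            findings.append((name, "internal address in public DNS", value))
    return findings


# Constructed sample zone: the printer leaks a LAN IP; the scanner only carries the TXT record.
SAMPLE_ZONE = [
    ("printer.example.com", "A", "192.168.1.50"),
    ("_acme-challenge.printer.example.com", "TXT", dns01_txt_value(TOKEN, JWK_THUMBPRINT)),
    ("_acme-challenge.scanner.example.com", "TXT", dns01_txt_value(TOKEN, JWK_THUMBPRINT)),
]

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(finding)
```

Certificate Transparency will still list `printer.example.com` once the cert is issued, which is the hostname exposure the comment above mentions; the audit only catches address exposure.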

A VLAN buys you time, not trust. Give a printer its own separate segment and six months later you've got ad hoc firewall exceptions for scans, updates, vendor support, and some test VM nobody remembered to remove. TLS is boring, and that's the point: it fails closed, while network policy drifts until the weird exception becomes the default.

  • tls is not boring at all, especially with devices that are always 10 years behind in terms of security, it's not like you can enforce any kind of reasonable ciphersuites even in modern printers

    also 9/10 printing protocols are insecure anyway

    scans - sure, mailserver needs to be allowed

    vendor support - same mailserver

    vm - at least a reason to kill it

    also why would i ever allow auto updates, it's better not to without understanding what garbage manufacturer released this time