For the longest time, I have been accessing Octoprint using http://octopi.local/ in my browser's address bar. However, that always gave me a “not secure” address.
However, this morning I’ve now found that, instead of connecting to http://octopi.local/, I just need to connect to https://octopi/ (add the ‘s’ after http and remove the '.local') to get a secured connection.
When I clicked on the lock icon on the address bar and viewed the certificate, I found the certificate it was using was 'Bitdefender Personal CA.Net-Defender’. I am using Bitdefender Total Security as my antivirus program on my computer that I am connecting from. In any case, problem solved for me.
That sounds like your "Bitdefender Total Security" is actually performing what is commonly referred to as a Man-in-the-Middle Attack to rewrite the certificate installed on OctoPi (and frankly that would be a reason for me to switch to a different security suite), because that is actually self-signed, generated on first boot, and has also been mentioned in various places in the available documentation.
So just to make this perfectly clear, OctoPrint does not ship with SSL, the reverse proxy on OctoPi however has a self-signed and uniquely generated certificate installed, which is also why https is only an option instead of the default, because self-signed certificates generate quite scary warnings in modern browsers (a topic I could spend hours talking about but won't here). However, it is mentioned in the installation instructions and even on the command line when using SSH or similar.
tldr: OctoPrint does not in fact ship with a certificate signed by "Bitdefender Personal CA.Net-Defender"
@foosel - thanks, I am no security expert for sure.
However, when I first tried this, Bitdefender did pop up a window saying the site was unsafe or the certificate invalid or something like that - I can't remember exactly. However, it gave me an option to accept it, which I did. When I now look into my Bitdefender exceptions, the IP address of my Raspberry running OctoPrint is listed. My guess is that Bitdefender did not rewrite the certificate installed on OctoPi on the Raspberry itself; rather it was whitelisted on my PC for use by my PC, and now it is using one it automatically created itself as a proxy. But again, I am no security expert.
Also, I just noticed the certificate being used has a creation date of today, and an expiry date into next week. It will be interesting to see what happens next week: do I get another pop-up window, or does Bitdefender automatically create a replacement?
In any case, if you can tell me where the certificate on my Raspberry is, and what it should be, I can confirm if that is what it is, or not, on my Pi.
I think this only 'works' when you allow Bitdefender to install a CA authority in your browser which accepts any self-signed certificate as valid.
From a security perspective the very purpose of certificates is to make your browser balk when someone tries to insert an unknown certificate in your communication. Apparently Bitdefender disables that protection, treating the SSL security as a cosmetic issue and helping to automate MITM attacks.
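An added check, as example code that is not from the thread, OctoPrint or Bitdefender, for the question of what certificate the Pi should be presenting: it connects with normal verification and reports whether the client received a self-signed leaf (what OctoPi's reverse proxy ships) or one that chained to a CA this machine trusts, and classifies a certificate's issuer and validity period so a days-long certificate issued by some other CA stands out. The host name 'octopi', port 443, the 30-day threshold and the helper names are assumptions.

```python
import socket
import ssl

# OpenSSL verify code for a self-signed leaf (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
SELF_SIGNED_LEAF = 18


def flatten_name(name):
    """Turn the nested ((('commonName', 'x'),), ...) tuples from getpeercert() into a dict."""
    return {key: value for rdn in name for key, value in rdn}


def classify_cert(cert, max_proxy_days=30):
    """Classify a certificate dict in the shape ssl.SSLSocket.getpeercert() returns.

    OctoPi's reverse-proxy certificate is self-signed (issuer == subject) and long-lived.
    A certificate for the same host issued by some other CA and valid only for days is
    the pattern a client-side TLS-intercepting proxy produces: it mints a fresh leaf.
    """
    subject = flatten_name(cert["subject"])
    issuer = flatten_name(cert["issuer"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    valid_days = (not_after - not_before) / 86400
    self_signed = subject == issuer
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": self_signed,
        "valid_days": valid_days,
        "proxy_suspect": (not self_signed) and valid_days <= max_proxy_days,
    }


def probe(host="octopi", port=443, timeout=5.0):
    """Connect with full verification against this machine's trust store.

    Returns ("self_signed", None) when the server hands over a self-signed leaf (the
    OctoPi default), ("trusted", info) when the chain verified, meaning something this
    machine trusts signed it (look at info["issuer_cn"]), or ("verify_error", message).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "trusted", classify_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == SELF_SIGNED_LEAF:
            return "self_signed", None
        return "verify_error", err.verify_message


if __name__ == "__main__":
    print(probe())
```

On Windows, Python loads the system root store, so a locally installed interception CA makes `probe()` return "trusted" with that CA as the issuer, whereas the unmodified OctoPi certificate returns "self_signed".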