this post was submitted on 05 Feb 2024
44 points (97.8% liked)

Selfhosted

39435 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I have a home server and I have some HTTP services running on it. I'm thinking if I should even bother with HTTPS, as I'm already using tail scale which should be peer-to-peer and encrypted. So I shouldn't worry about any men in the middle.

Am I missing something?

It just feels wrong to work with non-S HTTP :(

all 13 comments
sorted by: hot top controversial new old
[–] [email protected] 20 points 9 months ago

There's no need, but if you really want to, you can do it through Tailscale - Provision TLS certificates for your internal Tailscale services

[–] [email protected] 16 points 9 months ago (1 children)

HTTPS performs two duties.

  1. Secures your connection from prying eyes.
  2. Verifies the identity of the server.

Your VPN provides the former but not the latter. That said the odds of there being an issue in this regard are so slim as to be zero, so you'll probably be fine.

[–] [email protected] 4 points 9 months ago (1 children)

It does though doesn't it? since every device needs to be authorized by me first

[–] damium 14 points 9 months ago (1 children)

It can still have issues with potential attacks that would redirect your client to a system outside of the VPN. It would prevent MitM but not complete replacement.

[–] lambda 1 points 9 months ago

Yep! It all comes down to your attack surface and how paranoid you want to be.

[–] [email protected] 8 points 9 months ago (1 children)

Do you have any devices on your local network where the firmware hasn't been updated in the last 12 month? The answer to that is surprisingly frequently yes, because "smart device" companies are laughably bad about device security. My intercom runs some ancient Linux kernel, my frigging washing machine could be connected to WiFi and the box that controls my roller shutters hasn't gotten an update sind 2018.

Not everyone has those and one could isolate those in VLANs and use other measures, but in this day and age "my local home network is 100% secure" is far from a safe assumption.

Heck, even your router might be vulnerable...

Adding HTTPS is just another layer in your defense in depth. How many layers you are willing to put up with is up to you, but it's definitely not overkill.

[–] [email protected] 2 points 9 months ago

I have a router with dd-wrt and I have VLANS where only my "trusted" devices are and another for everything else (like smart things or guests)

But I get your point, thank you!

[–] [email protected] 7 points 9 months ago* (last edited 9 months ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network

3 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #490 for this sub, first seen 5th Feb 2024, 20:05] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 3 points 9 months ago
[–] [email protected] 1 points 9 months ago

Pretty sure all men got pushed out of the middle by grimy angry goblins that steal your cookies and tokens.