Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow
Comment on How to selfhost with a VPN
humanoidchaos@lemmy.cif.su 3 weeks agoThanks.
It’s my understanding that https provides encryption for the data sent between you and the server. If you’re not sending any sensitive data, then the encryption shouldn’t be necessary.
Don’t get me wrong, encryption is great even when it isn’t necessary. For my demonstration purposes though, I chose not to include it.
I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.
stratself@lemdro.id 3 weeks ago
humanoidchaos@lemmy.cif.su 3 weeks ago
Thanks. This is new to me and I’m going to be looking into it.
turmoil@feddit.org 3 weeks ago
As I use docker for most of my deploys (as you should for websites exposed to the Internet anyway), I can wholeheartedly recommend traefik for this. Basically it has the functionality of nginx, but supports easy Let’s Encrypt certificates.
Laser@feddit.org 3 weeks ago
Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow
It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.
I believe encryption helps prevent tampering the data between the server and user too. It should prevent for example, someone MITM the connection and injecting malicious content that tells the user to download malware
No, encryption only protects the confidentiality of data. You need message authentication codes or authenticated encryption to make sure the message hasn’t been transported with. Especially stream ciphers like ChaCha (but also AES in counter mode) are susceptible to malleability attacks, which are super simple yet very dangerous.
frezik@lemmy.blahaj.zone 3 weeks ago
Public key crypto, properly implemented, does prevent MITM attacks. TLS does do this, and that’s all that matters here
Laser@feddit.org 3 weeks ago
Public key crypto, properly implemented, does prevent MITM attacks.
It does, but modern public key crypto doesn’t encrypt any client data (RSA key exchange was the only one to my knowledge). It also only verifies the certificates, and the topic was about payload data (i.e. the site you want to view), which asymmetric crypto doesn’t deal with for performance reasons.
My post was not about “does TLS prevent undetected data manipulation” (it does), but rather if it’s the encryption that is responsible for it (it’s not unless you put AES-GCM into that umbrella term).
SteveTech@programming.dev 3 weeks ago
It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.
They’re ‘shortlived’ 7 day certs, verified using a HTTP challenge. It doesn’t matter who owns the IP, it’s just a matter of who holds the IP.
Laser@feddit.org 3 weeks ago
Right, and for the challenge, you need to have access to a privileged port (which usually implies ownership), which you won’t get assigned.
ComradeMiao@lemmy.world 3 weeks ago
It takes two seconds to get https and 10 bucks a year for a domain. Come on
possiblylinux127@lemmy.zip 3 weeks ago
Honestly if one is wanting the lowest cost you can buy a 1.111B class domain from gen.xyz. it is $0.99 a year which is far cheaper than anything I’ve seen.
ComradeMiao@lemmy.world 3 weeks ago
Even more reason for no excuse
WhyJiffie@sh.itjust.works 3 weeks ago
but it is sensitive data. the webserver can send executable code to the web browser. if it does not that doesn’t matter, what matters is that it can be inserted by a middleman. It’s not like there’s a dedicated person needed to do that, it can just happen automatically.
drspod@lemmy.ml 3 weeks ago
Anyone with the ability to inject or modify packets in the network path between server and client can inject malicious javascript or browser exploits into an unencrypted HTTP TCP stream. The client’s User-Agent and other headers would allow the attacker to customize their attack to target that specific browser version, and compromise the client machine.
possiblylinux127@lemmy.zip 3 weeks ago
You can pickup a cheap domain from gen.xyz. The cheapest domain is $0.99 which is pretty affordable especially since you probably are already paying for a internet connection.
Once you have the domain you can point it to your IP and then set port 443 on that address to point to Caddy. On Caddy you can either configure it as a server or use it as a reverse proxy to point to something else.
Security wise I would put all of this on its own vlan with ACLs to control access. If that sounds confusing start with https.
SMillerNL@lemmy.world 3 weeks ago
It’s my understanding that https provides encryption for the data sent between you and the server. If you’re not sending any sensitive data, then the encryption shouldn’t be necessary.
As others have pointed out, everything can be sensitive. If I’m self hosting nextcloud instance with chat that under British law should check for age… self hosting is now sensitive.
In addition to that, without a secure connection you’re stuck with HTTP/1.1 from 1999 instead of the modern 2 or 3 versions.
I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.
N0x0n@lemmy.ml 3 weeks ago
In addition to that, without a secure connection you’re stuck with HTTP/1.1
That’s not entirely true. A lot of requests, even with https, are send over HTTP/1.1. And this is kinda mind blowing that in 2025 we still rely on something so old and insecure…
Same goes with SMS and the old SS7 protocol from 1970… 2FA SMS is probably the most insecure way to get access to your bank account or what ever service promotes 2FA sms login.
falynns@lemmy.world 3 weeks ago
I can’t believe SMS is still used for anything but sure OTP sent in text makes sure my account is secure Mr Bank.
SMillerNL@lemmy.world 3 weeks ago
Does that contradict what I said? Sure, HTTP 1 is still widely used, but without TLS you can’t use anything else.
For SMS we don’t have a choice, but if you configure your own web server you do have a choice.
fmstrat@lemmy.nowsci.com 3 weeks ago
Not that I think you need it for this, but a DynDNS implementation would give you a hostname you can dynamically change to your VPN ip, thus solving the SSL host issue.
N0x0n@lemmy.ml 3 weeks ago
I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.
Just create your own rootCA and IntermediateCA and sign your certificate with those, put the CA in your trust store of your system and get rid of this self-signed warning on every device and happily access all your service via: *.home.lab or whater ever local domain pleases you.
frongt@lemmy.zip 3 weeks ago
I’m not installing OP’s CA cert just to view his blog.
N0x0n@lemmy.ml 3 weeks ago
Fair point ! Yeah sure if you host a blog online it doesn’t make sense… But if you only self-host your services for family and some friends and access them over VPN, a local CA is actually a privacy respecting choice.
Hosting something on the web (specially self-hosted) without the propre software and hardware is a bad idea in the first place anyway !
possiblylinux127@lemmy.zip 3 weeks ago
That is a pretty bad take as all data is sensitive. Https also provides integrity to prevent man in the middle attacks.
theshatterstone54@feddit.uk 3 weeks ago
And that’s why even static sites like Hugo blogs or even simple pages like the one OP posted should have HTTPS. Source: Studied Distributed Systems at university.