I have a home server and I have some HTTP services running on it. I’m thinking if I should even bother with HTTPS, as I’m already using tail scale which should be peer-to-peer and encrypted. So I shouldn’t worry about any men in the middle.

Am I missing something?

It just feels wrong to work with non-S HTTP :(

  • atzanteol@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    16
    ·
    9 months ago

    HTTPS performs two duties.

    1. Secures your connection from prying eyes.
    2. Verifies the identity of the server.

    Your VPN provides the former but not the latter. That said the odds of there being an issue in this regard are so slim as to be zero, so you’ll probably be fine.

    • MTK@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      9 months ago

      It does though doesn’t it? since every device needs to be authorized by me first

      • damium@programming.dev
        link
        fedilink
        English
        arrow-up
        14
        ·
        9 months ago

        It can still have issues with potential attacks that would redirect your client to a system outside of the VPN. It would prevent MitM but not complete replacement.

  • rentar42@kbin.social
    link
    fedilink
    arrow-up
    8
    ·
    9 months ago

    Do you have any devices on your local network where the firmware hasn’t been updated in the last 12 month? The answer to that is surprisingly frequently yes, because “smart device” companies are laughably bad about device security. My intercom runs some ancient Linux kernel, my frigging washing machine could be connected to WiFi and the box that controls my roller shutters hasn’t gotten an update sind 2018.

    Not everyone has those and one could isolate those in VLANs and use other measures, but in this day and age “my local home network is 100% secure” is far from a safe assumption.

    Heck, even your router might be vulnerable…

    Adding HTTPS is just another layer in your defense in depth. How many layers you are willing to put up with is up to you, but it’s definitely not overkill.

    • MTK@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      I have a router with dd-wrt and I have VLANS where only my “trusted” devices are and another for everything else (like smart things or guests)

      But I get your point, thank you!

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    9 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network

    3 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

    [Thread #490 for this sub, first seen 5th Feb 2024, 20:05] [FAQ] [Full list] [Contact] [Source code]

    • ArtikBanana@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      I might have misunderstood you, but data transferred inside the tailnet will always be encrypted by Tailscale.
      So if you’re connected to a public wifi and someone’s looking at your traffic, accessing a random http site would be clear text, but accessing an http site inside your tailnet will be encrypted.

      Unless you define an exit node and tell Tailscale to use it. And then all your traffic will be encrypted from the view of the one looking at your traffic logs from the public wifi (and clear text from the exit node to the random http site).

      • teawrecks@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Yes, I misread and immediately deleted my post lol. I think you were talking about tailscale VPN, and I was thinking something more like cloudflare tunnel.

        That said, the risk is still there that tailscale (or whichever middle company) can read your plaintext packets.