I have a home server and I have some HTTP services running on it. I’m thinking if I should even bother with HTTPS, as I’m already using Tailscale, which should be peer-to-peer and encrypted. So I shouldn’t worry about any men in the middle.

Am I missing something?

It just feels wrong to work with non-S HTTP :(

  • MTK@lemmy.world (OP) · 11 months ago

    It does though, doesn’t it? Since every device needs to be authorized by me first.

    • damium@programming.dev · 11 months ago

      It can still have issues with potential attacks that would redirect your client to a system outside of the VPN. It would prevent MitM but not complete replacement.

    • atzanteol · 11 months ago

      How do you know you’re connecting to the server you think you’re connecting to? When you enter http://myserver.local into a web browser, for example, it does a DNS lookup to get an IP address. You’re assuming that that lookup returns the value you think it should. BUT if something has poisoned your DNS cache, added an entry to /etc/hosts, etc. that IP address could be some other server. Without a certificate being presented by the server you likely wouldn’t notice.

      But as I said - it’s pretty unlikely in your scenario. But something to understand better for other scenarios.
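
A check for the name-resolution problem raised in the replies above, as an added example that is not part of the thread: it flags a hosts-file entry or resolver answer that sends a service name to an address outside Tailscale's node ranges, or to a different tailnet node than the one you expect. The hosts-file text, the expected address and the resolver answers are constructed sample values; `audit` and its finding labels are hypothetical names.

```python
import ipaddress

# Ranges Tailscale assigns to tailnet nodes (IPv4 CGNAT block, IPv6 ULA prefix).
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]

def in_tailnet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TAILNET)

def parse_hosts(text):
    """Map each lower-cased name in hosts-file text to the addresses listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(fields[0])
    return table

def audit(name, resolved, hosts_text, expected):
    """Return (label, address) findings for one service name.

    resolved: addresses the resolver returned (e.g. via socket.getaddrinfo)
    expected: the tailnet address of your server (assumption: you know it)
    """
    want = ipaddress.ip_address(expected)
    findings = []
    for addr in parse_hosts(hosts_text).get(name.lower(), []):
        if ipaddress.ip_address(addr) != want:
            findings.append(("hosts-override", addr))
    for addr in resolved:
        if not in_tailnet(addr):
            findings.append(("outside-tailnet", addr))   # traffic would leave the VPN
        elif ipaddress.ip_address(addr) != want:
            findings.append(("unexpected-tailnet-node", addr))
    return findings

# Constructed sample data: a tampered hosts file and the address you expect.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
203.0.113.7 myserver.local   # constructed rogue entry
"""
EXPECTED = "100.101.102.103"  # constructed tailnet address

if __name__ == "__main__":
    print(audit("myserver.local", ["203.0.113.7"], SAMPLE_HOSTS, EXPECTED))
```

A clean result only shows the name currently points where you expect; it does not authenticate the server the way a certificate presented over HTTPS does.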