this post was submitted on 16 Jun 2024
85 points (97.8% liked)

Selfhosted

39980 readers
603 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I've not read this yet, just passing it along, as it looks really interesting.

I'm not affiliated in any way with this.

ETA: If anyone has read it / bought a copy, a review would be very appreciated.

top 25 comments
sorted by: hot top controversial new old
[–] [email protected] 16 points 4 months ago (3 children)

Hopefully the author explains how to use SSL/TLS since their site doesn't :/

[–] [email protected] 11 points 4 months ago (2 children)

They do, via Traefik. Chapter 8.

Maybe they decided there was nothing that requires an SSL/TLS certificate on this particular site? (They accept payments elsewhere).

[–] [email protected] 9 points 4 months ago

It’s because you linked to the site using http://. This is something the site should account for, but doesn’t.

[–] [email protected] 1 points 4 months ago (1 children)

How do you know that if you've never read it?

[–] [email protected] 13 points 4 months ago

Because I clicked the link and read the link at the top which says "Code". The book's contents are open source. :)

Though I think everyone who can afford to and wants a copy should consider buying one. As an author myself, I know this author would prefer that option, but they're being very cool by sharing the contents online too.

https://github.com/meonkeys/shb/blob/main/book/steadfast.asciidoc

[–] [email protected] 2 points 4 months ago (2 children)

The site does use https for me... it instantly redirects from http to https

[–] [email protected] 5 points 4 months ago (1 children)

Your browser is redirecting, the site is not.

[–] [email protected] 4 points 4 months ago (1 children)

That's possible, I'm using Firefox, is that something firefox would do?

[–] [email protected] 3 points 4 months ago

Yes, there is/was a setting for that, should be on by default.

[–] [email protected] 2 points 4 months ago

Sounds like the robot guy doesn't use https only mode

[–] [email protected] -2 points 4 months ago (4 children)

I might have missed it, but it doesn't look like their site accepts payment data, or has a login of any kind.

Why would the lack of SSL concern you?

[–] [email protected] 6 points 4 months ago* (last edited 4 months ago) (1 children)

The site is encrypted but you can also access the site over http. The author hasn’t configured any kind of HTTPS upgrade. This is an easily correctable oversight that a self proclaimed “self hosting expert” should have accounted for.

[–] [email protected] 1 points 4 months ago (1 children)

They should just block port 80

[–] [email protected] 2 points 4 months ago

Or not have the website listen on port 80, or redirect connections from http to https on connect. Lots of very simple ways to correct this problem.

[–] [email protected] 3 points 4 months ago

Why wouldn't that concern you? That means it is totally plain text with zero verification of incoming data or encryption. It is really easy to tamper with http traffic.

[–] [email protected] 3 points 4 months ago (1 children)

Why would the lack of SSL concern you?

Because it means my traffic to that site is in the clear. And while we're not transacting anything sensitive necessarily. It's still best practice to limit sniffing.

Automatically swapping to https should be default behavior for every website.

[–] [email protected] -3 points 4 months ago (1 children)

There's no need to encrypt this data. Any entity that is watching you knows how to see the domains you visit, and everything on this site is on the main page, or a click away from it.

An SSL here is nothing more than security theater, or marketing.

[–] [email protected] 5 points 4 months ago (1 children)

An SSL here is nothing more than security theater, or marketing.

Or like I already said... is best practice.

[–] [email protected] -1 points 4 months ago (1 children)

"Best practice" isn't a catch-all rebuttal. Best practices are contextual. I'm keen to see your justification for encryption beyond "all sites should encrypt everything always".

My assertion is that this isn't necessary in this case. Why do you think that it is necessary to encrypt open-source, freely available, non-controversial site content?

[–] [email protected] 7 points 4 months ago* (last edited 4 months ago)

The site is already available in HTTPS. Why would you even serve content non-encrypted?

If you need an education on the matter... Here you go. https://www.cloudflare.com/learning/ssl/why-use-https/

"I don’t handle sensitive information on my website so I don’t need HTTPS"

A common reason websites don’t implement security is because they think it’s overkill for their purposes. After all, if you’re not dealing with sensitive data, who cares if someone is snooping? There are a few reasons that this is an overly simplistic view on web security. For example, some Internet service providers will actually inject advertising into HTTP-served websites. These ads may or may not be in line with the content of the website, and can potentially be offensive, aside from the fact that the website provider has no creative input or share of the revenue. These injected ads are no longer feasible once a site is secured.
Modern web browsers now limit functionality for sites that are not secure. Important features that improve the quality of the website now require HTTPS. Geolocation, push notifications and the service workers needed to run progressive web applications (PWAs) all require heightened security. This makes sense; data such as a user’s location is sensitive and can be used for nefarious purposes.

I don't feel the need to be your teacher. You can easily google why you should always be using HTTPS. There's numerous reason... all overwhelmingly obvious. Forget the basic "Not every ISP is an angel, and they all will collect as much information as they can get". But I already said that... "It’s still best practice to limit sniffing." Not sure why I need to elaborate any more on that. Very much akin to "why close your window blinds", because nobody likes a peeping tom.

Ultimately for this specific website it's literally changing a couple lines of code in their apache or nginx instance (or whatever proxy they're using). It's called best practice for a reason.

Edit: Hell it's even a bit more of a guarantee that your site makes it to the consumer unaltered. Would be odd for that site to have it's packets intercepted and midget porn be added to every page wouldn't it? Think that would hurt the guys reputation?

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

The site links to a site that accepts payment data. So because the author's site is http, a MITM attacker could change the payment links from lulu.com to site-that-actually-steals-your-credit-card.com.

That's one huge thing https provides over http.. assurance of unadulterated content, including links to sites that actually deal in sensitive data.

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (1 children)

Hi! Author here. I added a http → https redirect to my book website, thanks all. I do intend to always serve public content via https to (as other smart folks have thoughtfully mentioned) guard against stuff getting messed with between my server and your browser (however unlikely that may be). In this case I thought my server was redirecting to https, but turns out my Firefox was forcing https (again, same as other smart folks said).

re: "expert", ugh, I'm embarrassed to even use that word, but someone else graciously called me that (so I intended to remove "self-proclaimed"), and it supposedly helps for sales. All I know is I'm growing and learning just like you, the more I know the less I know I know, and I make mistakes all the time. I always appreciate kind corrections/feedback/comments/patches/suggestions/etc.

That includes feedback on https://github.com/meonkeys/shb/blob/main/pelican/website/content/extra/.htaccess ... I feel clever fixing two things in a single redirect (getting rid of www. and forcing https), but I'm not sure if I'm doing something silly or dangerous here. I'm definitely not an expert at Apache mod_rewrite, I just cobbled that together from official docs and stackoverflow posts.

[–] [email protected] 1 points 4 months ago

Hi author! I'm Dad. :)

Thanks for joining the conversation. I thought it too much to hope you'd be on Lemmy but glad you are! Thanks for adding those bits about https, but I was saddened to see that 90% of the conversation around this centered on that one side topic.

I've only read the TOC for your book so far but it seems very much what we need to see more people adopt self-hosting so thank you very much for putting in the time and effort!

[–] [email protected] 2 points 4 months ago

Cool, thanks for the link!

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
nginx Popular HTTP server

[Thread #812 for this sub, first seen 16th Jun 2024, 20:05] [FAQ] [Full list] [Contact] [Source code]