Hetzner does run a (MitM) proxy in front of my server!
old.reddit.com
external-link
I created a thread about strange server behavior 2 days ago:...

cross-posted from: https://lemmy.one/post/5660007

Likely under the command of law enforcement and without informing any clients.

@rho50@lemmy.nz
link
fedilink
English
351Y

This is why self hosted to me means actually running it on my own hardware in a location I have at least some control of physical access.

That said, an ISP could perform the same attack on a server hosted in your home using the HTTP-01 ACME challenge, so really no one is safe.

HSTS+certificate pinning, and monitoring new certificates issued for your domains using Certificate Transparency (crt.sh can be used to view these logs) is probably the only way to catch this kind of thing.

fmstrat
link
fedilink
English
71Y

Post title is missing Linode.

fmstrat
link
fedilink
English
121Y

Good suggestions at the bottom.

There are several indications which could be used to discover the attack from day 1:

All issued SSL/TLS certificates are subject to certificate transparency. It is worth configuring certificate transparency monitoring, such as Cert Spotter (source on github), which will notify you by email of new certificates issued for your domain names

Limit validation methods and set exact account identifier which could issue new certificates with Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding (RFC 8657) to prevent certificate issue for your domain using other certificate authorities, ACME accounts or validation methods

Possibly linux
link
fedilink
English
11Y

deleted by creator

pootriarch
link
fedilink
English
11Y

so per wikipedia and confirmed at MDN, firefox is the only major browser line not to consider certificate transparency at all. and yet it’s the only one that has given me occasional maddening SSL errors that have blocked site access (not always little sites, it’s happened with amazon).

i don’t understand how firefox can be simultaneously the least picky about certificates and the most likely to spuriously decide they’re invalid.

TheHolm
link
fedilink
English
11Y

Is it tame for selfhosted to switch to DANE?

Turun
link
fedilink
English
61Y

Yes. All hosting providers will comply with requests from law enforcement.

Signal and proton mail were forced to hand out information as well in the past. All you can do is choose which provider you distrust the least.

Possibly linux
link
fedilink
English
11Y

My domain has two certs issued to it. Am I in trouble?

@Decronym@lemmy.decronym.xyz
bot account
link
fedilink
English
2
edit-2
1Y

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL

[Thread #232 for this sub, first seen 22nd Oct 2023, 23:05] [FAQ] [Full list] [Contact] [Source code]

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 126 users / day
  • 421 users / week
  • 1.16K users / month
  • 3.85K users / 6 months
  • 1 subscriber
  • 3.68K Posts
  • 74.2K Comments
  • Modlog