this post was submitted on 31 Mar 2024
55 points (93.7% liked)

Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

 

Hey All, I am just getting started in my journey. Part of my goal is to de-google my life and I am looking to start with my calendar. I want it to sync with my laptop and my phone. I was going to start reading about Nextcloud because it seems like it would have the stuff I need and more. My question is what does the community use, so that I can read and research about it. No technical questions yet.


Edit: Not sure why I cannot see the replies when signed in (visible when logged out). Will be checking out your suggestions. Thanks Self Hosted community!

[–] lemmyvore@feddit.nl 2 points 7 months ago

Not if you get a wildcard certificate, then the CT logs only show *.example.com. The bad guys also can't get subdomains from the DNS server without breaking into it, because nowadays DNS servers don't do public zone transfers.

You can also use a wildcard CNAME in DNS, just to be extra safe. That way the subdomain names only live in your reverse proxy and on your devices, effectively acting as an additional auth factor (see below though). But it only works if you don't need to define any explicit subdomain; it typically clashes with email stuff because a CNAME on *.example.com won't allow you to also have MX on *.example.com or TXT on _dmarc.example.com.

It's true that subdomains are not a super secret auth factor right now because of SNI (Server Name Indication), which transmits them in the clear outside TLS connections so that reverse proxies can do host-based routing. So the subdomain can be intercepted anywhere: on routers, by ISPs, etc. It will also be freely given away to any DNS server you use to resolve them (but you can mitigate that by using DoH or DoT with a privacy-pledged DNS server). You also can't afford to share links to your subdomain with anybody, so it's best kept for services used only by a select number of trusted people.

The SNI issue is being worked on btw, we now have Encrypted Hello (ECH) which uses DoH keys to encrypt the domain name outside TLS, but ECH is still being adopted.
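The SNI point in the comment above is easy to verify on the wire. The following is an added example (not code from the commenter or from any project mentioned on this page): it builds a minimal, constructed TLS ClientHello record for a hostname, then parses it back the way an on-path observer would, pulling the hostname out of the unencrypted server_name extension and noting whether an ECH extension is present. The hostname `vault.example.com`, the fixed random bytes, the single cipher suite and the ECH extension code point `0xfe0d` (the draft-ietf-tls-esni value) are all assumptions made for the demonstration.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello code point from the ECH draft (assumption)


def build_client_hello(hostname: str, with_ech: bool = False) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI entry.

    This is a constructed sample for the demonstration, not a real capture.
    If with_ech is set, a placeholder ECH extension is appended; a real ECH
    extension would carry an HPKE-encrypted inner ClientHello instead of zeros.
    """
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if with_ech:
        payload = b"\x00" * 8
        exts += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    body = (
        b"\x03\x03"                       # client_version TLS 1.2 (legacy field)
        + b"\x11" * 32                    # fixed client random (assumption)
        + b"\x00"                         # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                     # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the cleartext SNI hostname and ECH presence from a ClientHello record.

    Walks the record exactly as a passive observer on a router or at an ISP could,
    since nothing in the ClientHello is encrypted.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods

    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            # server_name_list: 2-byte list length, then entries of type(1) + len(2) + name
            lp = 2
            while lp + 3 <= len(data):
                ntype = data[lp]
                nlen = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                if ntype == 0:
                    result["sni"] = data[lp + 3:lp + 3 + nlen].decode("ascii", "replace")
                lp += 3 + nlen
        elif etype == ECH_EXT:
            result["ech"] = True
    return result


if __name__ == "__main__":
    rec = build_client_hello("vault.example.com")
    print(parse_client_hello(rec))
    print("hostname visible as raw bytes:", b"vault.example.com" in rec)
```

The second print line is the whole point: the hostname appears verbatim in the first packet of the connection, before any key exchange, so a "secret" subdomain is only secret from people who never see your traffic. With ECH deployed, the outer ClientHello carries the public name and the real hostname moves into the encrypted inner ClientHello; the parser above would then report the ECH extension and only the public name as SNI.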