Hey All, I am just getting started in my journey. One of my goals is to de-Google my life, and I am looking to start with my calendar. I want it to sync with my laptop and my phone. I was going to start reading about Nextcloud because it seems like it would have the stuff I need and more. My question is what does the community use, so that I can read and research about it. No technical questions yet.


Edit: Not sure why I cannot see the replies when signed in (they are visible when logged out). Will be checking out your suggestions. Thanks, Self Hosted community!

  • lemmyvore@feddit.nl · 1 upvote · 9 months ago

    Not if you get a wildcard certificate; then the CT logs only show *.example.com. The bad guys also can’t get subdomains from the DNS server without breaking into it, because nowadays DNS servers don’t do public zone transfers.

    You can also use a wildcard CNAME in the DNS, just to be extra safe. That way the subdomain names only live in your reverse proxy and on your devices, effectively acting as an additional auth factor (see below though). But it only works if you don’t need to define any explicit subdomain; it typically clashes with email stuff because a CNAME on *.example.com won’t allow you to also have MX on *.example.com or TXT on _dmarc.example.com.

    It’s true that subdomains are not a super secret auth factor right now because of SNI (Server Name Indication), which transmits them in the clear outside the TLS connection, so that reverse proxies can do host-based routing. So the subdomain can be intercepted anywhere: on routers, by the ISP, etc. It will also be freely given away to any DNS server you use to resolve them (but you can mitigate that by using DoH or DoT with a privacy-pledged DNS server). You also can’t afford to share links to your subdomain with anybody, so it’s best kept for services used only by a select number of trusted people.

    The SNI issue is being worked on, btw; we now have Encrypted Hello (ECH), which uses DoH keys to encrypt the domain name outside TLS, but ECH is still being adopted.