This is still the header! Main site

Self-Hosting, Security and the PC Era

This is post no. 65 for Kev Quirk's #100DaysToOffload challenge. The point is to write many things, not to write good ones. Please adjust quality expectations accordingly :)

Apparently, one post is not enough of a reply to Moxie's "no one will want to host servers anyway" one... so here is another post, covering security.

Self-hosting is dangerous, right?

Just think of the dangers of self-hosting an email server. If it gets hacked, your domain name is doomed forever, your IP is doomed forever, and your emails will end up being spam until the end of time. Or... they'll just steal your money. Or accounts. Or... something.

Well, actually, there are very good reasons not to. You might still want to; it's, apparently, one of the harder things to self-host.

However... before we make this a blanket statement... let's go back to the 90s!

90s Computer Apps

Back in the 90s, maybe in the early 2000s, too, you used to have a computer. It had some files on it, along with programs installed. Maybe you could connect to The Internet, too; you could download your emails so that you could read them later.

Remember MSN Messenger?

a screenshot of MSN messenger

... also remember how it didn't have a server-side message history? Which is absolutely table stakes these days? Or that POP3, the popular email fetcher protocol at the time (before IMAP), would delete all your messages from the server?

And how this was not an issue whatsoever for most people? (... well except the rich and powerful ones who had enough money for multiple computers.)

The point being: cloud sync wasn't a thing not because there was no cloud yet; cloud sync didn't happen because there weren't any machines to sync to. Everything was on The Computer. Or, at least, on the same LAN as The Computer.

Same with your documents. Your pictures (... if you had one of those fancy Digital Cameras). All your mp3s. You could give them to other people... and you might have had multiple computers, after all, but your desktop computer was your Home, everything else was secondary.

Enter Mobile.

First, of course, laptops happened. And, finally, there were smartphones; they were smart enough to kinda qualify as "computers", but they weren't enough to move over your True Computing Home to them. But then... phones were also the devices you happened to have with you all the time, so... was your desktop your True Computing Home anymore...?

All these changes pointed towards the same direction: you didn't really live on a single computer anymore; having your files / emails / contacts / calendar on only one of them stopped working, and you couldn't just keep copying things around. This is part of the reason a lot of Web-based solutions (Gmail & Google Calendar, for example) ended up being popular: they weren't actually better than earlier, desktop-app solutions, but they worked from everywhere. Meanwhile, mobile apps were doing the same thing right from the start: for most of them, the source of truth was in The Cloud anyway.

But... did it have to be The Cloud? Could it have been one of your own computers instead?

Well... not quite. It's not like Running a Server is that easy (especially back in the 2000s, with computers and internet connections being a lot more expensive; dialup was a thing!). Also, companies would rather want to take over doing this: it's a lot nicer to sell you a subscription than give you a thing you could install at home.

Fast forward 20-ish years: there are a few weirdos who self-host things, but most use Cloud Solutions for everything.

... so how is this relevant again?

The point is: most "cloud" things are not about "server stuff" but about syncing your 3-4 computers.

Obviously, a web forum needs to be... a widely available web server. Your personal webmail interface, however, doesn't. It has exactly one user: you. From your phone, from your laptop, from some other places: it's always the same person.

If you self-host an RSS reader, it's only you who will be using it.

Yet... you will need to harden it against the entirety of The Internet if you want to reach it from the outside. (If you can't, you won't end up using it, so the entire thing becomes pointless.) Thus, self-hosting is still dangerous and hard...

... unless you set up a VPN, which now you can actually do in a super simple way these days!

(Yes, I know, this turned into yet another Tailscale ad again. No, they're still not paying me for this. Yes, it's really that cool. But even without, the point still stands, as long as you have a relatively easy-to-setup VPN that you don't have to tinker with a lot.)

So, if you're looking at it that way... a web interface is just remote desktop-ing into the One Computer you will keep your stuff on (e.g. article read statuses), solving the sync problem that way. It might be a better idea than actual remote desktop with e.g. a desktop email client; you might even use mobile apps for talking to your server. But... there is still a large category of things that you can self-host on a VPN, without any extra security implications, as long as your VPN is not entirely stupid.

And even if some sharing is going on (e.g. a photo album), the target audience is typically not "everyone". Which makes it a significantly easier problem, security-wise, than what e.g. a Google-scale company has to face: actual hostile users logging into and using your server.

This, of course, doesn't cover all possible apps that are cloud-based and centralized currently; it does cover a lot of them that moved to the cloud though. And even when you need a little communication between instances (e.g. sharing of photos), securing the "sharing" part is a whole lot simpler than securing the entire UI.

... comments welcome, either in email or on the (eventual) Mastodon post on Fosstodon.