It’s acceptable sending my Umbrel password in clear text over home network.
But how safe is it sending my Umbrel password in clear text over Tor?
Compromised Tor exit node can easily grab the password, connect remotely and wreak havoc?
If you own home network is compromised, I don’t know why are you still browsing the internet. Accessing your node page through local address means IT IS NOT going out in internet, that’s why is LOCAL. So if your local network is fine, why so much paranoia?
Tor, by default is ENCRYPTED traffic, doesn’t matter if is http or https.
HTTP/S is used only on clearnet, to make difference between http (port 80) not encrypted and https (port 443) encrypted.
On Tor network there’s no use of ports, each port is another onion address that is by default encrypted.
Seems that you need to learn more about networks and TCP/IP, this is not an issue for Umbrel.
Thanks for clarifying that Tor is always encrypted traffic.
I think this answer was a little dismissive of @UmbrelDreams. You have convinced me, actually, that I am okay on my home network, where my main concern is trusted family members. Not everyone, though, can trust their home LAN. I’m thinking of, say, college roommates sharing a broadband connection. In that situation, I might like my roommates, but I don’t necessarily trust them to not go sniffing cleartext traffic on the LAN. Just like I wouldn’t leave wads of cash lying around. Is the paranoid person’s answer to use TOR Browser on their LAN?
On top of that, routers and home networks do occasionally get compromised due to, say, zero-day vulnerabilities lurking in the latest firmware. It would be nice to know that I have another layer of security beyond my NAT firewall, if someone has managed to gain access to the kids’ gaming machine, for instance.
Running an Umbrel Node in an untrusted shared LAN is not a good idea even if you use https or Tor. Your node can get hacked pretty easy via ssh or other vulnerabilities/exploits not even related to Umbrel but Linux itself.
If your only option is to run an Umbrel Node in a shared untrusted LAN, please at least buy a good router and make your own trusted LAN.
Also a local https can show non-user friendly warnings, check RHEL Web Console (I use it myself) and you will see a management console with https, and it requires to add a browser https insecure exception
1 Like
hello
even u LAN is trusted i think get UMREBL with https ,is an priority
we can have a web server without https even in local LAN access
he is very sensitive
on my point on vue !!
All of you have no idea about how a https works.
The “s” from https means is run in encrypted mode. That means you need a SSL cerificate to encrypt that connection.
On a LOCAL address like 192.168.x.x or umbrel.local THERE’S NO WAY TO USE A SSL CERTIFICATE!
Get over it! Don’t be so obsessed for a freaking meaningless thing.
You run on your own LAN, that means IT IS your responsibility to secure it.
If not, then don’t run the freaking node. Hide inside a dark cage because somebody will come and hack your brains.
1 Like
I get it - be paranoid. But network vlan segregation doesn’t prevent network sniffing. OTOH enabling https and using a locally signed certificate will give users a false sense of security because even though a good browser (firefox and not chrome) will tell you if a self-signed certificate was changed, it could lull users into a false sense of security by thinking that using wifi with SSL on their node is secure.
In order to use BTCpay Server, LNbits (Boltcard) it is necessary to have https:// access. I believe https:// is very important.
2 Likes
It’s really annoying that umbrel doesnt’t offer https/SSL encryption out of the box. It’s not state of the art, and it’s relatively easy to create a self signed certificate on a local network. I don’t understand why umbrel doesn’t implement that.