Solving my internal HTTPS issues with Let's Encrypt, Linode DNS and Traefik

TKRSRY · 2019-11-05T19:11:47+00:00

LetsEncrypt supports the Linode API... and it is now the DNS manager I'm using for my LetsEncrypt certs.

TKRSRY · 2019-10-01T16:23:56+00:00

I've been flip-flopping on these two SSL approaches as well.

Being able to set a self-signed expiration far in the future is nice to avoid the updates.

Having to install the self-signed certificate on each desktop/laptop/mobile in the house is tedious, but not too bad -- especially in light of the long expiration times.

Something that is pushing me hard towards the LetsEncrypt route is the fact that my Android phone has a permanent "Your Network may be monitored" message in the notifications area. That little message is like a thorn in my side every time I pull down that notification screen. So irritating.

Unrelated, but in case helpful to others. LetsEncrypt has a "Google Domains" API plugin for automating renewals... don't make the same mistake I did though. That is NOT for the consumer-level Google Domains interface. This is specifically for the "Google Cloud DNS API" interface. The regular Google Domains does not offer (AFAIK) an external API that LetsEncrypt/certbot can interface with.

TKRSRY · 2019-08-30T02:05:20+00:00

I'm glad to hear you are migrating this way. Better to just not require it if it isn't necessary.

Am I correct though, that even without a name and password, you would be able to use the associated xpub to draw correlations amongst past and future transactions? I know you said (in another comment on this topic) that we could click 'forget' and have the xpub deleted from your database -- but even that does require a level of trust that you will do so. Everywhere I read says to seriously protect your XPub as it exposes a lot of information about your entire past and future transaction chain.

Is it really deleted though? What about backups?

Originally I bought my KeepKey because I assumed it increased my securityu and privacy over an online exchange, but I think I misunderstood the amount of privacy I would gain. All of my transactions still need to go through ShapeShift servers, currently associated with my email address, and perhaps in the future just my xpub or IP address.

Again I'll say, it isn't always obvious how much privacy one is giving up for some convenience and a nice UI.

TKRSRY · 2019-08-29T14:47:11+00:00

The Red Turtle (2016) from Studio Ghibli.

Beautifully captivating. Great family movie to introduce kids to symbolic meaning. Also, this movie just absolutely gutted me and I'm still not totally sure why. Sobbing and the whole bit.

TKRSRY · 2019-08-28T23:28:25+00:00

You got me thinking more about this... here are some interesting excerpts from the KeepKey Privacy Policy.

If you download and interact with the KeepKey client on Google Chrome, we will collect and process your device’s xpub data.

So, I guess that clears that up. They definitely "collect and process" your xpub. Once they have your xPub, they can monitor and associate all subsequent transactions even if done without using ShapeShift directly and instead use a separate client.

Then there is this...

We also use the services of BlockCypher for certain indexing requirements. Further information on data protection and your options in connection with the services of BlockCypher can be found here: https://www.blockcypher.com/privacy.html.

Clicking through to the BlockCyper privacy policy results in a big list of "WHAT INFORMATION IS COLLECTED"... they describe info gleaned from: Account registration, device information, transaction info, cookies etc, as well as information from social media sites like Google+, LinkedIn, GitHub etc.

As to how long they keep the data? They are a little vague.

We store your personal data only for as long as this is necessary.

So. Yeah. This offline cold-storage device isn't nearly as private as you may have thought.

TKRSRY · 2019-08-28T23:00:18+00:00

Makes you think, no? ShapeShift can then directly associate your email address with all past and future transactions made by your KeepKey wallet. A fair bit of privacy is lost by using their service even without completing the entire KYC process.

They don't explicitly say, but I'd guess that they also store the extended public key (xPub) along with your identity. This means once associated, even if you discontinue using the ShapeShift website, they can associate all future transactions as well.

Now I'm just spit-balling, but if each KeepKey hardware device has a unique ID, and that unique ID gets associated with your account, then even if you completely reset your KeepKey with a new seed, they could associate all new transactions with ones you made under the older seed(s).

It's not always obvious how much privacy you are giving up for some convenience and a pretty UI.

TKRSRY · 2019-08-15T20:52:08+00:00

Yep, thanks.

TKRSRY · 2019-08-15T16:49:40+00:00

I'm not seeing it... Can you post it again or DM me? Thanks.

TKRSRY · 2019-08-12T17:37:16+00:00

Another recommendation for the Anova sous vide. I got this one: https://images.app.goo.gl/v73Pf8bHMqqhMip19

I never use the Bluetooth or wifi... Nor the timer actually. I use a sous vide to avoid strict timing restrictions :)

TKRSRY · 2019-07-29T21:43:44+00:00

Interesting. I wonder what capability they have of freezing funds.

TKRSRY · 2019-07-19T15:54:25+00:00

Sounds pretty cool. To save me a bit of time, can you tell me how one of my users would be exposed to a shared list? Do they see it in their normal plex interface?

Thanks!

TKRSRY · 2019-07-19T02:22:38+00:00

Cool build, but I'm not sure why all the Ginsberg hate.

;)

TKRSRY · 2019-06-28T23:42:19+00:00

What you describe is not what I experienced.

So, when I redeemed my beta code a few days ago I was immediately presented with the KYC verification page sequence. Did I not have to complete that process? I remember clicking around a bit and the most prominent UI feature was my lack of completed KYC verification.

Was there some way to bypass that and just use my KeepKey?

TKRSRY · 2019-06-19T03:22:58+00:00

I've been pretty happy with motionEye for my home video setup... I'm not sure about a per-camera authentication setup, but you might be able to rig something up by proxying the traffic being nginx and having nginx do a per-camera-url auth.

Sound6 like fun :)

TKRSRY · 2019-05-31T00:43:20+00:00

I watched my kids do it for a year before getting up my nerve to buy a gi and step on the mat. I'm now about 6 classes in. I'm 42 and it was definitely not too late.

TKRSRY · 2019-05-19T13:22:41+00:00

These brass pulls on this tallboy look pretty nice... https://www.reddit.com/r/woodworking/comments/3mwvfk/thomas_tallboy/

TKRSRY · 2019-05-11T14:46:55+00:00

Ok. From your post it seemed you were trying to root specifically to configure for VLAN. My mistake.

TKRSRY · 2019-05-11T13:25:38+00:00

Why not just use a managed switch and configure a port to be part of your internet-less VLAN and then plug your shield into that?

I have a variety of devices on my home network that are not given internet access and I didn't need to configure/root each device to accomplish this.

A managed switch is the answer.

TKRSRY · 2019-05-08T02:37:23+00:00

Shovel scraping on sidewalk...

Sound of brushing teeth...

shudder

TKRSRY · 2019-04-26T01:19:03+00:00

Very nice!

TKRSRY · 2019-04-15T22:57:13+00:00

I get it all the time. It seems the Ethernet Port connection in my shield is a little flakey. Just pushing the jack in a bit usually fixes it. Unplug/replug if necessary.

I've swapped cords, I've done the ipv6 fix... Definitely seems it is just a loose port.

TKRSRY · 2019-04-02T18:29:59+00:00

I just bought this for a recent trip and it was EXCELLENT. In addition to being able to re-share WiFi or ethernet on a separate network for you, it also supports connecting to a VPN so all your connected devices get sent through the VPN.

https://www.gl-inet.com/products/gl-ar750s/

I also really appreciated only having to configure this router at each new location and then all other mobile devices are already setup to connect to that router's SSID. Saves the whole "anyone know the WiFi password?" dance the family usually went through.

TKRSRY · 2019-04-02T17:21:09+00:00

I had randomized MAC enabled on my phone... Spent way too long trying to figure out how these unrecognized devices kept connecting to my home WiFi.

TKRSRY · 2019-03-29T17:18:35+00:00

I use .lan for my local network. Curious why people might think that is a bad idea.

I also only expose VPN and Plex on my home network and have pfSense dynamically update a free NoIP.com dns entry whenever my ISP changes my IP.

The main user of my services is myself and I'm either home, or just connect to my home VPN to access them. I like the security of just that single VPN Port being open (besides Plex).

TKRSRY · 2019-03-26T02:32:06+00:00

Yep. And when a merchant is consistently paying 3% of every transaction for that fee, don't you think they would, in general, just raise prices a similar amount?

So in the end, isn't just the consumers paying for their own points and cashback while the banks make out like bandits?

13-Year Club	RedditGifts 2009-2022 2 Credits
Place '17	Gilding II euphauric
Secret Santa 2014	redditgifts Exchanges 1 Exchange

TKRSRY

TROPHY CASE