I never said anything about using the VPN as an ACL. All I said was to only expose the service over the VPN. That doesn’t necessarily mean that the app doesn’t have authentication or authorization.
I’m also only talking about residential use cases, where it’s a common practice (when not using a VPN) to just expose everything via port forwarding. Businesses aren’t setting up Jellyfin on their servers.
true, fun fact a VPN is also an application with an auth layer. dun dun dun!
Sure, but someone would have to first get on the VPN, and then find vulnerable apps once on the internal network, as opposed to just scanning the internet for public-facing vulnerable systems. Wireguard (and thus Tailscale) doesn’t respond to port scans at all - it only responds to packets that are signed with a known key.
Admittedly, networking and network security isn’t my specialty so I’m absolutely sure you’ve got more knowledge in this area.
I never said anything about using the VPN as an ACL.
its literally your entire argument. you may not realize that is what you’re saying but it is. ‘vpns prevent {insert entity here} from accessing your systems by not publicly exposing them’. ACL -> ‘access control list’, you need to be on the VPNs list in order to access it which provides control for the network. your router already exposes you to the public internet. using a VPN or not doesnt change this.
in fact:
Sure, but someone would have to first get on the VPN
what do you think the phrase first geton the VPN means? its literally has access via the ACL. more on that paragraph later…
I’m also only talking about residential use cases, where it’s a common practice (when not using a VPN) to just expose everything via port forwarding.
business vs residential doesnt change security properties of approaches.
Businesses aren’t setting up Jellyfin on their servers.
because its literally is not a tool designed for any practical business use case. but that’s completely unrelated to its security properties. You’re literally just slapping a VPN in front to deal with the broken ACL’s that jellyfin provides.
Sure, but someone would have to first get on the VPN, and then find vulnerable apps once on the internal network, as opposed to just scanning the internet for public-facing vulnerable systems.
Doubling up on the authn/authz layers doesnt improve security, it just worsens user experience, which then leads to users taking short cuts for their own convenience undercutting whatever security you’re doing.
again as that wonderful federal document discusses VPNs are useful for preventing lateral movement once a device on a network is compromised (see worse user experience). but you literally need multiples of them in order for that to be effective and you need a reason for the segmentation.
Wireguard (and thus Tailscale) doesn’t respond to port scans at all - it only responds to packets that are signed with a known key.
port scanning isnt a vulnerability, its an attack optimization. a discovery mechanism once an attacker already on a network.
it doesnt really even slow attackers down these days. it doesnt take long to just plaster every port with your request for a specific application and when you’re attacking a system you essentially already know what vulnerabilities you’re going to attack (or you just try all the ones you have). oh no, it took them 30 seconds to compromise the network instead of 3…
you can also achieve similar properties at the application level w/ quic’s 0-RT, you send the auth request in the initial packet. so either the authn works or the connection silently hangs just like wireguard.
Nevermind the fact that using something like wireguard gives attackers something to target on your local device. ‘oh look, the keys to the kingdom just sitting here… on disk… in a well known directory… so kind of people to just leave these skeleton keys just lying out in the open like this, its a great trick VPNs have pulled teaching everyone they’re for security instead of privacy’
Admittedly, networking and network security isn’t my specialty
And I’ll refer you back to my original posts about VPNs not being effective security measures and how you should stop quoting dogma.
Its perfectly fine you’re using one, just stop spreading misinformation that they’re for security in any manner. you’re just using it to poorly plug security issues down stream in jellyfin.
fun fact: did you know that the encryption in the bittorrent protocol is basically useless and has major performance impacts when enabled?
also fun fact: did you know most networks get compromised by attacking the router itself first? you know the easiest thing to secure in the first place from a complexity standpoint? making this entire discuss pointless?
in real terms: try retrovibed at some point its still early days for it but its UX is designed around dealing with a lot of these issues.
I never said anything about using the VPN as an ACL. All I said was to only expose the service over the VPN. That doesn’t necessarily mean that the app doesn’t have authentication or authorization.
I’m also only talking about residential use cases, where it’s a common practice (when not using a VPN) to just expose everything via port forwarding. Businesses aren’t setting up Jellyfin on their servers.
Sure, but someone would have to first get on the VPN, and then find vulnerable apps once on the internal network, as opposed to just scanning the internet for public-facing vulnerable systems. Wireguard (and thus Tailscale) doesn’t respond to port scans at all - it only responds to packets that are signed with a known key.
Admittedly, networking and network security isn’t my specialty so I’m absolutely sure you’ve got more knowledge in this area.
its literally your entire argument. you may not realize that is what you’re saying but it is. ‘vpns prevent {insert entity here} from accessing your systems by not publicly exposing them’. ACL -> ‘access control list’, you need to be on the VPNs list in order to access it which provides control for the network. your router already exposes you to the public internet. using a VPN or not doesnt change this.
in fact:
what do you think the phrase
first get on the VPNmeans? its literallyhas access via the ACL. more on that paragraph later…business vs residential doesnt change security properties of approaches.
because its literally is not a tool designed for any practical business use case. but that’s completely unrelated to its security properties. You’re literally just slapping a VPN in front to deal with the broken ACL’s that jellyfin provides.
Doubling up on the authn/authz layers doesnt improve security, it just worsens user experience, which then leads to users taking short cuts for their own convenience undercutting whatever security you’re doing.
again as that wonderful federal document discusses VPNs are useful for preventing lateral movement once a device on a network is compromised (see worse user experience). but you literally need multiples of them in order for that to be effective and you need a reason for the segmentation.
port scanning isnt a vulnerability, its an attack optimization. a discovery mechanism once an attacker already on a network.
it doesnt really even slow attackers down these days. it doesnt take long to just plaster every port with your request for a specific application and when you’re attacking a system you essentially already know what vulnerabilities you’re going to attack (or you just try all the ones you have). oh no, it took them 30 seconds to compromise the network instead of 3…
you can also achieve similar properties at the application level w/ quic’s 0-RT, you send the auth request in the initial packet. so either the authn works or the connection silently hangs just like wireguard.
Nevermind the fact that using something like wireguard gives attackers something to target on your local device. ‘oh look, the keys to the kingdom just sitting here… on disk… in a well known directory… so kind of people to just leave these skeleton keys just lying out in the open like this, its a great trick VPNs have pulled teaching everyone they’re for security instead of privacy’
And I’ll refer you back to my original posts about VPNs not being effective security measures and how you should stop quoting dogma.
Its perfectly fine you’re using one, just stop spreading misinformation that they’re for security in any manner. you’re just using it to poorly plug security issues down stream in jellyfin.
fun fact: did you know that the encryption in the bittorrent protocol is basically useless and has major performance impacts when enabled?
also fun fact: did you know most networks get compromised by attacking the router itself first? you know the easiest thing to secure in the first place from a complexity standpoint? making this entire discuss pointless?
in real terms: try retrovibed at some point its still early days for it but its UX is designed around dealing with a lot of these issues.