URI: 
       Title: Self-hosting at home and privacy
       Author: Solène
       Date: 10 September 2024
       Tags: privacy selfhosting life
       Description: In this blog post, you will learn that self-hosting your
       own services at home could leak some information about you
       
       # Introduction
       
       You may self-host services at home, but you need to think about the
       potential drawbacks for your privacy.
       
       Let's explore what kind of information could be extracted from
       self-hosting, especially when you use a domain name.
       
       # Public information
       
       ## Domain WHOIS
       
       A domain name must expose some information through WHOIS queries,
       basically who is the registrar responsible for it, and who could be
       contacted for technical or administration matters.
       
       Almost every registrar offers a feature to hide your personal
       information; you certainly do not want to have your full name, full
       address and phone number exposed by a single WHOIS request.
       
       You can perform a WHOIS request on the link below, directly managed by
       ICANN.
       
  HTML ICANN Lookup
       
       ## TLS certificates using ACME
       
       If you use TLS certificates for your services, and ACME (Let's Encrypt
       or alternatives), all the domains for which a certificate was issued
       can easily be queried.
       
       You can visit the following website, type a domain name, and you will
       immediately have a list of existing domain names.
       
  HTML crt.sh Certificate Search
       
       In such a situation, if you planned to keep a domain hidden by not
       sharing it with anyone, you got it wrong.
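
       An added example (not from the original post): a self-audit of what
       the certificate logs reveal about a domain you own. It parses a saved
       copy of crt.sh's JSON output and lists the names you did not intend to
       publish; the sample data, example.org and the function names are
       constructed for illustration.

```python
"""Audit which hostnames the public certificate logs expose for your domain."""
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=<domain>&output=json); all values are made up.
SAMPLE = json.dumps([
    {"name_value": "example.org\nwww.example.org",
     "not_before": "2024-06-01T00:00:00"},
    {"name_value": "nextcloud.example.org",
     "not_before": "2024-03-12T00:00:00"},
    {"name_value": "*.home.example.org\nhome.example.org",
     "not_before": "2023-11-02T00:00:00"},
    {"name_value": "WWW.example.org",
     "not_before": "2024-09-01T00:00:00"},
])


def exposed_names(crtsh_json, domain):
    """Return {hostname: earliest not_before date} for names under `domain`."""
    seen = {}
    domain = domain.lower()
    suffix = "." + domain
    for entry in json.loads(crtsh_json):
        # One certificate can list several names, separated by newlines.
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name != domain and not name.endswith(suffix):
                continue  # unrelated name sharing the certificate
            first = entry["not_before"][:10]  # keep YYYY-MM-DD only
            if name not in seen or first < seen[name]:
                seen[name] = first
    return seen


def unintended(seen, intended_public):
    """Names visible in the logs that you did not mean to publish."""
    allowed = {n.lower() for n in intended_public}
    return sorted(n for n in seen if n not in allowed)


if __name__ == "__main__":
    names = exposed_names(SAMPLE, "example.org")
    for host in unintended(names, {"example.org", "www.example.org"}):
        print(f"{host} has been public since {names[host]}")
```

       To audit a real domain, save the JSON returned by crt.sh for it and
       pass the file's contents instead of SAMPLE.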
       
       ## Domain name
       
       If you use a custom domain in your email, it is highly likely that you
       have some IT knowledge and that you are the only user of your email
       server.
       
       Using this deduction (IT person + only domain user), someone having
       access to your email address can quickly search for anything related to
       your domain and figure out it is related to you.
       
       ## Public IP
       
       Anywhere you connect, your public IP is known to the remote servers.
       
       Some bored sysadmin could take a look at the IPs in their logs and
       check whether some public service is running on them.  Polling for
       secure services (HTTPS, IMAPS, SMTPS) will immediately give the domain
       name associated with that IP, and then they could search even further.
       
       # Mitigations
       
       There are not many solutions to prevent this, unfortunately.
       
       The public IP situation could be mitigated in two ways: either keep
       hosting at home, rent a cheap server with a public IP, establish a VPN
       between the two and use the public IP of the server for your services,
       or move your services to such a remote server.  This is an extra
       cost of course.  When possible, you could expose the service over a Tor
       hidden service or I2P if it works for your use case; you would not need
       to rent a server for this.
       
       The TLS certificate names being public could be easily solved by
       generating self-signed certificates locally, and living with it.
       Depending on your services, it may be just fine, but if you have
       strangers using the services, asking them to trust the
       certificate on first use (TOFU) may appear dangerous.  Some software
       fails to connect to services using self-signed certificates and does
       not offer a bypass...
       
       # Conclusion
       
       Self-hosting at home can be practical for various reasons: reusing old
       hardware, better local throughput, high performance for cheap... but
       you need to be aware of potential privacy issues that could come with
       it.