I wasn't debating your point; I was pointing out how this service accomplishes it without tripping over that problem. FWIW: I'm not sure that's actually how it works.
The device talks to an AWS EC2 proxy IP that Helm makes sure isn't on an IP blacklist. All traffic that goes through that is TLS encrypted using Let's Encrypt keys.
Elsewhere in the thread, Giri says it uses a VPN connection. Is it TLS + something else?
helm.garrytan.com:3333 for example responds with a self-signed localhost cert, not LE keys. IMAPS (still not sure why that’s there but I asked that in a different comment so let's have that thread there) and 8443 do answer with LE though :)