Unless you manage to leak your private host/client SSH keys, this is close to being as secure as it gets.
I'd say that HTTPS (or TLS in general) is more problematic, since you need to trust numerous root CAs in the machine/browser store. Sure, you can use certificate pinning, but that has the same issues as SSH host key verification.
CA compromise is very rare and difficult. There are much easier attacks on TLS than that (notably, attacking insecure validation methods; the problem isn't that CAs aren't secure, it's that validation methods and their dependencies are insecure). Besides, the CAs for TLS only cover transport security; authentication+authorization would be handled securely through OIDC, using temporary sessions and not exposing the true credential, often combined with 2FA. Even if you successfully attack a TLS server, two factors, and an active session, it only works once; you have to keep pulling it off to remain inside.
Compare that to malware that just copies a developer's ssh private key off the disk (again, almost nobody ever password protects theirs). This just happened recently on a massive scale with the npm attacks. Or intercepts the first connection from a client host and, again, because nobody ever validates keys, injects a false host key, and now they're pwnd indefinitely. Or, again, companies that do not strictly validate host keys, meaning immediate MitM. There's like a dozen ways to compromise SSH. It doesn't have to be that way, but it is that way, because of how people use it.
Great, now we need caching for something that's seldom (relatively speaking) used by people.
Let's not forget that scrapers can be quite stupid. For example, if you have phpBB installed, which by default puts session ID as query parameter if cookies are disabled, many scrapers will scrape every URL numerous times, with a different session ID. Cache also doesn't help you here, since URLs are unique per visitor.
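One way to handle the session-in-URL case on the proxy/log side, as an added example that is not from this thread: strip the session parameter (assumed here to be phpBB's `sid`) so every visitor's copy of a page collapses to one cache key, and flag clients that fetch the same normalized page under many different session IDs, which is the cookie-less scraper pattern described above. The log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAMS = {"sid"}  # phpBB's session-id query parameter (assumption; adjust per app)

def normalize_url(url):
    """Drop session-id parameters and sort the rest so one page maps to one cache key."""
    parts = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k not in SESSION_PARAMS)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def session_ids(url):
    """Return the set of session-id values carried in the URL's query string."""
    return {v for k, v in parse_qsl(urlsplit(url).query) if k in SESSION_PARAMS}

# Constructed combined-log lines (documentation IPs), not real traffic.
LOG = """\
203.0.113.7 - - [10/Oct/2025:10:00:01 +0000] "GET /viewtopic.php?t=42&sid=aaaa HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2025:10:00:02 +0000] "GET /viewtopic.php?sid=bbbb&t=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2025:10:00:03 +0000] "GET /viewtopic.php?t=42&sid=cccc HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2025:10:00:04 +0000] "GET /viewtopic.php?t=42&sid=dddd HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2025:10:00:09 +0000] "GET /viewforum.php?f=3&sid=dddd HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def scraper_report(log_text, threshold=3):
    """Map client -> normalized pages fetched under >= threshold distinct session IDs.
    A real browser keeps one sid per visit; a scraper that ignores cookies gets a
    fresh sid on every request and so re-fetches the same page many times."""
    seen = defaultdict(lambda: defaultdict(set))  # ip -> page -> {sid, ...}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        seen[ip][normalize_url(url)] |= session_ids(url)
    return {ip: [page for page, sids in pages.items() if len(sids) >= threshold]
            for ip, pages in seen.items()
            if any(len(sids) >= threshold for sids in pages.values())}

if __name__ == "__main__":
    print(scraper_report(LOG))  # {'203.0.113.7': ['/viewtopic.php?t=42']}
```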
You’re describing changing the base assumption for software reachable on the internet. “Assume all possible unauthenticated urls will be hit basically constantly”. Bots used to exist but they were rare traffic spikes that would usually behave well and could mostly be ignored. No longer.
GUI might not be as powerful, but in my experience, it's similarly non-intuitive as alternatives, such as VirtualBox / UTM (macOS) / VMware Fusion/Player.
For anything more complex (e.g. GPU passthrough) you will need to drop into manually modifying XML files.
I don't like this. Bad user experience with AI and general enshittification of Windows was the push that many people needed to at least try Linux, and for companies to take Linux a bit more seriously as the desktop platform.
I think the more important platform is laptops right now. Linux on laptops has battery life issues because unfortunately modern hardware/software makes it so "good battery life" is a knife's edge configuration.
Peer-to-peer requires that devices from different home networks talk to each other. Gaming, audio/video chat, screen sharing, file sharing (torrents), etc.
The whole idea of the internet from the beginning is that devices can talk with each other.
> Traditionally, operating a Matrix homeserver has meant accepting a heavy operational burden. You aren't just installing software; you are becoming a system administrator. You have to provision virtual private servers (VPS), tune PostgreSQL for heavy write loads, manage Redis for caching, configure reverse proxies, and handle rotation for TLS certificates. It’s a stateful, heavy beast that demands to be fed time and money, whether you are sending one message a day or one million.
I have limited experience with Matrix, but you don't actually need Synapse (reference homeserver), which is quite a resource hog and not even remotely easy to set up/administer.
You can just use the lightweight Continuwuity homeserver for the Matrix part, and Caddy for the reverse proxy/TLS/ACME part, installed on a VPS. Both require minimal configuration, and provide packages for many Linux distributions, as well as Docker images.
(Continuwuity is a fork of conduwuit which was a fork of Conduit. Conduit was abandoned, but is now active again, and there are also other active forks as well. However, it seems to me that Continuwuity is currently the most active fork.)