nycmeshnet
/faq: Request to help improve "Is the mesh secure?" question
Ehud's comment:
I must say this answer never satisfied me personally nor anyone I talked to. I think we need a more hand-holdy and comprehensive explanation of precautionary actions they need to take, not just throw out "just use https and vpn! easy!"
Especially since to most people "use a vpn" means about as much as "use a flux capacitor" -- it's some magical tech and they have zero clue where to even start.
Jillian's comment:
I agree. This answer isn't very succinct for the purpose of a FAQ. Maybe we could develop a short answer for this page and link to a more detailed description or steps on how and why people should secure their network?
I think @jessetane had some good thoughts when talking about this in Slack with @lattera. Let me see if I can find it in the chat history.
There's this pull request that never made it over to the org repo - https://github.com/jedahan/docs/pull/1
I'll leave this here, hopefully it's useful to whoever is creating the "hand-holdy" version. This is just my opinion at the moment, others may disagree with some of it of course.
The mesh is not secure in the same way that the internet in general is not secure. Use tools that provide "end-to-end" encryption and authentication to ensure that the (un)trustworthiness of the network is not relevant to the confidentiality and integrity of your communications. The only widely used and easily available tool I know of for accomplishing this is SSL/TLS (HTTPS is HTTP tunneled inside TLS).
There are caveats of course: the x509 based web PKI (used for the authentication part of TLS) is badly broken in my opinion, but fixing that doesn't specifically have anything to do with the mesh. Other things are also broken (SNI is not yet encrypted, DNS is not usually encrypted etc) but these issues are receiving a fair amount of attention from the internet community at large and progress does appear to be being made.
VPN is a valuable tool that can be used to skip some hops in, and/or alter the topology of, the network that connects you and your destinations. It's tricky to understand and get right, and must be used in addition to (not instead of) end-to-end tools like TLS. I don't personally think it makes sense to expect folks to need or want use of a VPN inside the mesh.
All of this is to say nothing of course about how secure or insecure your router and its firewall is. You're effectively bringing the internet to your doorstep, so you should probably expect the worst. Most off-the-shelf type home routers are designed with this in mind and should have something reasonable in place by default.
