I have a private network using Tailscale that runs a few local websites and services. Accessing the websites happens via the Tailscale client which connects nodes in the tailnet directly (e.g. my phone and a dokku hosted website) encrypting data from end to end. While this is a great way to secure the session it’s not validating the identity of the website.
Why does that matter and why does a certificate help?
DNS can get spoofed and someone on the network you are connecting through could serve the same domain pointing to a malicious website. While unlikely, that means someone could trick you into sharing information you thought was happening on your private website like credentials, document uploads, or photos, or anything else you might normally interact with or share.
An SSL certificate validates the identity of the private website so that you would receive a browser warning if it was being spoofed.
Links to this note
-
How Does Tailscale Work Without Ports Open?
If a home computer is running on a local network with no ports exposed, how are tools like
tailscaleworking to connect to said computer? How would the computer know that another device is trying to connect to it?