The post is strange (even if not serious). Like, what do you expect?
If the provider deletes data in this situation, people complain. If the provider hosts data for free, there are people who still complain (and even accuse the provider of dark patterns). Perhaps that’s why the focus is shifting to enterprise customers.
I would note that, although obviously the confidentiality in TLS is based on public key cryptography, authentication by mTLS doesn’t reach the cryptography part.
The process starts with a client and server hello. Then the server sends its certificate to the client, and the client sends its certificate to the server. The server verifies that the client’s certificate is signed by a certificate authority in its trust store. That’s the authentication part. The client’s private key is not used.
The confidentiality comes next if authentication is successful.
I asked because X.509 certificates are complex and difficult to parse securely. Also, mTLS is rarely used.
Your suggested solution, Cloudflare Tunnels, man-in-the-middles the traffic, and it’s not an end-to-end tunnel. It’s a tunnel to Cloudflare! Users should be warned about this!
For purely personal stuff which I only access from my own devices, I use SSL client certificates in front of normal auth. The rest of the services are mostly public anyway.
It’s a great product, but unfortunately they terminate the TLS and scan the traffic. It’s the same as hosting the data on Google or Microsoft (except you pay for the hardware as well).
It should not be considered self hosted.
Is there a reverse proxy where the client makes a TLS connection to the proxy, proves their identity, if successful is allowed by proxy to initiate a new TLS connection to the server at home with the certificate of that server?
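One way to build what this question describes, as an added example that is not part of the thread: an nginx reverse proxy that requires a client certificate signed by a private CA and, only for authenticated clients, opens a fresh TLS connection to the home server and verifies that server's certificate. Hostnames, ports and every file path are assumed placeholders.

```nginx
# Added example (not from the thread). Front proxy that authenticates clients
# with mTLS, then re-encrypts to the home server and verifies its certificate.
# All hostnames and paths below are placeholders.
server {
    listen 443 ssl;
    server_name proxy.example.com;

    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only clients presenting a certificate issued by this private CA are
    # allowed past the handshake; everyone else is rejected before any
    # application request is read.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        # New TLS connection to the home server. Verify its chain against the
        # CA that issued the home server's certificate and check the hostname
        # (SNI) so the proxy cannot be pointed at an impostor backend.
        proxy_pass https://home.internal:8443;
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/home-ca.crt;
        proxy_ssl_name                 home.internal;
        proxy_ssl_server_name          on;

        # Forward the authenticated client identity as a header so the home
        # server can log or authorize on it without re-parsing the certificate.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header Host         $host;
    }
}
```

Note that this proxy still terminates TLS and sees the plaintext, exactly the property the thread objects to in Cloudflare Tunnels; it only avoids that concern if the proxy host is one you control yourself.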