Saturday, January 10, 2026

 # Thoughts Regarding TLS in Yggdrasil and Mycelium Networks | DevZone



September 1



*Internet version of my publication for the site of the local community of alternative networks administrators.*


In the overlay-network community it is more or less taken for granted that if node keys are permanent and the links between nodes are protected by TLS, then an additional TLS (SSL) layer at the application level is not needed. Lately, however, I have started to doubt this.


## Key Compromise


In networks like [Yggdrasil](https://devzone.org.ua/post/yggdrasil-mereza-z-detsentralizovanym-routynhom) / [Mycelium](https://github.com/threefoldtech/mycelium), generating a key pair costs nothing (there is no proof of work or registration behind it), and the node address is derived from only part of the public key, so a collision is theoretically possible, though very unlikely. For that reason it is recommended to use a node's main address rather than its /64 subnet, which encodes even fewer key bits; the developers plan to remove subnets but have not yet done so, and they remain convenient for shared hosting. None of this rules out a copy of a private key being extracted, accidentally or deliberately, given the potential capabilities of the crypto industry; the only question is whether a supercomputer is worth spending on the task, which depends on how many users these networks attract and how wealthy they are. Routing is a natural target for such an attack, because the spanning tree is built from peer IDs by a fixed algorithm.
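
To make the "main address versus subnet" point concrete, here is an added example (not code from this post or from the Yggdrasil project) that reimplements the address derivation as I read it from Yggdrasil's `address` package: a prefix byte, a byte holding the count of leading 1 bits of the inverted ed25519 public key, then the key bits that follow the first 0. It then uses the birthday bound to compare how many keys one would have to generate before two of them share an address versus a /64 subnet. The keys used are constructed stand-ins rather than real ed25519 keys, and the derivation should be checked against the project's own code before being relied on.

```python
"""Added example: Yggdrasil address / subnet derivation and the collision budget.
Independent reimplementation of the scheme as read from the project's address
package; not the project's code.  Keys below are constructed stand-ins."""
import ipaddress
import math

PREFIX = 0x02        # 200::/7 address space; subnets set the low bit: 0x03 -> 300::/8
ADDRESS_KEY_BITS = 14 * 8   # a node address carries 112 bits of key material
SUBNET_KEY_BITS = 6 * 8     # a /64 subnet prefix carries only 48 bits


def _ones_and_body(pubkey: bytes):
    """Invert the key, count its leading 1 bits, drop them and the first 0,
    and pack the remaining bits into bytes (a trailing partial byte is dropped)."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte ed25519 public key")
    bits = [((b ^ 0xFF) >> shift) & 1 for b in pubkey for shift in range(7, -1, -1)]
    ones = 0
    while ones < len(bits) and bits[ones] == 1:
        ones += 1
    if ones > 127:
        raise ValueError("leading-ones count does not fit into the scheme")
    rest = bits[ones + 1:]          # skip the leading ones and the terminating zero
    body = bytearray()
    for i in range(0, len(rest) - 7, 8):
        byte = 0
        for bit in rest[i:i + 8]:
            byte = (byte << 1) | bit
        body.append(byte)
    return ones, bytes(body)


def address_for_key(pubkey: bytes) -> ipaddress.IPv6Address:
    """Node address: prefix byte, ones count, then 14 bytes (112 bits) of key."""
    ones, body = _ones_and_body(pubkey)
    return ipaddress.IPv6Address(bytes([PREFIX, ones]) + body[:14])


def subnet_for_key(pubkey: bytes) -> ipaddress.IPv6Network:
    """Routed /64: prefix|1, ones count, then only 6 bytes (48 bits) of key."""
    ones, body = _ones_and_body(pubkey)
    prefix = bytes([PREFIX | 1, ones]) + body[:6]
    return ipaddress.IPv6Network((int.from_bytes(prefix + bytes(8), "big"), 64))


def expected_keys_for_collision(key_bits: int) -> float:
    """Birthday bound sqrt(pi/2 * 2^n): keys to generate before two are expected
    to share the same n-bit address field.  The ones-count byte adds only a bit
    or two of entropy and is ignored, so this is a slight underestimate."""
    return math.sqrt(math.pi / 2 * 2.0 ** key_bits)


if __name__ == "__main__":
    # constructed key: 0x1F followed by 31 zero bytes (inverted: 0xE0, then 0xFF...)
    key = bytes([0x1F]) + bytes(31)
    print(address_for_key(key))     # 203:fff:ffff:ffff:ffff:ffff:ffff:ffff
    print(subnet_for_key(key))      # 303:fff:ffff:ffff::/64
    print(f"{expected_keys_for_collision(SUBNET_KEY_BITS):.3g} keys for a subnet collision")
    print(f"{expected_keys_for_collision(ADDRESS_KEY_BITS):.3g} keys for an address collision")
```

The numbers are the whole argument: roughly 2^24 (about twenty million) cheaply generated keys are expected to produce two nodes with the same /64 subnet, whereas an address collision needs on the order of 2^56. The first is within reach of a laptop, the second is not, which is exactly why the main address, not the subnet, is the thing to rely on.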


## Double Layer


Technically, the Yggdrasil transport takes on the job of encrypting traffic even where that may not be necessary, for example:


- to save electricity and CPU time when forwarding large media files

- when a TLS / HTTPS layer is already applied at the application level, to prevent interception of logins and passwords or simply to keep GET requests confidential as they pass through proxies


A practical example: the [Gemini](https://devzone.org.ua/post/protokol-gemini-iak-alternatyva-http) protocol requires TLS on every connection, because it was designed to be protected on the open Internet, but I use it inside Yggdrasil, which is not where its author intended. For that reason I switched for a while to the [Nex](https://devzone.org.ua/post/protokol-nex-lehka-alternatyva-gemini) alternative, which does not use TLS, but later realised that some data may still need a certificate, so what I actually want is the good old HTTP+HTTPS model: plaintext by default and TLS on the sensitive forms.


If sensitive data is sent from the client to the server, then in my opinion it is worth using a TLS certificate as a safeguard; but the router has already "taken care" of everything, and that only creates unnecessary problems. Before relying on the router's encryption, it is also worth checking exactly what it protects: a flow end to end, or only the link between adjacent peers.


## Certification in Local Networks


Because these networks are isolated, obtaining a publicly valid certificate for a Yggdrasil host, for example from Let's Encrypt, is a problem: the host is not reachable from the Internet for an HTTP-01 challenge, and names that exist only inside the network cannot be validated at all (a DNS-01 challenge can still issue a certificate for a public domain name, but that does not help with purely internal names). The Gemini protocol, on the other hand, does not use certificate authorities at all. Instead it applies the [TOFU](https://en.wikipedia.org/wiki/Trust_on_first_use) principle: the client pins the server's certificate on first contact and raises an alarm if it changes later, so an interceptor has to be in place from the very first connection; the risk is concentrated there rather than spread over time, and a later substitution is detected when the pinned certificate no longer matches. I have even thought about running an internal certification authority for the network, why not; and why not even make such a service paid?
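
What the TOFU check in a Gemini-style client actually does is short enough to show in full. The following is an added example, not part of the original post and not taken from any Gemini client: it pins the SHA-256 fingerprint of the server's DER certificate per host and port, reports a first contact, a match, or a mismatch, and shows how the pin store is loaded and saved. The host name `example.ygg` and the store file name are assumptions, and the certificate bytes are constructed stand-ins for real DER certificates so the pinning logic runs offline; `fetch_peer_cert` is how a client would obtain the real DER bytes but is not exercised here.

```python
"""Added example: trust-on-first-use certificate pinning as a Gemini client does it.
Not from the original post or from any Gemini implementation; example.ygg and the
known-hosts file name are assumptions, certificate bytes are constructed stand-ins."""
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path

GEMINI_PORT = 1965   # Gemini's default port


def cert_fingerprint(der_cert: bytes) -> str:
    """The pin: SHA-256 over the DER-encoded certificate."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


def fetch_peer_cert(host: str, port: int = GEMINI_PORT) -> bytes:
    """Fetch the server's leaf certificate in DER form.  CA validation is switched
    off on purpose: under TOFU the pin store is the trust anchor, so tofu_check()
    must be run on the result before any request is sent over the connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def tofu_check(known_hosts: dict, host: str, port: int, der_cert: bytes) -> str:
    """Return "new" (first contact, pin recorded), "ok" (pin matches) or
    "mismatch" (certificate changed: refuse until confirmed out of band)."""
    key = f"{host}:{port}"          # pins are per host AND port, like SSH known_hosts
    fingerprint = cert_fingerprint(der_cert)
    pinned = known_hosts.get(key)
    if pinned is None:
        known_hosts[key] = fingerprint
        return "new"
    if hmac.compare_digest(pinned, fingerprint):
        return "ok"
    return "mismatch"


def load_known_hosts(path: Path) -> dict:
    """Pin store on disk (assumed layout: a JSON object of host:port -> pin)."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_known_hosts(path: Path, known_hosts: dict) -> None:
    path.write_text(json.dumps(known_hosts, indent=2, sort_keys=True))


def demo() -> list:
    """First contact, a repeat visit, then a changed certificate."""
    cert_a = b"constructed DER stand-in: server certificate A"
    cert_b = b"constructed DER stand-in: server certificate B"
    known_hosts = {}
    return [
        tofu_check(known_hosts, "example.ygg", GEMINI_PORT, cert_a),   # "new"
        tofu_check(known_hosts, "example.ygg", GEMINI_PORT, cert_a),   # "ok"
        tofu_check(known_hosts, "example.ygg", GEMINI_PORT, cert_b),   # "mismatch"
    ]


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the last call: a legitimate certificate rotation and a man-in-the-middle look identical to the client, both are a "mismatch". That is why a TOFU service has to announce a new fingerprint out of band (on its own page, in a chat, in a signed message) before rotating, and why the client must refuse rather than silently re-pin.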


## Conclusions


When and how exactly to encrypt data should be decided by the user or the network administrator, for those streams and data that need it. Yggdrasil and Mycelium instead do it "voluntarily-compulsorily", like much other newfangled software carrying the label "absolutely secure". Modern software whose developers compete for the right to be called "protected" resembles a cryptographic cabbage: layer upon layer, with a net security gain of before == after.


It has started to annoy me when someone decides something for me where nobody asked them. Marketing is marketing and slogans are slogans, but experienced users leave because of this kind of discomfort, and tourists never stay anyway.


My other conclusion is that effective network solutions were invented half a century ago by post-war specialists who had to survive rather than run commercial experiments, and nothing fundamentally new has been invented since. Perhaps the next breakthrough will be quantum data transmission, not this nonsense: automatically laying a route through probably compromised nodes while encrypting tons of garbage that passes through them.


##### p.s.