Synology apps HTTP access over the internet

Short question: is it safe to access Synology apps such as Photos and Audio Station over the internet using QuickConnect while the HTTPS-box is unchecked?

If not safe, why do these apps even have a checkbox for HTTPS?

HTTPS is safer. The checkbox is there because people can choose what they want. There always can be a reason beyond our comprehension to select something less obvious.


Thanks.

I could’ve been more specific: what I’m really wondering is if I “broadcast” my username and password to the internet, if I connect to Synology Photos or Audio Station from my phone without checking the HTTPS box?

Or does QuickConnect use some magic to prevent this?

Nothing QuickConnect can do. If you see http://, the data will not be encrypted between your browser and the server it connects to. There could be some obfuscation or other techniques that PhotoStation or other Synology services might have implemented, but you can assume that HTTP is just not secure. It is safe to use only if you are connecting to a machine on the local network, and you trust the network, or if you manage the encryption elsewhere (like using a VPN).


Do you recommend not forwarding port 5000 in the router?

I read on the Synology website (linked) that it’s recommended to forward both port 5000 and 5001 for better connectivity.

You should minimize port forwards. Unless there is a specific need for HTTP forwarding, it should not exist.

BTW, these are default ports for NAS setup, and both should be changed from within Control Panel.
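
A check for the port-forwarding advice above, as an added example that is not part of the original thread: it sends one unencrypted request to a port and reports whether the port serves content over plain HTTP, redirects to HTTPS, or gives no usable answer. The local demo servers and the host name `nas.example` are constructed; to audit a real setup, call `probe_plain_http` from outside your network against your own public address and each port you forward (5000 and 5001 are the defaults named in the thread).

```python
import http.client
import http.server
import threading

REDIRECT_CODES = (301, 302, 303, 307, 308)

def probe_plain_http(host, port, timeout=3.0):
    """Send one unencrypted GET and classify how the port answers.

    Returns 'closed', 'not-http', 'redirects-to-https', 'cleartext' or 'error-<status>'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
    except http.client.HTTPException:
        return "not-http"   # something listens but does not speak plain HTTP (e.g. TLS only)
    except OSError:
        return "closed"     # refused, filtered, reset or timed out
    finally:
        conn.close()
    location = resp.getheader("Location") or ""
    if resp.status in REDIRECT_CODES and location.lower().startswith("https://"):
        # The first request was still unencrypted, but the login happens over HTTPS.
        return "redirects-to-https"
    if resp.status < 400:
        return "cleartext"  # content, and any login sent here, travels unencrypted
    return f"error-{resp.status}"

def start_demo_server(status, location=None):
    """Constructed stand-in for a NAS web port, bound to 127.0.0.1 on a free port."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the demo quiet
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    plain = start_demo_server(200)
    redirecting = start_demo_server(301, "https://nas.example:5001/")
    for name, srv in (("plain HTTP port", plain), ("redirecting port", redirecting)):
        print(name, "->", probe_plain_http("127.0.0.1", srv.server_address[1]))
```

A forwarded port that reports `cleartext` is one where a login would cross the internet unencrypted; `closed` is the result you want for any HTTP port you did not mean to expose.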

You should take a look at the recent video Will made on Cloudflare Tunnels. They are much more secure than port forwarding, and faster than QuickConnect. They also hide your home IP address, which I’m not so eager to broadcast.

CF tunnels come with restrictions, and it is questionable that they are more secure than HTTPS using forwarded ports.

It should also be understood that all traffic with the CF tunneling servers is unencrypted.

HTTPS access is recognized as “secure”. Need a greater level? Then VPN.

This is only partially correct. Let’s assume you want to proxy an unencrypted service running in your local network. Since you’d be running cloudflared in the same network, the only unencrypted traffic is within your LAN, and nothing unencrypted goes to the Internet. CF does not even support unencrypted tunnels, so there’s no way you can transmit unencrypted traffic.

This said, it is true that Cloudflare sees your traffic, but no man-in-the-middle can see anything unencrypted (i.e. your ISP). It’s a matter of risk appetite: I prefer to keep my network fully stealth and have no ports whatsoever open to the Internet. I use Tailscale for services that I consider sensitive, but for simple sharing CF tunnels are acceptable to me.