1. 22
    1. 6

      There is a nice upside to working with a small provider: the complete absence of caveats and bullshit. I host a bunch of stuff with (edit: erm, a small hosting vendor – not sure if it’s okay to post the link here after all?) and it’s super refreshing:

      • When something says 6.99 EUR or whatever, it’s really 6.99 – no tiny-font, low-contrast popover that tells you it’s actually 6.99 EUR for the first month and then it’s really 9.99.
      • Competent customer support with straightforward services. “Lower resources” might mean that the best response time you get from a small provider is worse than the best response time you get from Big Cloud. But whenever I have a problem, it takes less time to have it resolved than it takes me to pet all the chat bots and get to pester a human being at $bigprovider.
      • No half-assed, semi-automated, leaky services. Presumably, large companies can afford to keep poorly-paid, high-turnover staff to keep ancient services sort of working, but small companies don’t, so most of the time, if they have something in their portfolio, it works like a charm modulo available resources.
      • No spam. At one point Godaddy sent me eight (!!!) emails in a single day, even though I carefully clicked the unsubscribe link in every single thing they sent me. I still get their emails even though I no longer host any domain with them.

      Overall it’s far less time-consuming than way more famous alternatives, and bear in mind that I routinely have to go through Google Translate because they’re a Swedish company and I don’t speak any Swedish. Hell I’ve never even been to Sweden. I don’t even know how I found out about them and why I have an account in the first place.

      Edit: I routinely go by this route with lots of things I do. E.g. for a long time I purchased all my computers from a small local shop (no sad story, the owner eventually got tired and sold it to a pretty big company, everyone got a fat bonus and promptly left). It was a little pricier (5-10% at most) and sometimes not as convenient (shipping was expensive so I usually had to pick things up). On the upside, I got warranty services pretty much on the spot, I don’t think I ever waited more than a day for anything, unless it literally required shipping new hardware from God knows where.

      I know small vendors are scary in a world of big companies but give it a try, you’ll be surprised!

      1. 3

        I totally agree that the pricing is way more attractive with the smaller players. It’s why I used Digital Ocean and Linode for my hobby projects.

        However I think the author’s point still stands: The smaller providers might not have the army of infosec professionals that the MegaCorps do, and if you’re auditing STRICTLY against security, that’s, like, a thing to be reckoned with IMO.

        1. 2

          Oh, absolutely, there’s all sorts of compliance, erm, activity I guess I might call it? that large vendors are way better at providing, and not just in security, even stuff like financial paperwork tends to be way less of a headache when there’s a whole department that has SOPs for it.

      2. 3

        I’d like to know what provider it was just for reference; DM me if you don’t want to post it openly? I had very similar experiences with a small hosting provider before they sadly had to close down and I meandered over to Linode. RIP Betaforce.

        1. 3

          You know, I think it’s fine to post it after all, I’m not affiliated with them in any way, they’re not that big, everything I said above applies to them but many other smaller vendors, and I think lobste.rs isn’t getting crawled anyway, so why the hell not: it’s inleed.net.

    2. 1

      Great article!

      One point stood out:

      > Unless you benefit from specific things that you can’t get from the big players, like customisability or the ability to use particular software, then I find this category a hard sell. Some folks value provider diversity, but for today’s analysis I’m taking a selfish view of your own security.

      Is this actually true? You cite Fastmail specifically. Are we then comparing it to something like GMail, or instead to hosting your own e-mail server?

      I ask only because Fastmail’s brand marketing heavily emphasizes user privacy and data security/integrity. It’s a small company with a ton of skin in the game and a reputation to protect. Am I actually safer keeping my data with a BigCorp than with a small company which, sure, may have fewer QA resources?

      Also, under the “Self Managed VPN” section:

      > This is starting to get seriously inconvenient. Every device that wants to connect to one of these services needs to be on the VPN, probably all the time. You might be tempted to take a shortcut and use unencrypted HTTP for your services but now you have the risk of being spoofed on a hostile network when your VPN is disconnected and sending your bearer token to an attacker in the clear. Credentials or certificates for the VPN must be managed, and what’s your plan for noticing if someone managed to steal some of those creds?

      Have you considered keeping your services locked up behind Tailscale but perhaps using something like CloudFlare Tunnel to provide https protected external access for at least those services you’re willing to expose to a modicum of risk?

      1. 2

        I’ve effectively lumped Fastmail into the same category as one person operating out of their garage, which isn’t very fair! They’ve hosted one of my domains for years and I’m confident they run a tight ship - I’m not aware of any incidents at least. My point was to compare with something like GMail. Imagine a world where Fastmail’s web UI wasn’t vastly better and more configurable than Google’s. All else being equal, it would be selfishly logical to keep your data with the biggest, scariest, most experienced operator. Still, there are plenty of other ways to differentiate and my “hard sell” comment is probably a bit too strong.

        > Have you considered keeping your services locked up behind Tailscale but perhaps using something like CloudFlare Tunnel

        It’s an interesting option! Personally if I was trying to gain security through self-hosting I wouldn’t want to use Cloudflare for TLS termination, but others might. You make a good incidental point that you can choose different approaches for different individual services.

        1. 1

          > It’s an interesting option! Personally if I was trying to gain security through self-hosting I wouldn’t want to use Cloudflare for TLS termination, but others might. You make a good incidental point that you can choose different approaches for different individual services.

          Like anything, it depends on the nature of the service you’re exposing, right?

          I’ve currently got a Miniflux RSS reader set up on my LAN that I’d like to expose the webserver port of to the outside world with https so it can have a publicly resolvable FQDN so I could integrate with commercial services.

          I know I could go through the hassle of setting up a Wireguard tunnel to expose the endpoint, but then I’m opening holes in my NAT, and CloudFlare tunnels do NAT traversal.

          So like everything else it’s a cost/value/convenience calculation :)

          Anyway, thanks for the great article. It’s a neat thought experiment.