How Pluggie's encryption actually works

When you install Pluggie as a Home Assistant app or a Docker container, the very first thing it does is generate a TLS private key on your device. That key never leaves your machine. It is used to obtain a Let's Encrypt certificate — also stored locally — and to terminate all TLS connections directly on your hardware.

Pluggie's relay servers sit in the middle of the connection between your device and your browser. But from a TLS perspective, they are transparent: they forward encrypted bytes without being able to read them. The TLS handshake happens directly between your browser and your local Pluggie instance. Our servers never see plaintext.

🔒 Pluggie: relay sees only ciphertext
🌍 Your Browser → 🔒 TLS encrypted → ☁️ Pluggie Relay (forwards encrypted bytes, cannot read them) → 🔒 still encrypted → 🏠 Your Device (TLS terminates here; only your device decrypts)

⚠️ Cloudflare Tunnel: traffic decrypted at the edge
🌍 Your Browser → 🔒 TLS encrypted → ⚠️ Cloudflare Edge (TLS terminates here; traffic is readable) → 🔓 re-encrypted to device → 🏠 Your Device

This is a meaningful architectural difference from services like Cloudflare Tunnel, where TLS terminates at Cloudflare's edge — meaning Cloudflare genuinely can read your traffic. With Pluggie, the relay sees only ciphertext.

So what are the limits of end-to-end encryption?

Both Pluggie and Nabu Casa show a green checkmark for end-to-end encryption in our comparison table. But we think you deserve to know what that claim actually covers — and where its limits are.

The limitation is this: Pluggie operates the pluggie.net domain and its DNS. That means we could, in theory, issue a new TLS certificate for any *.pluggie.net subdomain through Let's Encrypt or any other CA, point that certificate to our relay server, and perform a man-in-the-middle attack on your connection.

This is not a Pluggie-specific weakness. It applies equally to:

⚠️ The honest summary

Pluggie's architecture does not give us routine access to your traffic. But it does not make MITM technically impossible. Your trust in Pluggie is ultimately trust in us as operators — not a cryptographic guarantee. The same is true of every tunnel provider that controls your domain or DNS.

What would it take for us to intercept your traffic?

To be specific about what "theoretically possible" actually requires on our end:

  1. We would need to issue a new certificate for your subdomain through a certificate authority
  2. We would need to modify our relay to perform active TLS termination and re-encryption for your specific tunnel
  3. We would need to do this without your device detecting it — which Pluggie's automated self-verification system is specifically designed to catch (more on this below)

This is not something that happens passively or accidentally. It would require deliberate, targeted action against a specific user. The architecture actively prevents passive surveillance of all users at once.

Our commitment as operators

🔒 Pluggie's Privacy Commitments

  • We do not inspect, log, or store your traffic. Our relay forwards encrypted bytes. We have no infrastructure built to do otherwise.
  • We will not perform MITM attacks on users. Not for advertising, not for analytics, not for any commercial reason.
  • We will only act on your data if compelled by a valid legal order from UK law enforcement or a competent court — and even then, what we could provide is limited to connection metadata (timestamps, IP addresses, data volumes), not traffic content, because we genuinely do not have access to it.
  • If we ever receive such an order, we will inform affected users to the maximum extent permitted by law.
  • We will never voluntarily cooperate with surveillance programmes or provide bulk access to any government or third party.
  • We have implemented verifiable certificate fingerprinting — you can confirm that the certificate your browser sees matches the one generated on your device, making any MITM detectable. This is visible in the Pluggie web dashboard, Home Assistant app sidebar, and Docker local UI.

How to verify us

A promise is only as good as the ability to verify it. Here is what Pluggie provides:

Manual verification

Check the TLS certificate your browser presents when you connect to your Pluggie tunnel. In any browser, click the padlock icon → "Certificate" → view the fingerprint. This certificate was generated on your device. If Pluggie were performing MITM, the certificate would be different — issued by a different CA or with a different key fingerprint.

Compare that fingerprint against what your Pluggie app or container reports locally. They should match exactly.

Automatic verification

The Pluggie dashboard, Home Assistant app sidebar, and Docker local UI now display an active encryption integrity status. You can verify at a glance that your connection is secure and that the certificate your browser sees matches the one generated on your device.

On top of the visual indicator, Pluggie has deployed automated self-verification. The Pluggie app periodically makes a test connection to itself through the relay — exactly as your browser would from the internet — and compares the certificate fingerprint it receives against the locally-generated one. If the fingerprints don't match, it means someone has intercepted the connection and replaced the certificate. The app immediately flags this in the UI, so you know your connection has been compromised without having to do anything manually.

This mechanism runs continuously in the background. It doesn't rely on you remembering to check — it checks for you and alerts you proactively.
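The fingerprint comparison described under manual and automatic verification can be reproduced independently. The following is an added example, not Pluggie's own code: it hashes the certificate held on the device and the one served through the relay and reports whether they match. The function names, the stand-in byte strings and the way the local certificate is supplied (as a PEM string) are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Leaf certificate seen when connecting from outside, through the relay.

    Chain validation stays on: a certificate that fails it is already an alarm.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(local_pem: str, served_der: bytes) -> dict:
    """Compare the certificate stored on the device with the one that was served.

    A substituted certificate can chain to a trusted CA and still be caught
    here, because its fingerprint differs from the locally held one.
    """
    local_fp = fingerprint(ssl.PEM_cert_to_DER_cert(local_pem))
    served_fp = fingerprint(served_der)
    return {"local": local_fp, "served": served_fp, "match": local_fp == served_fp}


# Constructed stand-ins so the comparison runs offline; these bytes are not
# real certificates. In use, served_der comes from fetch_served_der(<your
# tunnel hostname>) and local_pem from the certificate file on the device.
DEVICE_DER = b"constructed stand-in: certificate generated on the device"
SUBSTITUTED_DER = b"constructed stand-in: certificate issued by someone else"
LOCAL_PEM = ssl.DER_cert_to_PEM_cert(DEVICE_DER)

if __name__ == "__main__":
    for label, served in (("untampered", DEVICE_DER), ("intercepted", SUBSTITUTED_DER)):
        result = compare(LOCAL_PEM, served)
        print(label, "OK" if result["match"] else "MISMATCH", result["served"])
```

The certificate fingerprint changes at every renewal, so the comparison must always use the certificate currently stored on the device rather than a value recorded earlier.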

✓ What this means in practice

With automated self-verification live, any MITM attack against a Pluggie user triggers an immediate alert from their own device. This moves the trust model from "trust us" to "verify us" — which is exactly where we want to be.

How does Pluggie compare to the alternatives?

Cloudflare Tunnel terminates TLS at Cloudflare's edge. They can read your traffic. This is not a theoretical possibility — it is how the product works architecturally. It is a trade-off many are comfortable making; just understand what you are accepting.

Nabu Casa has a very similar architecture to Pluggie — they also generate SSL certificates on your device and relay encrypted traffic through a proxy server that never decrypts your data. They share the same theoretical MITM capability via domain control and have been transparent about it. Nabu Casa offers a manual certificate fingerprint comparison for verification, and has mentioned exploring automatic Certificate Transparency auditing, though this has not yet been implemented.

Tailscale uses WireGuard, which provides genuine end-to-end encryption where MITM by the operator is cryptographically impossible — but it requires the Tailscale client on every device that accesses your services, making it a VPN rather than a web-accessible tunnel. Tailscale's coordination servers also handle key exchange and metadata.

Homeway is a community-funded remote access service for Home Assistant. Homeway's security documentation describes a relay architecture where requests are tunneled through their servers to your device. Their security model is based on two-factor authentication rather than end-to-end encryption — meaning their relay infrastructure can technically access the traffic passing through it.

Self-hosted solutions (your own VPS with WireGuard, your own Cloudflare-equivalent) remove the operator trust problem entirely — but require significant networking knowledge and ongoing maintenance. Pluggie exists precisely for people who want strong privacy without that complexity.

Why we are writing this

We could have slapped an unqualified "End-to-End Encrypted" label on our comparison table and most visitors would not have questioned it. We chose to go further — to explain where the limits are, what we've built to make interception detectable, and what you should ask of any provider making similar claims.

The people who use Pluggie tend to care deeply about privacy. They run Home Assistant instead of cloud-dependent smart home platforms. They self-host Nextcloud instead of Google Drive. They think carefully about what data leaves their home network and where it goes.

Those users will eventually ask these questions. We would rather answer them proactively and accurately than be caught overstating our privacy properties. Trust built on accurate information is durable. Trust built on marketing language is not.

📬 Questions or feedback?

If you have technical questions about Pluggie's encryption model, or if something in this post is inaccurate or unclear, please reach out at support@pluggie.net. We will update this post as our architecture evolves.