Hacker News new | past | comments | ask | show | jobs | submit login

I think that is excessively negative take. Tailscales value proposition is also "you can connect to your network wherever you are, safely, and others cannot". That does not go away because of IPsec.



Network- and location-based security is ultimately unworkable. It’s like if you, in order to work, had to go to a ”virtual office” to even send mail to your colleagues. Mail, and related internet-enabled services, should be accessible from anywhere, and be secured at the end points, not at the network layer. (Most attacks are internal, anyway.)


Most people do need to be on a VPN or in an office to work. That's entirely normal, and makes sense even if you also require authentication for applications.


Why should you have access to the SSH host for my pie?

Or, more to the point, the server that I use to run my RSS feed reader?

Or my NAS?

Tailscale makes these more secure and more accessible for me. They are never meant to have the world access them.

Now for email and a few other things, sure, their nature is that they need to access the world.


> Why should you have access to the SSH host for my pie?

Because that is how the internet is meant to work. It is an end-to-end network. If SSH would not be secure enough to handle this, it would need a secure replacement.

> Or my NAS? […] They are never meant to have the world access them.

What is a NAS, if not a Network-Attached Storage, i.e. meant to be accessed from the network? The concept of a ”local”, ”secure” network is a dangerous illusion. Embrace ”zero trust” networking.


> Because that is how the internet is meant to work.

No. The "internet" is literally the "inter-network", a way to connect private networks between each other.

The fact that VPN technologies sit behind proprietary corporate intellectual property is not by design, it is a failure of the internet standardization process as it was gamed by corporate interests.


No, network- and location-based security is a necessary and indispensable layer in your security stack.

> should be accessible from anywhere, and be secured at the end points, not at the network layer

If you're not securing at both the network layer and the endpoints, then you have utterly failed security and you need to go sit in the dunce corner.


secured at the endpoints yes... I would argue you can go one step further, doing it at the application level. This is what we built (and open sourced) with OpenZiti (https://openziti.io/), the ability to embed an overlay network, built on zero trust and deny by default principles, directly into the app as part of the SDLC.

If you do this, your application has no listening ports on the WAN, LAN, or host OS network and thus cannot be attacked from the external network/IP.

The asymmetry of risk now favours the defender, not attacker. Oh, plus we also have pre-built tunnelers for endpoints if you cannot do app embedded.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: