Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 62 comments
1. pilif ◴[] No.31260250[source]
With such a huge investment comes the obligation to eventually pay it back. Is this another one of my favourite tools going the way of Dropbox, 1Password and all other companies that were formed around what should be a platform feature, which took on way too large investment sums and were eventually forced to become the everything, losing sight of their core values?

I sincerely hope not, but there's so much bad precedent.

replies(6): >>31260318 #>>31260351 #>>31260537 #>>31260737 #>>31261295 #>>31264059 #
2. gowld ◴[] No.31260318[source]
> should be a platform feature

OK, but it's not. Now what? Do we just live without until the platform overlords provide it, or does someone build it on top of the platform?

What even is the "platform", when my Android phone is connecting to my iPad and my Windows laptop and Linux desktop and Amazon cloud server?

$100M = ~$0.20 / computer user in US and western Europe (wealthy countries in connected software markets)

3. Lightbody ◴[] No.31260351[source]
I haven't really felt like 1Password's product materially strayed from the original mission. If anything, I'm even more delighted with the team functionality, shared vaults, quick keyboard access in 1Password 8, etc.

I wouldn't put them in the Dropbox bucket.

Also, I think the value Tailscale provides is fairly unique and far from obviously a platform feature like file storage and perhaps even password management.

replies(6): >>31260433 #>>31260530 #>>31260675 #>>31262463 #>>31263786 #>>31267931 #
4. xyzzy_plugh ◴[] No.31260433[source]
Indeed, 1Password is practically a utility at this point, as far as I'm concerned. I really like the direction they're heading and they're solving some pretty tricky problems without compromising on security, predominantly in the enterprise domain. The experience is the same regardless of whether you're an enterprise user or a personal or family user. It's polished enough that my grandma can use it.
replies(3): >>31260486 #>>31260559 #>>31260711 #
5. alberth ◴[] No.31260486{3}[source]
> I really like the direction [1Password] is heading

I thought customers were complaining loudly against their new direction of making 1Password an Electron app. Is that not the case?

Note: I'm not a 1Password customer.

replies(8): >>31260579 #>>31260772 #>>31260840 #>>31261642 #>>31262108 #>>31264572 #>>31266473 #>>31268413 #
6. nikanj ◴[] No.31260530[source]
It's been [0] days since the last time 1Password randomly bombarded me with an "Upgrade to 1Password subscription today" dialog. Not talking about the banner in the corner of the app. This was a dialog that had to specifically be dismissed.
7. YPPH ◴[] No.31260537[source]
How has 1Password lost sight of its core values?

Perhaps you refer to loss of local vaults? If so, they were never really a viable option for me - I needed the app syncing across multiple devices, including mobile, and doing so with a third party sync solution wasn't suitable.

replies(2): >>31261102 #>>31261681 #
8. throwaway894345 ◴[] No.31260559{3}[source]
Fully agree. I'm a very happy 1Password customer, and I rarely praise software.
9. throwaway894345 ◴[] No.31260579{4}[source]
I heard some people complaining a bit for a moment when they made the transition, but that happens anytime anyone changes anything and doubly so when that change is Electron. But that faded quickly.
replies(1): >>31261253 #
10. _ktx2 ◴[] No.31260675[source]
1Password went from being buy once upgrade forever to SaaS. A lot of folks bought back when that was the package (and business model) so it's viewed relatively negatively here from some folks. I don't blame them, but also, I think 1Password is a success. I just don't think they'd have been viable under their original business model.
replies(2): >>31264717 #>>31266360 #
11. MrStonedOne ◴[] No.31260711{3}[source]
1Password took away the ability to have offline vaults, so I don't know how you can say they didn't compromise on security, since they cut off the most secure way you can store your vault chasing the solving of the tricky problem of monetizing a key value store.
12. oicU00 ◴[] No.31260737[source]
It’s a basic web UX over a built in Linux kernel feature

There are Docker containerized apps that manage Wireguard too

Maybe contribute to one and fret less about behavior of VC funded business and wondering if they’re actually respecting your privacy to accomplish finance goals

replies(2): >>31261433 #>>31265555 #
13. dimgl ◴[] No.31260772{4}[source]
I didn't even notice... 1Password is great. There are some minor issues here and there but it always feels like they very quickly patch it up.
14. jchw ◴[] No.31260840{4}[source]
Modern 1password using Electron is sad in some respects, but hardly surprising. Even people who use Electron hate Electron. The real differentiating factor is those who understand why.
15. criddell ◴[] No.31261102[source]
For me, it was their switch to an Electron app. "High security" and "built from dozens of third party libraries and running on a browser" don't belong together.
replies(2): >>31261528 #>>31264784 #
16. mmcclure ◴[] No.31261253{5}[source]
I...don't think it's faded. I could totally be wrong here, but I don't think they'd actually made a transition yet; the complaining you're talking about was over the 1Password 8 beta. That actually just went GA this week, and people were still upset.

I get why they're doing it (or, at least, think I do), and I'm not angry enough to go get angry on Twitter, but I am going to avoid the upgrade for as long as I can. That's kind of a bummer to get there with a product you've historically really liked.

replies(1): >>31261423 #
17. ramraj07 ◴[] No.31261295[source]
Dropbox has been fine ish? Like not stellar but it’s still something I use as one of my core tools and pay for.
replies(1): >>31262186 #
18. throwaway894345 ◴[] No.31261423{6}[source]
Honestly I haven't noticed and I use 1Password on all of my devices every day. I heard some grumblings about 1Password changing to electron months ago and just assumed that they already made the transition. In whatever case, I haven't heard a peep until this thread. I don't like electron in theory and the industry should collectively come up with a solution that incentivizes app developers away from electron rather than hoping they swim against the current of incentive.
replies(1): >>31262019 #
19. shepherdjerred ◴[] No.31261433[source]
It handles a lot more than that, right? It does all of the key distribution and rotation which is a pain.
replies(1): >>31261583 #
20. YPPH ◴[] No.31261528{3}[source]
The choice of tech stack for a desktop application seems like an interesting basis to claim a company has lost touch with its core values.
replies(2): >>31261866 #>>31262119 #
21. oicU00 ◴[] No.31261583{3}[source]
If they can do it it’s not impossible (they’re just people after all).

With an open source implementation out there, anyone can do it merely pulling a Docker container, and without paying Tailscale.

Regardless I manage a dozen users with no issue using Embark's container; once they're set up I touch nothing.

Paying people is not working with people; it’s working with a specific group. Open source is working with people.

replies(3): >>31262932 #>>31264792 #>>31264813 #
22. sleepybrett ◴[] No.31261642{4}[source]
Removing the ability to use it in a non-saas (local vaults, vaults shared by other syncing solutions) capacity is what drove the final nail into the 1password coffin for me. I can't trust that they don't hold master keys to all the vaults on their saas offerings.

The swap from native to electron on macos was hugely disappointing but something I could have probably lived with if they hadn't gone full saas no alternative.

replies(2): >>31265678 #>>31298817 #
23. sleepybrett ◴[] No.31261681[source]
> ... and doing so with a third party sync solution wasn't suitable.

why not?

More importantly why was it necessary to remove the local vaults feature (I don't need it to integrate with any particular 3rd party syncing solution, I can handle that myself without any features from them) entirely?

24. smilespray ◴[] No.31261866{4}[source]
Moving from a native app to an Electron-based one has a definitive impact on usability. Calling it a tech stack choice is a bit dismissive.

They used to have a kick-ass Mac app. That appealed to a considerable amount of their users. Then they ditched the native app for Electron, and those same users were disappointed.

replies(1): >>31264024 #
25. skoskie ◴[] No.31262019{7}[source]
You might double check which version you’re on. Might still be on v7.

> the industry should collectively come up with a solution that incentivizes app developers away from electron rather than hoping they swim against the current of incentive.

They have the financial resources to build it in ~Rust but still chose electron. It’s a mind boggling decision.

replies(1): >>31262610 #
26. davidwparker ◴[] No.31262108{4}[source]
Maybe technical customers who knew it was Electron. I knew, and don't really care. My wife doesn't even know what Electron is; everything is just another app to her.
27. skoskie ◴[] No.31262119{4}[source]
I’m fully in the camp who believes critical, top-level security should not co-exist with npm pulling dozens of 3rd party libraries which each pull even more 4th party code.

Is there anyone here with a counter argument? Has a security review been performed on each dependency? Any reason to think my fear is unfounded?

replies(1): >>31263976 #
28. skoskie ◴[] No.31262186[source]
Ditto, but the fact that they still can’t handle more than ~300k files is a long-standing problem they have yet to solve. I have close to a million syncing files and startup time for the app takes about 20 minutes on a brand new MBP, and CPU and overall energy usage is ridiculously high. All while they keep pushing me to backup more files.

I pay over $700/ yr for their business plan and would like to have better performance for it.

replies(1): >>31266737 #
29. prepend ◴[] No.31262463[source]
I think they changed from their mission to make password management easy and secure to extracting service fees forever.

I don’t necessarily blame them but think their decision was pushed along by the need for big money.

For example, I think they’d still be able to do the pay once model if they abstracted their storage to work with Dropbox/icloud/OneDrive/whatever.

There’s really no value add as a user for a monthly fee. Although lots of people don’t mind. I’d rather not pay for something as essential and simple as a synchronized, encrypted data blob. I literally replaced it with a Google doc and cutting and pasting more. A filter over Google docs does not require a monthly fee.

I have this problem with lots of SaaS products that could be software if they didn’t want or need lots of money.

replies(1): >>31267882 #
30. throwaway894345 ◴[] No.31262610{8}[source]
> They have the financial resources to build it in ~Rust but still chose electron. It’s a mind boggling decision.

Respectfully, I think you may misunderstand the company’s mission.

31. shepherdjerred ◴[] No.31262932{4}[source]
I haven't paid them a penny despite using their product for a while. And now that I've realized this, I've signed up for their personal pro plan.
32. biohax2015 ◴[] No.31263786[source]
1Password is a phenomenal product. Idk what HN's obsession with ragging on it is about.
33. dcow ◴[] No.31263976{5}[source]
And what should replace it? Rust? Cargo? Oops. (I believe 1Password uses Rust for security-sensitive parts too, btw.) I'd genuinely like to know what the correct tech stack for a password manager is today because using the right one is important to my current endeavor.

Regardless at Uno we're working on a password manager with a native app and rust core. It's geared more towards everyday consumers than power HN users, but you might find it interesting. The rust core including api server is open source right now because that's one point where we diverge from 1P. Whatever tech stack you choose, it needs to be openly auditable so that the community can collectively ensure it remains secure. https://github.com/withuno/identity

34. dcow ◴[] No.31264024{5}[source]
Which functionality was removed by switching stacks? What is the actual usability impact? I currently use 1Password7 and haven't updated to 8 so I'd like to know before updating.
35. IceWreck ◴[] No.31264059[source]
Even if it does go away, you're not losing anything. Its functionality can be replicated with a USD 5 VPS using Slack's nebula (not wireguard based) or any wireguard based tool like headscale, innernet, netmaker or plain old wireguard.
36. st3fan ◴[] No.31264572{4}[source]
> I thought customers were complaining loudly against ...

No, you confuse "customers" with a vocal minority.

37. jjeaff ◴[] No.31264717{3}[source]
But is "buy once, upgrade forever" really a viable long term business model?
replies(2): >>31264757 #>>31271758 #
38. samhw ◴[] No.31264757{4}[source]
I dunno, but you ought to figure it out (for your business) before you make that offer!
replies(1): >>31266444 #
39. danenania ◴[] No.31264784{3}[source]
Electron actually offers some of the best dependency-isolation capabilities of any language/platform given that you can set a content-security policy and leverage Chrome's extremely robust sandboxing to prevent front-end dependencies from accessing the file system, making network calls to untrusted domains, making system calls, calling 'eval', etc.

A fully native app will offer you no such protection. If a dependency used for styling or animations or whatever is compromised, it will have total access to the system and be able to exfiltrate at will to any location. In Electron, the equivalent dependencies can instead run inside the CSP sandbox, preventing them from doing any serious harm.

Supply chain vulnerabilities also aren't unique to npm. Any project that uses dependencies (in any language) has the same issue.

replies(1): >>31267960 #
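
An added example, not part of the thread and not 1Password's or Electron's own code: a small auditor that checks whether a renderer's `webPreferences` and Content-Security-Policy actually enforce the three restrictions the comment above names (no file-system or system access, no network calls to untrusted origins, no `eval`). The function names, sample policies and `https://api.example.test` are constructed for illustration, and the check assumes the hardened `webPreferences` values must be set explicitly rather than left to version defaults.

```javascript
// Scope: renderer (web content) only. CSP does not apply to Node code that
// runs in Electron's main process.

// Parse a Content-Security-Policy string into { directive: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src and connect-src fall back to default-src when absent.
function effective(directives, name) {
  return directives[name] ?? directives['default-src'] ?? null;
}

function auditRenderer(webPreferences, cspHeader, trustedOrigins) {
  const findings = [];

  // File system / system calls: page scripts must not see Node APIs, must not
  // share a JS context with the preload script, and must run in the OS sandbox.
  if (webPreferences.nodeIntegration !== false) findings.push('node-integration');
  if (webPreferences.contextIsolation !== true) findings.push('no-context-isolation');
  if (webPreferences.sandbox !== true) findings.push('no-sandbox');

  const csp = parseCsp(cspHeader || '');

  // eval and injected script: governed by script-src.
  const script = effective(csp, 'script-src');
  if (script === null) {
    findings.push('script-src-unrestricted');
  } else {
    if (script.includes("'unsafe-eval'")) findings.push('eval-allowed');
    if (script.includes("'unsafe-inline'")) findings.push('inline-script-allowed');
  }

  // Exfiltration via fetch/XHR/WebSocket: governed by connect-src.
  const connect = effective(csp, 'connect-src');
  if (connect === null) {
    findings.push('connect-src-unrestricted');
  } else {
    const keywords = new Set(["'self'", "'none'"]);
    for (const src of connect) {
      if (!keywords.has(src) && !trustedOrigins.includes(src)) {
        findings.push('untrusted-connect:' + src);
      }
    }
  }
  return findings;
}

// Constructed sample configurations.
const TRUSTED = ['https://api.example.test'];
const HARDENED = {
  prefs: { nodeIntegration: false, contextIsolation: true, sandbox: true },
  csp: "default-src 'none'; script-src 'self'; style-src 'self'; " +
       "connect-src 'self' https://api.example.test",
};
const WEAK = {
  prefs: { nodeIntegration: true, contextIsolation: false },
  csp: "default-src 'self' 'unsafe-eval'; connect-src *",
};

console.log('hardened:', auditRenderer(HARDENED.prefs, HARDENED.csp, TRUSTED));
console.log('weak:', auditRenderer(WEAK.prefs, WEAK.csp, TRUSTED));
```
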
40. ◴[] No.31264792{4}[source]
41. samhw ◴[] No.31264813{4}[source]
If the open source implementation is equally good, I'm sure people will use that instead of Tailscale. That Tailscale exists makes me suspect that the open source implementation - as is usually the case with these "just use curlftpfs!" comments – is not equally good.

The reality is that making software, like any other human endeavour, takes time and energy. Paying one another money is a rather well-established mechanism of rewarding and incentivising that time and energy (since not everyone wants to work free of charge to make and maintain software for you, out of the goodness of their hearts, no matter how much you insist that you're owed their unpaid labour).

There are small and local means of getting free food, or free woodworking, etc, but the general reality is that a high-quality high-dependency maintained product, over the long term, is more feasible when it's paid.

replies(2): >>31265858 #>>31278017 #
42. airstrike ◴[] No.31265555[source]
"It's just FTP with curlftpfs and SVN"
43. SparkyMcUnicorn ◴[] No.31265678{5}[source]
> I can't trust that they don't hold master keys to all the vaults on their saas offerings.

So you think they could be lying about their fundamental selling point, and hiding it in all of their audits? Personally, I'd trust them more than Apple/Google/etc.

https://support.1password.com/1password-security/

https://1passwordstatic.com/files/security/1password-white-p...

https://support.1password.com/security-assessments/

44. shepherdjerred ◴[] No.31265858{5}[source]
It's the same argument as the famous Dropbox comment[0]. I'm generally going to prefer a polished service over a technical solution.

[0]: https://news.ycombinator.com/item?id=9224

replies(1): >>31267992 #
45. pottertheotter ◴[] No.31266360{3}[source]
That happened long before they took outside money, so it’s not related.
46. skinnymuch ◴[] No.31266444{5}[source]
Why? 1PW is succeeding. They didn’t do some huge moral quandary either that would make stopping the one time buying product a moral failing. People like the first commenter and myself have used 1PW for many years too and are fine with what has gone down.

Vs a clear moral screw up like the big tech companies colluding to not hire one another’s employees.

replies(1): >>31291079 #
47. skinnymuch ◴[] No.31266473{4}[source]
A small vocal minority. The company’s two relatively recent fund raises are massive.
48. kbumsik ◴[] No.31266737{3}[source]
Really? I have more than 1000k files and I have never faced issues for more than 7 years.
49. nicknow ◴[] No.31267882{3}[source]
> For example, I think they’d still be able to do the pay once model if they abstracted their storage to work with Dropbox/icloud/OneDrive/whatever.

I get why they don't but I often wish more SaaS companies had a bring your own computer & storage model. It doesn't make sense for 95% of customers and the 5% of us who might like it and have the tech chops to use it would just complain about having to pay more because we are outliers. But I wish it was offered!

replies(1): >>31276553 #
50. girvo ◴[] No.31267931[source]
I found 1Password's UI/UX and development tooling choices... not ideal, as of 1P v8. I miss the native apps, and the latest iOS app/integration had far too many bugs initially (I just use autofill alone now, on my iPhone. Not ideal, but good enough)
51. girvo ◴[] No.31267960{4}[source]
> Any project that uses dependencies (in any language) has the same issue.

While that's absolutely true, the Node ecosystem (which I use, love, and make my money in) definitely takes the sheer dependencies of dependencies of dependencies problem to a rather fascinating extreme, compared to nearly any other language I use.

replies(1): >>31268328 #
52. samhw ◴[] No.31267992{6}[source]
Haha, yup, that's what I was quoting in my comment ("just use curlftpfs!").
replies(1): >>31279320 #
53. danenania ◴[] No.31268328{5}[source]
It would be interesting to see some data. Node definitely has that reputation, but every other language I’ve worked in—ruby, python, golang, clojure, hell even objective c—all have rich library ecosystems and most libraries include other libraries. They also all have plenty of small, single-purpose libraries. Perhaps node is a bit worse, but it’s not like it’s in a different category. Most popular languages/ecosystems are like this.
replies(1): >>31268882 #
54. pid-1 ◴[] No.31268413{4}[source]
IMO it's still the best pw manager by a fair margin.
55. fastball ◴[] No.31268882{6}[source]
Node/JS definitely is a lot worse and in a different category by several orders of magnitude.

My theory is that this is because there is no standard library in Node.

My JS frontend has something like 20,000 packages that need to be installed to build the app. The next highest-dependency lang I use is python, where my average python app will have approx 100 packages all in. And then it only goes down from there with other systems.

replies(1): >>31269264 #
56. danenania ◴[] No.31269264{7}[source]
I suppose a lot of that can be chalked up to the overall size of the ecosystem (and also the complexity of frontends).

There's an exponential effect at work based on the number of libraries that do any one thing. If in python you have (for sake of argument) an average of 5, and in node an average of 25, the downstream effect is that you have massively more dependencies in your tree (many, many, more than 5x), just like you're seeing.

I still don't think the O(n) properties of dependency trees are any different in other languages though. Node just has the largest scale. If python had as many total packages as node, and was also as popular for building frontends, I think you'd have exactly the same situation. That's what I meant by "not in a different category". Node's scale/popularity is in a different category than python's, but its approach to dependencies is basically the same.

57. deadbunny ◴[] No.31271758{4}[source]
Seemed to work for a lot of software before SaaS ate the world. But who wants viable when you can bleed your customers for 10-1000x what they would have paid for the software once? /s
58. prepend ◴[] No.31276553{4}[source]
It makes sense because they make less money that way. It seems like they have some cognitive dissonance where they try to explain their SaaS fee because of the “features” that require SaaS. If they supported bring your own storage then that cuts out the main reason for the SaaS fees.

Also sad because bring your own storage is more secure to me than trusting a company with all of my passwords. So they are reducing security and increasing price.

59. oicU00 ◴[] No.31278017{5}[source]
If agency to make a thing must be purchased the long term viability of the thing is suspect. The work becomes about payments not the thing.

If it’s a real human problem, humans will solve it. If it’s instigated due to someone with coins in their pocket to mesmerize lizard brains, it’s a synthetic solution that will vanish with the synthetic driver of the work; payments.

Just because paying for things is common throughout history does not mean it’s necessary or the best choice long term; see Netflix propping up payment flows churning out crap. It means meat based tape recorders simply LARP the past.

60. oicU00 ◴[] No.31279320{7}[source]
Apples and oranges

A fully functional web app in a Docker image is what wg-ui is.

Web companies could probably just provide API keys for customers at this point and abandon UX teams.

61. samhw ◴[] No.31291079{6}[source]
If they said "buy once, get upgrades forever" and didn't provide that, then yeah, that's definitely a very plain example of immoral dealing. The future service is exactly what the purchasers were buying - not a nice-to-have add-on.
62. Groxx ◴[] No.31298817{5}[source]
Yep, ramming online vaults down everyone's throat is also what killed it for me. Since then I've gone from a massive supporter to recommending everyone look elsewhere.

Their online security-related UX is also a freaking nightmare. The desktop and mobile apps are excellent and still clearly the best, but yikes, their password plus secret uuid plus device identity is awful. I know multiple people who permanently lost everything thanks to that (remember, no local backups any more! That's what cloud storage almost always guarantees!), and they now push others away too.

I'm now a (relatively) happy KeePass user.