
Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 27 comments
boesboes No.31260274
For anyone else who wonders wtf Tailscale is:

> Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.

It seems to take care of key distribution, NAT traversal, authentication etc etc

Neat! Not sure how that is 'fixing internet' exactly, but really cool anyway

replies(8): >>31260403 #>>31260446 #>>31260650 #>>31260654 #>>31260970 #>>31261908 #>>31268396 #>>31268813 #
1. ncmncm No.31260654
I thought that Tailscale was pretty interesting.

Avery Pennarun, its CTO, is somebody whose judgment I am used to trusting.

Then I learned that to use it, I would be dependent on authenticating using a login on one of the unaccountable internet behemoths who could take away my account for any random reason or no expressed reason at all.

No, thank you.

replies(10): >>31260714 #>>31260778 #>>31261024 #>>31261405 #>>31261904 #>>31262913 #>>31263886 #>>31268402 #>>31272508 #>>31275084 #
2. rrdharan No.31260714
I agree, GitHub is awful.
3. __float No.31260778
If you use an identity provider like Okta or OneLogin, then you're not tied to any "contentful" services like GitHub or a Google account that "historically" seem to have more problems of this type.

As far as threat models go, I can't really say I understand this one too much.

replies(3): >>31261608 #>>31262055 #>>31265188 #
4. naikrovek No.31261024
Google does that, Microsoft doesn't. Microsoft will ban you from a particular service if you egregiously violate the terms of service for a particular application of theirs, but never the whole account.

Google will throw you on your ass in the blink of an eye.

replies(1): >>31262300 #
5. boesboes No.31261405
Oh, that is a shame. I can see why they do it like this for businesses, but for personal accounts I refuse to use SSO. Been bitten by that a few times too many.

I _could_ use my github account, but I don't trust them at all anymore. And I'm not going to set up an account with some other service just to use this. So that is a hard pass for personal use.

For a company it makes sense to have to use whatever SSO provider you are already using, I guess.

6. margalabargala No.31261608
As an example: shortly after Russia invaded Ukraine, Namecheap cancelled all accounts of all of its customers who were located in Russia. This was done regardless of what content if any was hosted by the account, whether or not the person in question supported the war, or whether the person in question was actively fleeing Russia and may have been relying on technical infrastructure they had previously set up to help them do so.

Just because a service you sign up for is not contentful, does not mean that they won't choose to boot you off for some reason completely unrelated to anything you control or anything you chose to do.

replies(1): >>31264710 #
7. systemvoltage No.31261904
Yes. If they can’t build basic auth and make sure it’s secure, it sends quite the message.

Super annoying and borderline unacceptable.

replies(1): >>31265757 #
8. DarylZero No.31262055
Okta and OneLogin are both private corporations that have each existed for 13 years. Does your threat model include an estimate for how long they will stay in business? What if one of them puts the other out of business? Does your threat model choose a winner in that fight?

As far as paid services the possibility also is there that someday _you_ run out of money and have to stop paying them. They tend to shut down your access when that happens. Another financial threat you have to model.

These things don't happen when you use public key authentication.

9. skoskie No.31262300
Is there anything in their TOS that states it, or has this just been their practice so far?
replies(1): >>31262875 #
10. ncmncm No.31262875
Does it matter? Whether they say they will do it, or just do it without saying they will, the experience is the same.

What matters most is if they can. Then, if they ever have done. What I want is that they can't.

replies(1): >>31265442 #
11. ibejoeb No.31262913
Is that generally true? A third-party authentication service is needed just to get it going, or is that needed for specific use cases?
replies(1): >>31263532 #
12. ncmncm No.31263532
Apparently the third-party authentication service is needed just to get it going. If you get an "enterprise license" you can choose among more authentication services, but not yourself.

Some people suggest trying Nebula instead.

13. kyawzazaw No.31263886
Avery Pennarun is CEO.

David Crawshaw is CTO.

replies(1): >>31263956 #
14. ncmncm No.31263956
I am corrected.
15. woodruffw No.31264710
This is a strange example to pick given that (1) it's a war, and (2) a significant percentage (majority?) of Namecheap's employees and offices are in Ukraine.

If we (the US) decided to invade Canada tomorrow, you can be certain that the maple syrup would stop flowing.

Edit: According to their website[1], the overwhelming majority of their employees are in Ukraine. Two of the three cities they have offices in are on the current combat front.

[1]: https://www.namecheap.com/careers/ukraine

replies(1): >>31268264 #
16. orojackson No.31265188
For enterprise, sure, using a separate IDM provider works, but last I checked, neither Okta nor OneLogin cater to individuals and their personal accounts. So as far as threat models go, I understand why people view this requirement from Tailscale as utter garbage for personal accounts.
17. naikrovek No.31265442
You want a free service written, maintained, and hosted by others that they don't control. Am I understanding you?
replies(1): >>31265589 #
18. ncmncm No.31265589
No. I would be happy to pay for service, but they offer no choice but to rely on somebody else's authentication, regardless.
replies(1): >>31265854 #
19. chipsa No.31265757
They don't want to build basic auth. They probably could, but it gives them more headaches and customer service touch points compared to delegating that out. Like: what if the user forgets their password? Or what if they lose their 2FA device?
replies(1): >>31265792 #
20. systemvoltage No.31265792
Yes, welcome to operating a SaaS.
21. naikrovek No.31265854
Read harder next time. https://tailscale.com/kb/1119/sso-saml-oidc/
replies(2): >>31270238 #>>31270408 #
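As an added example, not from the thread and not Tailscale's code: the check a relying party performs when it delegates login to an OIDC identity provider, which is what the Tailscale page linked above describes and what __float's Okta/OneLogin suggestion earlier in the thread assumes. The issuer URL, client id, HS256 shared secret and user claims are constructed for the demo; real providers publish RS256/ES256 keys via JWKS, but the claim checks (pinned algorithm, signature, issuer, audience, expiry) are the same. It also shows why the last token lapses once the IdP stops issuing new ones, and why two common forgeries (alg=none, edited claims) must fail.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo (not Tailscale's, not any real IdP's).
ISSUER = "https://idp.example.com"   # assumed IdP issuer URL
AUDIENCE = "rp-client-id"            # assumed client_id registered at the IdP
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # HS256 key shared by IdP and RP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_id_token(subject: str, email: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """IdP side: issue a short-lived, signed ID token after a successful login."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "email": email,
              "iat": now, "exp": now + ttl}
    signing_input = _encode(header) + "." + _encode(claims)
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, now: Optional[int] = None) -> dict:
    """Relying-party side: accept only a token the IdP signed and still vouches for."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (blocks alg=none and key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def login_allowed(token: str, now: Optional[int] = None) -> bool:
    """The RP's decision: True only while the IdP's assertion checks out."""
    try:
        verify_id_token(token, now)
        return True
    except ValueError:
        return False


def forge_alg_none(token: str) -> str:
    """Attacker trick: drop the signature and claim alg=none. Must be rejected."""
    _, claims_b64, _ = token.split(".")
    return _encode({"alg": "none", "typ": "JWT"}) + "." + claims_b64 + "."


def tamper_claims(token: str, **changes) -> str:
    """Attacker trick: edit claims (e.g. sub) without the secret. Must be rejected."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return header_b64 + "." + _encode(claims) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_id_token("user-123", "alice@example.com", ttl=300, now=t0)
    print("fresh token accepted:", login_allowed(tok, now=t0 + 60))
    print("after the IdP stops renewing (past exp):", login_allowed(tok, now=t0 + 301))
    print("alg=none forgery accepted:", login_allowed(forge_alg_none(tok), now=t0 + 60))
    print("tampered sub accepted:", login_allowed(tamper_claims(tok, sub="admin"), now=t0 + 60))
```

The relying party never sees a password; it only decides whether to trust the IdP's signed statement. That is the convenience chipsa describes (no reset or 2FA-recovery flows to run) and, in the same line of code, the dependency ncmncm objects to: if the IdP closes the account, it simply stops minting tokens and the last one is refused at `exp`.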
22. klabb3 No.31268264
I don't think parent is saying it's unexpected, but rather that having a third-party identity provider (especially a corporation) is an unwarranted and/or unwanted political dependency. I deeply empathize with this sentiment but also recognize why many companies choose to rely on them (identity is very difficult).
23. stavrianos No.31268402
What precisely are the consequences of the third-party auth? Is it, they get an IP ping each time a device connects or does anything? Or, does that only happen once, but they can revoke access at any time? *Surely* they aren't granted access to the content? That would be mindboggling.
24. Handytinge No.31270238
This isn't a very nice comment (from my reading anyway).

> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.

> Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

25. ncmncm No.31270408
Thank you. It is hard to interpret what this might mean, for me.
26. PLG88 No.31272508
You should check out the open source project OpenZiti (https://openziti.github.io/). It has its own internal PKI system so you don't need to (but can) link to an external 3rd party. It also allows you to close all inbound ports and link listeners (as every endpoint has embedded identity, so it makes outbound-only connections) and can be embedded directly into apps with SDKs as well as deployed on any popular OS or as a virtual appliance.
27. dstanbro No.31275084
If you're that concerned with 3rd party auth, I'm surprised you're not more concerned about trusting your virtual network to a SaaS platform (who could definitely decrypt the traffic). For those more privacy minded, they'd probably wanna go with one of the self-hosted alternatives, of which there are now a few.