(Repost of <https://news.ycombinator.com/item?id=38570370>)
Or, more to the point, the server that I use to run my RSS feed reader?
Or my NAS?
Tailscale makes these more secure and more accessible for me. They are never meant to have the world access them.
Now for email and a few other things, sure, their nature is that they need to access the world.
Because that is how the internet is meant to work. It is an end-to-end network. If SSH would not be secure enough to handle this, it would need a secure replacement.
> Or my NAS? […] They are never meant to have the world access them.
What is a NAS, if not a Network-Attached Storage, i.e. meant to be accessed from the network? The concept of a "local", "secure" network is a dangerous illusion. Embrace "zero trust" networking.
> should be accessible from anywhere, and be secured at the end points, not at the network layer
If you're not securing at both the network layer and the endpoints, then you have utterly failed security and you need to go sit in the dunce corner.
No. The "internet" is literally the "inter-network", a way to connect private networks between each other.
The fact that VPN technologies sit behind proprietary corporate intellectual property is not by design, it is a failure of the internet standardization process as it was gamed by corporate interests.
If you do this, your application has no listening ports on the WAN, LAN, or host OS network and thus cannot be attacked from the external network/IP.
The asymmetry of risk now favours the defender, not the attacker. Oh, plus we also have pre-built tunnelers for endpoints if you cannot do app-embedded.