←back to thread

The New Internet

(tailscale.com)
517 points ingve | 3 comments | 26 Jul 24 18:29 UTC | HN request time: 0.611s | source
Show context
teddyh ◴[27 Jul 24 03:19 UTC] No.41084227[source]
The eternal problem with companies like Tailscale (and Cloudflare, Google, etc. etc.) is that, by solving a problem with the modern internet which the internet should have been designed to solve by itself, like simple end-to-end secure connectivity, Tailscale becomes incentivized to keep the problem. What the internet would need is something like IPv6 with automatic encryption via IPsec, with PKI provided by DNSSEC. But Tailscale has every incentive to prevent such things to be widely and compatibly implemented, because it would destroy their business. Their whole business depends on the problem persisting.

(Repost of <https://news.ycombinator.com/item?id=38570370>)

replies(14): >>41084990 #>>41084996 #>>41085022 #>>41085061 #>>41085166 #>>41085236 #>>41085716 #>>41085987 #>>41086195 #>>41086648 #>>41087141 #>>41087359 #>>41089848 #>>41092877 #
tomjen3 ◴[27 Jul 24 11:58 UTC] No.41085987[source]
I think that is excessively negative take. Tailscales value proposition is also "you can connect to your network wherever you are, safely, and others cannot". That does not go away because of IPsec.
replies(1): >>41086095 #
teddyh ◴[27 Jul 24 12:19 UTC] No.41086095[source]
Network- and location-based security is ultimately unworkable. It’s like if you, in order to work, had to go to a ”virtual office” to even send mail to your colleagues. Mail, and related internet-enabled services, should be accessible from anywhere, and be secured at the end points, not at the network layer. (Most attacks are internal, anyway.)
replies(4): >>41086192 #>>41086878 #>>41092961 #>>41099063 #
1. tomjen3 ◴[27 Jul 24 12:38 UTC] No.41086192[source]
Why should you have access to the SSH host for my pie?

Or, more to the point, the server that I use to run my RSS feed reader?

Or my NAS?

Tailscale makes these more secure and more accessible for me. They are never meant to have the world access them.

Now for email and a few other things, sure, their nature is that they need to access the world.

replies(1): >>41086455 #
2. teddyh ◴[27 Jul 24 13:27 UTC] No.41086455[source]
> Why should you have access to the SSH host for my pie?

Because that is how the internet is meant to work. It is an end-to-end network. If SSH would not be secure enough to handle this, it would need a secure replacement.

> Or my NAS? […] They are never meant to have the world access them.

What is a NAS, if not a Network-Attached Storage, i.e. meant to be accessed from the network? The concept of a ”local”, ”secure” network is a dangerous illusion. Embrace ”zero trust” networking.

replies(1): >>41092972 #
3. otabdeveloper4 ◴[28 Jul 24 13:26 UTC] No.41092972[source]
> Because that is how the internet is meant to work.

No. The "internet" is literally the "inter-network", a way to connect private networks between each other.

The fact that VPN technologies sit behind proprietary corporate intellectual property is not by design, it is a failure of the internet standardization process as it was gamed by corporate interests.