
The New Internet

(tailscale.com)
517 points ingve | 4 comments
teddyh No.41084227
The eternal problem with companies like Tailscale (and Cloudflare, Google, etc. etc.) is that, by solving a problem with the modern internet which the internet should have been designed to solve by itself, like simple end-to-end secure connectivity, Tailscale becomes incentivized to keep the problem. What the internet would need is something like IPv6 with automatic encryption via IPsec, with PKI provided by DNSSEC. But Tailscale has every incentive to prevent such things from being widely and compatibly implemented, because it would destroy their business. Their whole business depends on the problem persisting.

(Repost of <https://news.ycombinator.com/item?id=38570370>)

replies(14): >>41084990 #>>41084996 #>>41085022 #>>41085061 #>>41085166 #>>41085236 #>>41085716 #>>41085987 #>>41086195 #>>41086648 #>>41087141 #>>41087359 #>>41089848 #>>41092877 #
DyslexicAtheist No.41084996
I never thought of this. Forces me to rethink every negative post people made against DNSSEC which shaped my opinion. I still think that IPv6 and DNSSEC do more harm in practice than what they solve. Maybe the SCW podcast can do a deep dive on this together with somebody who is militantly pro-DNSSEC. <3 ...

edit: maybe even invite 2 or 3 DNSSEC advocates @tptacek :)

replies(3): >>41086078 #>>41087825 #>>41092402 #
1. tptacek No.41087825
I don't think the analysis upthread should make you rethink DNSSEC, since it, too, is a centralized system; rather than being controlled by Avery Pennarun (you could do worse), it's controlled by an unholy alliance of world governments and companies like Verisign.

If we could find a credible DNSSEC advocate (for our audience; that is: a cryptography engineer, vulnerability researcher, or an engineering leader at a major firm), we would absolutely invite them on.

'teddyh below gave you links to two pro-DNSSEC resources; fun note: the latter source (Geoff Huston, one of the world's more respected networking researchers) has since then written this:

https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/

replies(2): >>41095703 #>>41096325 #
2. DyslexicAtheist No.41095703
Thanks, much appreciated to you and teddyh for these links. Really needed these opposite views.
3. teddyh No.41096325
The title of that article which you link to is “Calling time on DNSSEC?”, and Betteridge's law of headlines applies to it. Here’s the final paragraphs from that article:

I guess the question we should be asking is — if we want a secured namespace what aspects should we change about the way DNSSEC is used to make it simpler, faster, and more robust?

replies(1): >>41097248 #
4. tptacek No.41097248
I'm happy just to see more people reading it. People can make their own call about it.