
655 points louis-paul | 2 comments
1. udev4096 No.43631012
You are still trusting the Tailscale coordination server for proper key exchange. Yes, traffic is end-to-end encrypted and the private keys stay on the device, but there's no way to verify that Tailscale is negotiating keys for the machine you asked for.
replies(1): >>43631130
2. supermatt No.43631130
I'm pretty sure that's not correct, as you can authorise the nodes that get added, and it is only authorised nodes that can participate in the tailnet.

The problem IIRC is that it is the coordination server that decides what is authorised, so if Tailscale was hacked (or otherwise malicious), nodes could get added to your tailnet without explicit authorisation from the tailnet "owner", which is obviously not good. To prevent this, they introduced tailnet-lock, which requires other peers to participate in node authentication: https://tailscale.com/kb/1226/tailnet-lock#how-it-works
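The check the linked tailnet-lock page describes, reduced to its core, as an added illustration that is not Tailscale's code (Tailscale's real key formats and signature encoding differ; Ed25519 over the raw node key is an assumption here): a peer advertised by the coordination server is accepted only if its node key carries a signature from a signing key the client already pins, so a compromised or malicious server cannot add a node on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NodeRecord is what the coordination server hands out for a peer: the
// peer's node key plus, under tailnet lock, a signature over that key made
// by a signing key held on a trusted device rather than by Tailscale.
type NodeRecord struct {
	NodeKey, Signer ed25519.PublicKey
	Signature       []byte
}

// SignNode is the trusted signing node's part: it signs the new peer's node key.
func SignNode(signerPriv ed25519.PrivateKey, node ed25519.PublicKey) NodeRecord {
	return NodeRecord{NodeKey: node, Signer: signerPriv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(signerPriv, node)}
}

// AcceptPeer is the client-side check: trust the record only if the signer is
// one of the locally pinned signing keys and the signature verifies over the
// advertised node key. A coordination server that invents a node, signs with
// its own key, or swaps the node key inside a signed record fails this check.
func AcceptPeer(trusted []ed25519.PublicKey, rec NodeRecord) bool {
	for _, k := range trusted {
		if k.Equal(rec.Signer) && ed25519.Verify(k, rec.NodeKey, rec.Signature) {
			return true
		}
	}
	return false
}

func main() {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader) // pinned on clients
	nodePub, _, _ := ed25519.GenerateKey(rand.Reader)            // legitimate new node
	rogue, _, _ := ed25519.GenerateKey(rand.Reader)              // node the server injects
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader)         // server's own key, never pinned
	trusted := []ed25519.PublicKey{signerPub}

	good := SignNode(signerPriv, nodePub)
	fmt.Println("signed by trusted peer:     ", AcceptPeer(trusted, good)) // true
	swapped := NodeRecord{NodeKey: rogue, Signer: good.Signer, Signature: good.Signature}
	fmt.Println("node key swapped in transit:", AcceptPeer(trusted, swapped)) // false
	fmt.Println("signed by server's own key: ", AcceptPeer(trusted, SignNode(serverPriv, rogue))) // false
}
```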