←back to thread

Tailscale has raised $160M

(tailscale.com)
655 points louis-paul | 10 comments | 08 Apr 25 10:36 UTC | HN request time: 0.158s | source | bottom
Show context
littlecranky67 ◴[09 Apr 25 07:13 UTC] No.43629616[source]
Still can't wrap my head around that TS does not allow to signup with your custom email/password combination but forces you to use bigtech (GitHub, Apple, Meta etc.) to login. Running your custom OIDC provider as a small, private person does not make any sense either.
replies(2): >>43629788 #>>43675451 #
dijit ◴[09 Apr 25 07:43 UTC] No.43629788[source]
I think that's quite smart, and OIDC is an open standard at least.

Securing usernames/passwords and handling second factors etc; is already done so well and it's hard to do.

Having a clear 'this is where we can be secure' stances is what makes me want to trust them more.

replies(3): >>43630167 #>>43630553 #>>43630731 #
lo0dot0 ◴[09 Apr 25 10:46 UTC] No.43630731[source]
Why is that smart? I signed up for a Microsoft Account with my email and I can use Microsoft Account to log in to Tail scale but I can't use the email directly? How does the middle man bring anything to the table?
replies(1): >>43631327 #
1. dijit ◴[09 Apr 25 12:31 UTC] No.43631327[source]
Because then tailscale doesn’t store a username and password for you, so unless microsoft is hacked you won’t be- theoretically.
replies(3): >>43631548 #>>43632133 #>>43641572 #
2. littlecranky67 ◴[09 Apr 25 12:59 UTC] No.43631548[source]
but at the same time, now Microsoft knows you are using Tailscale (and they use this data in their tracking + analytics). And all the other products. They get a very good insight of your online habbit, because they have a list of all other products and apps you use where you sign in with your microsoft account. And due to the way token refresh works, they even have a good idea how frequently you use each individual one.

And if you for whatever reason get locked out of your microsoft account (and I say this as someone who had this happen with a Google account) your are basically locked out of your online life.

I own my own domain for my email address (xxxx@mydomain.com). As long as I can set the MX record of that domain freely, I can always restore access to my email adress no matter what any email provider decides to do or block me for.

replies(1): >>43631564 #
3. dijit ◴[09 Apr 25 13:00 UTC] No.43631564[source]
sure, then spin up a keycloak.

Its not hard.

If you don’t feel comfortable doing so: maybe that is telling.

replies(1): >>43632158 #
4. lo0dot0 ◴[09 Apr 25 13:53 UTC] No.43632133[source]
Thank God Microsoft never got hacked
5. lo0dot0 ◴[09 Apr 25 13:55 UTC] No.43632158{3}[source]
What are you on about. For years logging in with email was possible even on the most amateurish projects. Now that's not possible for tailscale? Why
replies(1): >>43632207 #
6. dijit ◴[09 Apr 25 13:59 UTC] No.43632207{4}[source]
Because they don't want your password and as a security company, I applaud that.

Account issues, recovery, support that can be manipulated, a single breach or bad password that grants access to their admin interfaces, implementing their own 2FA.

And, serious people want SSO anyway, and most people have some kind of authentication they can lean on.

You can make a stodgy password login if you want, or you can run a keycloak yourself.

If you don't want to run an OIDC provider for yourself, why would you want them to?

Genuinely I applaud the idea that they're SSO first, and have as little information as possible to handle things. If you don't like it; well, run your own, run headscale - or, use wireguard another way.

Not every company needs their own login system. I fucking hate it.

replies(1): >>43633663 #
7. lo0dot0 ◴[09 Apr 25 16:07 UTC] No.43633663{5}[source]
Microsoft was hacked before and I don't trust them but I trust the email provider at the company I work for now what
replies(1): >>43633816 #
8. dijit ◴[09 Apr 25 16:19 UTC] No.43633816{6}[source]
Microsoft getting hacked proves my point more than you think, they're less likely to get hacked now because they have scar tissue. You're basically saying: "If you ever get hacked your reputation is burned forever, but I want these guys who have never done it before to handle logins for me even though they are saying that they are not comfortable with the extra responsibility". Get over yourself.

If you trust your email provider: Ask them to set up an OIDC provider then.

Email is insecure. I can't be the first person to tell you this.

Multiplying your logins is not more security, it's less in the majority of cases.

9. littlecranky67 ◴[10 Apr 25 07:32 UTC] No.43641572[source]
If I have to spin up a keycloak instance (you forgot to say on a public-facing data center that runs 24/7) to use a single service I would usually signup with an email and password, I might as well spin up my private vpn server.
replies(1): >>43641648 #
10. dijit ◴[10 Apr 25 07:47 UTC] No.43641648[source]
yep!

Or use a login system you already have.