
Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 8 comments
arianvanp ◴[] No.46215864[source]
Complains about TLS inspection, yet fronts their website on the biggest and most widely deployed TLS introspection middle box in the world ...

Why do we all disdain local TLS inspection software yet half the Internet terminates their TLS connection at Cloudflare who are most likely giving direct access to US Intelligence?

It's so much worse as it's infringing on the privacy and security of billions of innocent people whilst inspection software only hurts some annoying enterprise folks.

I wish we all hopped off the Cloudflare bandwagon.

replies(7): >>46216030 #>>46216051 #>>46216089 #>>46217208 #>>46217601 #>>46221412 #>>46226753 #
1. phito ◴[] No.46216030[source]
I wish so too, same for all the self-hosters using Tailscale...
replies(3): >>46216106 #>>46216426 #>>46216429 #
2. kreetx ◴[] No.46216106[source]
These are not the same thing; the parent is confused.
3. dns_snek ◴[] No.46216426[source]
Tailscale connections don't get terminated by a middle box, it's just end-to-end encrypted WireGuard under the hood. The cloud-hosted control panel is a risk because they could push malicious configuration changes to your clients (ACLs and new nodes if you're not using the lock feature), but they can't do it without leaving a trace like Cloudflare can.
4. progbits ◴[] No.46216429[source]
Tailscale cannot passively observe traffic.

They could inject malicious keys into your config, but it would be hard to mask the evidence of that.

replies(1): >>46217158 #
5. treesknees ◴[] No.46217158[source]
Would it be hard? I thought the point of Tailscale was not having to manage or concern yourself with key distribution.
replies(1): >>46218087 #
6. newdee ◴[] No.46218087{3}[source]
Look up the Tailnet Lock feature.
replies(1): >>46239239 #
7. yencabulator ◴[] No.46239239{4}[source]
A feature in the client software they control, that you run as root, that auto-updates regularly?