
https://tailscale.com/blog/free-plan/

Being a mesh means most connections are direct and do not go through any infrastructure which costs Tailscale money, making a Free tier economically workable.


(Tailscale employee)

It is not a web page with a shell open.

It is the Tailscale client, compiled to WASM, maintaining the keys for connections to nodes on the tailnet. Connections opened from the browser engine don't get the ability to reach the tailnet.


Given the apparent (yet possibly unfounded) concern, it might be useful to discuss this issue in the blog post. Would you consider updating it?


Doesn't the post say exactly what the parent comment did? It explains the process by which they came up with the WASM Tailscale, and how it authorizes and works. If anything, the parent comment just paraphrased the article.


It doesn't paraphrase; this is the important sentence:

> Connections opened from the browser engine don't get the ability to reach the tailnet.

That was not really explained in the article. Maybe it's obvious to some people, but I'm sure it's not for many.


The Tailscale VPN client, the same one which runs on other devices, is compiled to WASM. It handles all of the key exchanges to connect to the tailnet. The SSH session is running as a WASM Tailscale client.

The browser, opening connections from within the browser engine, doesn't have the keys for SSH or VPN access.


Sounds like about "as good as this gets" if you happen to want to do this in browsers. Good job.


It doesn't have the keys, but it can inject any JavaScript and do whatever the user can do.


Like intercepting your OAuth token the next time you log in to SSO and then using that to access your tailnet.

This was true even before this new feature.

The new threat model is entirely psychological.


To me it seems they've taken all precautions they can reasonably take -- "what if the user installs a keylogger" isn't fixable by anyone.


"Installing a keylogger" is a vast oversimplification, even if it is outside of their threat model.

Installing almost anything in your browser is usually a matter of a couple of clicks.


The wasm code runs in the browser, hence the keys live in browser memory, so the browser has access to the keys.


And then the addon intercepts the loading of the Wasm code, injects its own payload into it and has access to the keys.
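The point the last few comments make (keys held by a WASM client sit in WebAssembly linear memory, which is ordinary page memory) can be checked directly. The following is an added example, not Tailscale's code or anything posted in the thread: a tiny WebAssembly module assembled by hand in JavaScript stores a constructed placeholder string (`FAKE-PRIVATE-KEY`, not a real key) in its memory, and host JavaScript reads it back two ways, through the module's own export and by scanning the whole memory without knowing the pointer. Every name in it (`instantiateDemo`, `readViaExport`, `scanMemoryFor`) is made up for this illustration. Any script running in the page context, including an extension with access to the page, gets the same view, which is why the thread treats a malicious extension as outside what the client itself can defend against; the controls that remain live at the browser-profile level (extension policy, a dedicated profile), not inside the WASM module.

```javascript
// Hand-assembled WebAssembly module (constructed for this example).
// It exports its memory and a function returning the offset of a
// placeholder "secret" that a data segment writes into memory at load.
const SECRET = "FAKE-PRIVATE-KEY"; // constructed placeholder, not a real key
const SECRET_OFFSET = 8;           // where the data segment places it

// Encode a section: id, byte length (single-byte LEB128 is enough here), body.
function section(id, body) {
  return [id, body.length, ...body];
}

// Encode a name as a length-prefixed UTF-8 byte vector.
function name(s) {
  const b = [...new TextEncoder().encode(s)];
  return [b.length, ...b];
}

const secretBytes = [...new TextEncoder().encode(SECRET)];

const moduleBytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,          // magic + version
  ...section(1, [0x01, 0x60, 0x00, 0x01, 0x7f]),           // type: () -> i32
  ...section(3, [0x01, 0x00]),                              // one func of type 0
  ...section(5, [0x01, 0x00, 0x01]),                        // one memory, min 1 page
  ...section(7, [0x02,                                      // two exports:
    ...name("memory"), 0x02, 0x00,                          //   memory 0
    ...name("secret_ptr"), 0x00, 0x00]),                    //   func 0
  ...section(10, [0x01, 0x04, 0x00, 0x41, SECRET_OFFSET, 0x0b]), // body: i32.const 8; end
  ...section(11, [0x01, 0x00, 0x41, SECRET_OFFSET, 0x0b,    // active data segment at 8
    secretBytes.length, ...secretBytes]),
]);

// Instantiate the module synchronously (fine for a module this small).
function instantiateDemo() {
  return new WebAssembly.Instance(new WebAssembly.Module(moduleBytes), {});
}

// Path 1: the host uses the module's own export to find the secret.
function readViaExport(instance) {
  const ptr = instance.exports.secret_ptr();
  const mem = new Uint8Array(instance.exports.memory.buffer);
  return new TextDecoder().decode(mem.subarray(ptr, ptr + secretBytes.length));
}

// Path 2: the host ignores the exports entirely and scans linear memory
// for a known marker, which is what a script with page access could do
// against any WASM module. Returns the offset, or -1 if absent.
function scanMemoryFor(instance, marker) {
  const needle = new TextEncoder().encode(marker);
  const mem = new Uint8Array(instance.exports.memory.buffer);
  outer: for (let i = 0; i + needle.length <= mem.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (mem[i + j] !== needle[j]) continue outer;
    }
    return i;
  }
  return -1;
}

const demo = instantiateDemo();
console.log("via export:", readViaExport(demo));
console.log("via memory scan, offset:", scanMemoryFor(demo, "FAKE-"));
```

The module and the scan are deliberately minimal; a real client's key material is larger and not a printable marker, but it is still bytes in the same `memory.buffer` that every script in the page can wrap in a typed array.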


What keys? I think the implementation does not use regular SSH keys for SSH authentication, but rather something custom (I believe traffic to port 22 on each SSH enabled client is intercepted and the daemon handles authentication itself).


For the downvotes: Am I misunderstanding Tailscale's implementation?

I'm not commenting on whether it's a good or bad idea, but we should at least be talking about the same thing.


citation needed


For me it was trying to build an AWS Lambda function where I'd deploy a new version and visit the URL, then wait for the CloudWatch logs. And wait. And wait. It might only be two minutes but that is long enough for me to want some tea, maybe look at some other issue filed that morning and see if I can make progress in diagnosing it, and WHOOPS I GOT DISTRACTED FOR HALF AN HOUR.

fly.io is instantaneous. I deploy, I see the result, I fix it, I deploy again and figure out the next problem. It is a pleasant environment to develop in.


I've noticed the time for new logs to appear is proportionally related to the number of log streams you have in that container already. If you eagerly spool your logs out of there and keep a short threshold for automatic deletion the request to log delay for a lambda serving something like API Gateway is, in my experience, only a few milliseconds.


> fly.io is instantaneous. I deploy, I see the result, I fix it, I deploy again and figure out the next problem.

Clearly, you haven't hit those spontaneous fly.io bugs, yet ;)


If you'd like to contact info@tailscale.com we can set up a time to talk.


I'll mention one more time: if you'd like to contact info@tailscale.com we can set up a time to talk about upcoming features and philosophy on releasing them.


Because if you are an IoT service with one human and 100,000 devices, the amount of support you may need is more dependent on the 100,000 than on the 1. Very large numbers of devices per human need somewhat different pricing.


If that's what he thought in 1996, I wonder what the 2008 version would say?


I do write a blog. As tx observed earlier 99.9% of blogs are crap, including mine. Nonetheless I think it has been a worthwhile use of time, and I'll continue doing it for a while. Written communication skills are very important, an "essay" style of blog can exercise those skills whether anyone reads what I write or not.

The discipline of having to write it all down does certainly sharpen one's thoughts, and comments often supply links to other material on the topic. In my case commenters also point out ghastly errors I've made, but that's probably just me.

