by darthShadow on 10/27/22, 5:13 PM with 102 comments
by PaulWaldman on 10/27/22, 10:12 PM
Would it be possible to bundle the same into a portable application allowing you to use Tailscale without installing it? My understanding is that currently if you can't install Tailscale on a client you need to use Subnet Router. https://tailscale.com/kb/1109/devices-without-tailscale/
by easton on 10/27/22, 6:38 PM
by vngzs on 10/27/22, 6:18 PM
If, say, the adblock Chrome extension you're using gets bought by a malware operator and backdoored[0], now it also has SSH and VPN access.
[0]: https://www.wired.co.uk/article/fake-chrome-extensions-malwa...
by kybernetyk on 10/28/22, 8:09 AM
Wow, and they're proud of it.
by chatmasta on 10/27/22, 9:44 PM
Did you experiment with the new WebTransport API [0] at all? It's only supported in Chromium browsers, but seems promising for this kind of use case.
by amluto on 10/27/22, 6:27 PM
If Tailscale's client was a userspace construct bound to a specific user SSH program, maybe fine. But Tailscale's client is a regular VPN client. What happens if you connect to the Tailscale VPN, open a malicious but sandboxed app of some sort, and that app connects to the target on TCP port 22?
For all that it's a seriously unfinished product, Cloudflare's SSH offering seems better thought out. Perhaps Tailscale should find a way to issue a short-lived certificate and use that in addition?
(It looks like regular sshd could almost be convinced to handle this. If the SSH_CONNECTION environment variable were passed to the AuthorizedPrincipalsCommand helper or if the source and destination were available as '%' tokens, then AuthorizedPrincipalsCommand could do the Tailscale tuple lookup and use it as a second factor in addition to a short-lived certificate (or regular SSH key or whatever). I bet openssh would accept a patch for this.)
by gunapologist99 on 10/27/22, 10:55 PM
* garden-variety web attacks (i.e., XSS, CSRF, etc.)
* attacks that might become viable against the browser (for example, Mobile Safari has a history of vulnerabilities)
* various attacks against the backend web server (API attacks)
* attacks against the WASM layer
* CDN injections
* Tailscale's backend (various types of injections, timing attacks, or deeper attacks on Tailscale's infrastructure like the nightmares of Heartbleed, Shellshock, Meltdown, etc.)
That's probably a very incomplete list. Realistically, this essentially (actually, literally) opens a remote root shell into your entire infrastructure through a web page, with apparently nothing more than matching an IP address pair (https://news.ycombinator.com/item?id=33361837) to authenticate.
What could go wrong?
This design with its loose coupling between authenticated user and IP addresses for high-value targets makes me view Tailscale's security model in a whole new light.
by aliqot on 10/28/22, 4:21 AM
Let me say again, though I admire it, I'd never use this. I like to sleep soundly, as irrational as that may be.
by dekhn on 10/28/22, 4:04 PM
I think this should be compiled with WASM and deployed via web page. Then we can explore the idea of browser-hosted POSIX kernels.
by Spivak on 10/27/22, 8:41 PM
I love that they were clearly inspired by fly.io. Warms my heart that a random blog post with a good idea can spread like this.
by heliophobicdude on 10/27/22, 7:05 PM
Forgive my ignorance but is there any sort of native client besides the browser running in the background to help with websocket to tcp? Or a tunnel to a cloud service to help there?
by skybrian on 10/27/22, 7:37 PM
by ice3 on 10/28/22, 7:47 AM
One of the things that Teleport lacks (IMO) is WireGuard.
by cynix on 10/28/22, 11:41 AM
by Scarbutt on 10/27/22, 7:31 PM
by dekhn on 10/27/22, 5:43 PM
Having an SSH client in your browser join your VPN violates all the principles of modern computing.