
imagine99 | 3 years ago

> It's an order of magnitude less effort and risk

For the developer, yeah, not for the user though. But "least-effort development" is not generally that meritorious, especially in this area, and arguably a large part of TS's value proposition is about "less effort and less risk" for the user!

For the user this means more effort and more risk if you consider that you've just multiplied your attack surface by combining internal, privileged access to your network (often without any firewalls or per-device authentication) with whatever other skimpy services you use the credentials for. I know we're all supposed to expect zero trust these days and have all these well-designed enterprise IdP systems in place but the reality is starkly different, especially in the SMB space.

I know that there are a lot of things you can do wrong with auth but a company capable of developing something as complex as a zero-config modern mesh VPN should be able to handle rolling their own auth, come on.

And by the way, it's not like they get the third-party SSO right either: Every time we log into the admin panel with our 3rd party (Microsoft/Github/Google) account, we are asked to re-authorize Tailscale ("Tailscale by Tailscale wants to access your data...").

In short, they could really throw some developer hours at this and polish it a bit, roll their own auth (again, can be a tertiary beta option with warning labels at first) etc. This would also leave a good first impression with first time and trial users, and, most importantly, give users an informed choice to leverage the solution that they consider the least effort and least risk for their use case.

PLG88 | 3 years ago

Fully agreed. What you probably want is OpenZiti. It's a modern mesh overlay network which is explicitly built on zero trust principles including using strong embedded identity (with the ability to plug in 3rd party IdP). This ensures per-endpoint authentication and authorisation before any connectivity can be established on the basis of least-privilege and microsegmentation. The connectivity at source and destination is established outbound so no inbound ports are needed while providing private (magical) DNS. It's also completely open source and free. Here is an overview of some of the superpowers - https://www.youtube.com/watch?v=hLEeHit3prY&list=PLMUj_5fkla...

Disclaimer, I do work on the project so take me with a pinch of salt.

preseinger | 3 years ago

> "least-effort development" is not generally that meritorious, especially in this area, and arguably a large part of TS's value proposition is about "less effort and less risk" for the user!

Development effort is the dominant variable in engineering cost/benefit analysis. What do you think is the cost of what you're asking for? What do you think is the value?

I'd guess the effort is 50-100% relative to all of the auth schemes currently supported combined, and I'd guess the value is maybe one or two orders of magnitude less than the value delivered by those features.

> Every time we log into the admin panel with our 3rd party (Microsoft/Github/Google) account, we are asked to re-authorize Tailscale ("Tailscale by Tailscale wants to access your data...").

If this were a common problem, don't you think they would have addressed it? I don't have this experience, for the record.

> they could really throw some developer hours at this and polish it a bit, roll their own auth

I don't think you have a realistic understanding of what you're asking for.