I am one of those users who have asked: how can I trust that the Tailscale coordination server will not inject hidden public keys into my network?
This feature is a very good step forward in security. I will take a look and if the implementation is sound, I am going to use Tailscale (namely, if Tailscale is compromised, I will not be automatically compromised, unless I manually accept external public keys, or install a bad update).
The problem with malicious updates can be addressed by providing an easy way to check the code signature. With a standalone, infrequently updated app such as an AppImage app, this can be easily done by verifying the GPG signature upon download.
If you don't want to trust the Tailscale coordination server, and decide that tailnet lock is not for you, have you taken a look at Headscale? https://github.com/juanfont/headscale
How can I trust that I can log in and administer my network when Google kills my Google Account login or Microsoft kills my GitHub Account?
Big tech surveillance orgs being the SSO is an SPoF for the administration of the network. For something as critical as L3, I can't accept that.
I just use Nebula instead. It doesn't have a spiffy web interface or ssh auth chrome bolted on, but it works great for my purposes and it doesn't involve Google or Microsoft at any point.
IdP trust is on the list. There are some "easy" things we can do that help on the surface but make life harder for users. And there are some not-so-easy things we are researching. I hope to have answers in 2023.
I recently read this blog [0] about how tailscale was thinking of open sourcing a small coordination server but headscale had already been created so that effort was put on hold.
Is tailscale at this point in any way involved in headscale or contributing to it or are there plans to fork it to keep it maintained?
We hired one of the Headscale developers and let him work on it (as part of his job, not just moonlighting) and we help out when there are issues and give them a heads-up when protocol changes/etc are coming.
This is such an outstanding response to the existence of Headscale that I struggle to understand it. Why not just open source Tailscale's control server? Don't get me wrong though, what you guys are doing now is great.
There’s another added benefit that they get two different implementations of the same protocol. When you have multiple implementations, you effectively have a double check on the protocol design. This should make the project as a whole significantly better engineered.
Yeah, that's probably very true. Our main coordination server should probably get easier to run (for our on-prem customers and our various country-specific instances we run) but Headscale is far ahead of Tailscale's on just being easy to run.
re: IdP, assuming that means signing up without Microsoft/Google (which really bother me too), would it be possible to migrate a Github account to .. whatever you all implement _(email signup/etc)_?
I totally empathize. I waffled on Tailscale for a long time, and was convinced I'd roll my own for everything.
But goddamn if that spiffy web interface is not just the bees knees. I relented and put in a Google account that I don't use very often for identity--no idea if that makes it more or less like to be arbitrarily banned by Google--and accepted the fact that access to Tailscale wasn't so critical for me that I needed to be worried about it.
But in production, I totally get it. But I'd probably still just pay for Tailscale's SAML and use Okta or something...
I have been using Tailscale since the beginning personally, and have been trying to sell it internally at work, and since we have a GitHub Community I have integrated various Tailscale machines into some of our playground environments for others to test out.
One option is don't. Run tailscaled inside a container with host network access, that way you can connect to the host, but it doesn't have the ability (unless it escapes the container) to write (ssh) keys.
I think y’all are talking about different things; the parent comment seems to be talking about injecting additional keys into the tailnet (basically, letting other devices communicate inside your Wireguard VPN).
That's actually the point of this feature. Before, the key distribution server could add unauthenticated Wireguard nodes to your peer list. Now, the tailnet administrator can tell Tailscale nodes to reject new peer public keys unless the key is cryptographically signed by a trusted node. If you don't trust the implementation, wait until it's audited, I guess.
I wonder if a third-party solution for the signature key distribution is feasible; I suppose it should be, because it appears to be just a file.
This way, if you don't trust Tailscale to distribute these lock-controlling keys, you could run a different mechanism of your choosing that would effectively control what nodes are automatically admitted.
Based on the article, the private keys for peer enrollment signing are generated locally on each Tailscale client and aren't distributed at all. I don't see why you couldn't write a custom client that approves or denies new peers based on your own criteria. Some of the internal Tailscale API may first need to be officially documented.
It still makes me jittery how much stuff they've packed into the client. The RCE vulnerability in their Windows client is a pretty strong indicator that things are moving a bit too fast for comfort.
My fortinet footprint would like to assure you that stuff which moves slowly also has problems. I try not to hold a CVE against anyone unless they are extremely stupid and reveal a lack of any technical controls.
wireguard is a linux-first solution and all of the windows stuff for it is subgrade, and probably will continue to be for a while. Still selling plenty of anyconnect/globalprotect have a stranglehold on windowsland and probably will for a long time.
To be fair, the exploit chain was rather complex. Had it been more straightforward I'd be worried, but with the amount of pivoting required to make the exploit work it seems more like something even a security conscious developer could miss.
Agreed: I do feel the Windows client in particular is a little scary. In general, Tailscale clients feel reasonable, if light; but the Windows client is kind of iffy. There's a bug that I believe still exists where on some machines, it will crash on startup most of the time, seemingly the result of a race condition or other bug where GetLastError returns something unexpected, in a not-very-well maintained Win32 API wrapping library for Go. This is mostly benign (although annoying) but the contrast in how competent Tailscale seems to be about the core guts vs the clients feels a little jarring at times! Still love it though.
FWIW, we've recently taken over maintenance of those Go libraries because they seem to have been abandoned upstream. And we now have people working on Windows full-time. (Early on, the Tailscale team was all primarily Linux and macOS users so Windows was admittedly neglected for too long)
There were a few things going on with that issue you mentioned; one of them is the way the wrapper library was written, the other was with some stuff in the GUI client that was happening on a background goroutine but shouldn't have been. That should be fixed in the current stable release.
As for the Windows client in general, it is going to be receiving a lot of love over the next few months!
I see; I need to update the client on one of my machines. I appreciate the heads up, as it is quite frustrating to get it to start sometimes. Thanks!
I'll have to check out the bug sometime, but it sounds like it's just bad luck with goroutine scheduling and the order things execute in, in a goroutine that isn't locked to a thread. I can see it going unnoticed on older versions of Go (especially prior to weirder things like usermode preemption.)
For personal stuff, it feels totally new. It's like having your own intranet. It's like being on LAN with all of your personal devices, plus any bridged into your tailnet, at all times, anywhere on earth. You can route your internet traffic through another machine, or not (default.) It has built-in basic file transfer, and a nice little SSH bridge.
Technologically, it's based on Wireguard. Wireguard is fast; really fast, especially compared to OpenVPN. Using cutting edge cryptography and a new UDP protocol, Wireguard connections feel roughly zero-overhead (they're not, of course.) Connections are peer-to-peer and you usually will get pretty close to the fastest reasonable route between any two devices, whether you're on LAN or overseas, whether there's a strong NAT in front or not.
They've also engineered a lot of things carefully, instead of just cobbling together existing end-user tools in Rube Goldberg arrangements. (Not saying there isn't use of existing code; there totally is. But it's all very nicely integrated from what I can see.) Doing things "the hard way" can lead to more complicated software, but the way they've architected things makes the possibilities for expanding the utility of Tailscale to be nearly limitless. It's also amazingly entertaining to read about. Seriously, just read about how their web browser SSH client works:
I tried, but I couldn't get it to work at all. I don't really know what I was doing wrong, it just hung without connecting. It's been a while and I haven't tried since.
Same. Tailscale just worked out of the box on all my devices. ZeroTier had issues connecting which I didn't bother troubleshooting because Tailscale just worked.
When I tried ZeroTier it had trouble with bonjour/rendezvous/mDNS zeroconf host names. Getting it up and running on a new device was also a bit more complicated than Tailscale (although maybe at the expense of needing to trust TS more than you needed to trust ZT?)
Historically you had enterprise-grade VPNs that cost a lot of money, or OpenVPN. Both ran over IPSec or SSL, and neither were super straightforward to config/maintain, nor were they particularly performant.
Then came wireguard, which is awesome, but wireguard is just a transport. It doesn't have all the UX niceties built on top of it, like registering clients or generating / distributing keys. Tailscale does a lot of that lifting for you, so you can easily and quickly get a working VPN, at a low cost, with good performance.
Personally I manage wireguard myself, but I also self-host my own VMs, storage server, applications, etc.
Tailscale is like taking your car in for an oil change instead of doing it yourself, plenty of people find that worth it.
I have a Tailscale client running on my NAS at home, this allows me to access stuff at home when I am not there, mostly my Home Assistant instance but sometimes the files on the NAS as well.
Without Tailscale I would need a way to publish my router's current WAN address somehow (probably with DDNS), create a port forward rule on my ISP's router/modem and then set up a VPN server to listen for those connections.
Not to mention that the current ISP doesn't even allow me to log in to their modem and set up port forwarding.
I have it on all my personal and family servers and devices. I use it so that for both myself and my family all our internal stuff (unraid network shares, jellyfin, homepages, photo backups, etc, etc) "just works" for the less technical members of the family even when they're not at home. It seamlessly detects when the peer is local so it doesn't route out to the internet and back, has an easy ACL to segment things (wife's phone doesn't need access to dd-wrt), and a bunch of other features.
We've been able to do this with existing VPNs for a long, long time, but tailscale is by far the most painless offering I've ever used and I migrated away from OpenVPN completely.
>It seamlessly detects when the peer is local so it doesn't route out to the internet and back
One of my use cases for Tailscale was connectivity between my primary NAS and an off-site NAS I use for backups. Being able to bring my NAS to the same site/network I had set up the off-site NAS on and just have things work over the LAN without reconfiguring anything was a wonderful surprise.
(Yes, I’m aware I could save some overhead by reconfiguring but looking at the network traffic monitor I was happy enough with the throughput I got through Tailscale’s LAN routing)
Can you use it like a VLAN for segmenting devices? I have eero’s and a firewalla but since my eero’s don’t support tagged vlan traffic I can’t segment my devices as much as I’d like to.
(not an expert here) but my understanding is: sort of. I believe the biggest difference is that VLAN operates at Layer 2 and Wireguard works at Layer 3.
Personally, I use it to connect my home devices as if they were always together on the same LAN, even when they're not. E.g. Raspberry Pi, home NAS, "home" server that's actually in a different physical location, etc. All accessible anywhere at any time, even (say) from my laptop in a moving vehicle, without connections dropping even when my IP changes. It really is like magic.
At work, we use it so that remote employees can access locally-hosted applications, office NAS, etc. ACLs make it easy to employ the principle of least privilege, so that having a route into the office LAN doesn't immediately mean any and every device is compromised.
- Running a Jupyterlab instance on my desktop PC (WSL) and use it through my laptop from anywhere. Can also be accessible through phone/tablet if needed
- Simple routing of other services my PC exposes (Jellyfin for now)
- Access dev services running on my laptop through my phone without checking IP all the time
- Good replacement for AirDrop using Taildrop file sharing. AirDrop errors out if I try to use it on a "public" network (ex: University Wi-Fi)
- I have a SOHO setup at home: several PCs/my work laptop, raspberry pi, synology and ubiquiti. It means I can access the ubiquiti console and synology via the network as opposed to some janky proxy that those companies provide.
- taildrop is great for sending screenshots and files from my phone to (can't wait until they let me send URLs/links/txt like KDEConnect)
- I also have a raspberry pi setup in an ABNB in another country. When I'm traveling I can use my house as a proxy for US based services and the reverse is true - if I want my browsing to look like my IP address in another country I can.
The thing that sold me on it was managing remote (and I mean remote - like in a field in West Virginia with solar + cell) nodes. We started with using manually provisioned wireguard tunnels, but wg isn't great at things like failing over. Plus, our core infrastructure is on a slightly dynamic IP and we didn't want to route image upload through GCP. Tailscale made this problem go away. And then we got hooked on it for all developer access, having GitHub actions be able to push into our deployment, etc. It's pretty magical.
Seedbox access without exposing it to the wider web.
Managing personal devices.
One day I had to go to the office and only then did I notice my keepass hadn't synced in months. My home PC was sleeping so I SSH'd to my Openwrt box, got the MAC for my PC and used etherwake to start it. From there I used RDP to login and get an updated password. All from my phone.
Tailscale is a zero-friction VPN. You just install it on every machine, login on every machine and you get your own private network that just works. When I click on one of the machines in the admin console, I get a list of things it takes care of: "Varies" (Whether the machine is behind a difficult NAT that varies the machine’s IP address depending on the destination), Hairpinning, IPv6, UDP, UPnP, PCP, NAT-PMP. I don't even know what some of them mean, I thought PCP was something to get high on.
I run it on every device I own, plus a few at my parents' place. This way I can access my PC and my NAS from my phone, and my NAS from my PC, even though the NAS is behind my home router and the PC and the phone can be connected to a bunch of different networks.
I really like their engineering blog. They aren’t afraid to share what they actually did and what results they saw, even if the “common wisdom” was against it, like, IIRC, they were using SQLite as their database for a while.
For basic tunneling into home servers, is Tailnet.. overkill? Ie i could expose my IP via Dyn DNS, or i could use something like Cloudflare or Tailnet to tunnel into the network. However.. i'm not sure what the right fit is. Would you recommend Tailnet for someone who just wants to expose some internal IPs to the public in a safe way?
Tunneling compared to Dyn DNS at least has the advantage of more security via reduced access to ports. So maybe that alone is worth $5/m. .. well, $10/m, since i have two users. $10/m seems a bit steep just for some small access to my internal network for things like Camera Feeds, etc.
Dyn DNS + some safe self hosted VPN might be more affordable and just as safe compared to Tailscale.
.. thoughts on the best service to price ratio for my needs?
Depends on whether you're talking about stuff that you actually want to be "exposed to the public" (i.e. can receive traffic from any IP) or just "accessible from outside the LAN."
If the former, Tailscale isn't really a good fit since it only permits access to authenticated devices.
If the latter, Tailscale is perfect. It's a VPN in the original sense of the word, "private" being the operative term - your devices can communicate as if they were all on the same LAN, without worrying about their traffic being eavesdropped.
As for the pricing, I'm fairly confident that Tailscale won't mind if you're sharing a free plan (so single-user) across e.g. your laptop and your wife's, even though there are technically two "users" there. They've made it pretty clear that the divide they care about is "personal use free, company use paid."
On the note of free plan. It's actually a bit of a shame.. i want to pay, i like $5/m, but it looks like $5/m is less devices than if i used free?
Though i just noticed that the Personal Pro plan works with up to 100 devices for $4/m. Might give that a try. I really like paying.. as i hate free VC services.
edit: Wow, the signup requirement is bizarre though. I don't have or want Google or Microsoft.. i do have a Github, which i guess i'll have to use... but what the hell? So odd that i can't just signup with my email.
Yeah, they get a lot of flak for that from HN. Doesn't bother me personally, but I can see why it would be a dealbreaker for some people. On the other hand, I sympathize with their decision to just not have to worry about storing passwords, account recovery, and all the associated headaches, because I hate those headaches too.
My guess is they will eventually add a sign-up-with-email option, but it's pretty far from the top of their priority list.
In researching the email issue i saw a fair number of people arguing to decouple accounts from identities. I thought that was fair. I use Github and i have no problem there, but i didn't want some snafu on my account (Github) to somehow block my home network access.
So i just signed up with an alternate Github "Identity" account to use with Tailscale. Still feels weird, but we'll see how it goes.
Dynamic DNS with wireguard works great, especially for a small footprint (sounds like you only have one LAN you want to access remotely, not multiple sites). It'll be free, and you won't have any centralized cloud service you're dependent on.
Personally I host both of these services (dynamic DNS client, wireguard server) right on my WAN edge router, but you could also run it on a host (e.g., VM or raspberry pi) inside the LAN.
I'd say it depends on how many remote clients you plan to have, since you have to manually configure the associated key per client. Unlike a traditional VPN which was just username/password based (from the user perspective, anyway) wireguard is based on keys, which means if you want to get in remotely, you need to have a key which has been configured. If you only have a few clients, this is easy enough to get going. If you have lots of clients, or want to be able to easily add new clients, I can see it becoming cumbersome.
As far as setting it up securely, I don't think you're any worse off doing it yourself compared to using tailscale. You can define what networks each client may access. Personally I run wireguard on top of OpnSense, so I also have firewall rules in place to limit what any client can do from my remote-access network towards other parts of my network.
An interesting collab between cloudflare and tailscale could be to add cloudflare tunnel as a tailnet node to proxy public traffic into your private tailnet (with acls managed by your tailnet) as an alternative to opening ports on your firewall. This would give you true public access (if that's what you want) but also hide your ip and protect you from ddos etc. https://www.cloudflare.com/products/tunnel/
> For basic tunneling into home servers, is Tailnet.. overkill
It's a service. You just pay money and they take care of it, instead of running this all by yourself.
> thoughts on the best service to price ratio for my needs?
You can buy VPS for $14/3m = $4.66/m and configure Headscale or whatever on it. Fixed public IP, no need for DynDNS, no user/$ limit except CPU/RAM - you can have whatever you want on it.
EDIT: found out they even have a $11/3m plan = $3.66/m.
I found the blog post slightly confusing because it never explicitly spells out that endorsing a new node is a manual operation that the administrator has to perform from one of the trusted nodes. Of course this is what you'd want, anything automatic would ruin the purpose of tailnet lock. But still not seeing it mentioned, neither in the text nor in the pictures, made me wonder what I had missed, until I watched the video which features that very step as part of the demo.
I had the same issue. I think the idea is that you build something yourself on a trusted node that decides whether or not to endorse a new node.
Off the top of my head I'd do something dead simple like verify the user account matches our domain and then also query an inventory system to verify it is indeed a device we manage through MDM (though I'm not sure how this will work for mobile devices. We don't MDM those).
When a new device attempts to join you should have some data on it via the API (User, OS, Tailscale version, source IP, machine name). You could use that data to decide to endorse it or not.
You could also use tailnet lock in this fashion, by issuing a `tailscale lock sign` command for the new node once you've verified the provenance of the new device. Because it involves signatures with keys on your device it could never be as simple as a REST API, but maybe we could offer a more easy to automate command or better client library support (suggestions welcome!)
Thanks for the feedback!! Writing the documentation for how this worked was a challenge, and it's good to hear what pieces we need to call out more strongly in the future.
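The exchange above (the coordination server can no longer add peers unless a trusted node has signed their key, and an admin endorses a new device manually with something like `tailscale lock sign` after checking its provenance) is modelled in this added example. It is not Tailscale's code or wire format: the PeerEntry/JoinRequest fields, the Ed25519 signing, the "trust store" name and the sample keys are all assumptions constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// PeerEntry is one record the (untrusted) coordination server hands a node.
// Hypothetical layout; the node keys used below are constructed sample bytes.
type PeerEntry struct {
	Name      string
	NodeKey   []byte            // peer's WireGuard public key (32 bytes)
	Signature []byte            // endorsement over NodeKey, nil if unsigned
	SignedBy  ed25519.PublicKey // signing key that claims to endorse it
}

// TrustStore is the set of "lock" signing keys the tailnet admin marked trusted.
type TrustStore struct{ trusted map[string]ed25519.PublicKey }

func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore {
	ts := &TrustStore{trusted: make(map[string]ed25519.PublicKey)}
	for _, k := range keys {
		ts.trusted[string(k)] = k
	}
	return ts
}

// Verify returns nil only when NodeKey carries a valid signature from a trusted key.
func (ts *TrustStore) Verify(p PeerEntry) error {
	if len(p.Signature) == 0 {
		return fmt.Errorf("%s: no endorsement signature", p.Name)
	}
	k, ok := ts.trusted[string(p.SignedBy)]
	if !ok {
		return fmt.Errorf("%s: endorsed by a key that is not trusted", p.Name)
	}
	if !ed25519.Verify(k, p.NodeKey, p.Signature) {
		return fmt.Errorf("%s: signature does not match node key", p.Name)
	}
	return nil
}

// FilterPeers applies the lock to a peer list: endorsed peers are kept,
// everything else is dropped with a reason the node can log.
func (ts *TrustStore) FilterPeers(list []PeerEntry) (kept []PeerEntry, dropped []string) {
	for _, p := range list {
		if err := ts.Verify(p); err != nil {
			dropped = append(dropped, err.Error())
			continue
		}
		kept = append(kept, p)
	}
	return kept, dropped
}

// Endorse models what an admin does on a trusted node: sign the new device's
// node key with the local signing key, which never leaves that node.
func Endorse(signer ed25519.PrivateKey, nodeKey []byte) []byte {
	return ed25519.Sign(signer, nodeKey)
}

// JoinRequest is the metadata the commenter above expects to have when a
// device asks to join (user, OS, client version, source IP, machine name).
type JoinRequest struct{ User, OS, Version, SourceIP, MachineName string }

// ShouldEndorse is the "dead simple" policy sketched above: the user is in our
// mail domain and the machine is in the MDM inventory (both inputs assumed).
func ShouldEndorse(r JoinRequest, domain string, inventory map[string]bool) bool {
	return strings.HasSuffix(strings.ToLower(r.User), "@"+domain) && inventory[r.MachineName]
}

// sampleKey builds a constructed 32-byte "node key" filled with one byte value.
func sampleKey(b byte) []byte {
	k := make([]byte, ed25519.PublicKeySize)
	for i := range k {
		k[i] = b
	}
	return k
}

// Scenario runs a constructed peer list through the lock: two endorsed peers,
// one unsigned injection, one signed by an untrusted key, one swapped node key.
func Scenario() (kept, dropped int, reasons []string) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // not in the trust store
	ts := NewTrustStore(adminPub)
	laptop, nas, injected, tampered := sampleKey(0x11), sampleKey(0x22), sampleKey(0x33), sampleKey(0x44)
	list := []PeerEntry{
		{"laptop", laptop, Endorse(adminPriv, laptop), adminPub},
		{"nas", nas, Endorse(adminPriv, nas), adminPub},
		{"injected-unsigned", injected, nil, nil},
		{"injected-rogue-signer", injected, Endorse(roguePriv, injected), roguePub},
		{"tampered", tampered, Endorse(adminPriv, laptop), adminPub}, // valid signature, wrong key
	}
	k, d := ts.FilterPeers(list)
	return len(k), len(d), d
}

func main() {
	k, d, reasons := Scenario()
	fmt.Printf("kept %d peers, dropped %d\n", k, d)
	for _, r := range reasons {
		fmt.Println("  rejected:", r)
	}
	req := JoinRequest{User: "alice@example.com", OS: "linux", Version: "1.34", SourceIP: "203.0.113.7", MachineName: "alice-laptop"}
	fmt.Println("policy endorses alice-laptop:", ShouldEndorse(req, "example.com", map[string]bool{"alice-laptop": true}))
}
```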
I have little to no idea what Tailscale does. Is it a VPN like Mullvad? What makes it so special?
I've heard a bit about tailscale networks connecting devices together easily. Is it for your own network only, or can other people access your tailscale devices directly as well?
Ie, I host a minecraft server on my linux desktop. Can tailscale help me in the use case of providing an IP to people to connect to it? Or am I just back to regular old port forwarding and my external IP?
Tailscale is just fancy software that creates peer to peer encrypted tunnels between your devices using wireguard.
You can think of it as a LAN for all your devices regardless of what network they’re physically connected to.
The default use case of Tailscale is to have a private LAN, just for you, not your friends. This is changing now, though.
Tailscale does as of recently have the ability to do what you’re saying for Minecraft. It’s called Tailscale Funnel. This lets you expose a port on any of your devices to the public internet with a TLS enabled host name.
Another option for your Minecraft server is to use Cloudflare Tunnel. Works great for this kind of thing and is pretty much functionally equivalent to Tailscale Funnel.
I recommend against using Funnel for this use case (because it exposes your server to everyone in the world, not just your trusted users). Tailscale node sharing is free and secure for private networks of friends, and there are lots of people using it with Minecraft: https://tailscale.com/kb/1084/sharing/
To answer the question in another thread, node sharing also works with UDP. (Funnel is TCP-only due to the vagaries of IP addresses and TLS certificates when facing the outside world, sigh.)
Does either Funnel or Tunnel allow this use case for old UDP-based games like Quake etc?
I would like to just be able to send strangers a temporary permalink to my server for a one-off session, then turn it off or have it expire automatically once we're finished. This would not be feasible if I have to also ask whomever I come across to install clients, as opposed to just connecting from within the game.
If you want to host a Minecraft server, ZeroTier is probably better. It has a couple of options that make it easier for third parties to be able to connect including automatically authorizing new connecting nodes, or an option where if you connect to a particular ZeroTier network, anyone with your ZeroTier IPv6 can connect to the corresponding port (I forget their exact name, but it's pretty slick).
Wow, I was advocating for switching to Tailscale (from just manual SSH key management) and was asked if we could do pretty much exactly this. Great to see such quick progress.
From a business sense, it would likely be a reasonable and profitable acquisition for both parties.
From a personal standpoint, I would like to see Cloudflare (among others) smashed into a neutral backbone provider and all its product offerings spun off, ala https://en.wikipedia.org/wiki/Breakup_of_the_Bell_System. It's dangerous for one company to control so much of the internet's infrastructure and it's causing massive problems (like https://news.ycombinator.com/item?id=32912075). Tailscale should remain independent.
“@dang” doesn’t do anything on HN. Emailing the mods using the footer Contact link is the fastest way – and the only certain way – to get the mod team’s attention (including but not limited to dang).
I think he does have a script checking for mentions because he does tend to reply to <at>dang, which is fairly easy to set up even if no infra on hn itself supports it.
There are more mods than just dang. Emailing the contact address notifies all of them, and lets them make more rapid fixes, than depending on one single person to write tooling for what you describe.
If mentioning dang does work, why didn’t it work for the forty-five minutes prior to my reply, and then work five minutes after?
I’ve emailed the mods tens of times over the years to point out a thread that has a correction, or that I think dang may want to reply to, without saying that I’ve done so. Did I do so this time? (Y/N)
Assigning meaning to the timing is inappropriate, as it disregards the possibility of coincidence (he found the thread organically), unstated actions (someone emailed the mods), and/or human distraction (he was at lunch) by the however-notified dang.
I also view it as impolite to try using @dang to burden all mod duties onto one person rather than to a team of mods. Whether it works or not, it’s evidence of site users setting dang up in their minds as a single point of failure – either because they think it’s the only way, or for the convenience of not having to write a two sentence email to the mod team. That irks me, and so I occasionally post a reminder about the contact form, phrased to allow for the cases where the @ is just a learned behavior and they just don’t know about the contact link in the footer yet.
Tailscale are _the_ company pushing the state of the art in VPNs, and they write great, detailed technical articles and whitepapers about it. As someone who has worked on a different, more traditional, enterprise VPN product, this is extremely interesting to me. Most other companies have neither the cool tech (most haven't even switched from IPsec), nor the ability to put out anything other than marketing fluff, nor the focus to actually keep working on the core VPN tech instead of trying to check all boxes (monitoring/firewalling/device management/...) but not innovating anywhere. Tailscale also scales down to individual, private users, has a free plan, some open source code and an open source reimplementation, all of which appeals to the HN audience.
This article in particular is interesting because Tailscale inserting malicious nodes is the #1 concern I had around their product, and their solution (tailnet locks) is interesting and probably better than the solution I would have come up with (using Wireguard's support for additional symmetric secrets).
Obviously "every single day" is hyperbole, but I agree with you that a much higher proportion of Tailscale blog posts end up on the front page than most corporate blogs.
Finally I think it comes down to this: Tailscale is full of the same kind of people who tend to hang out on Hackernews. HN loves Tailscale because Tailscale is HN's ingroup.
Fly.io is in a similar situation, and similarly sees a higher-than-average fraction of their blog posts getting traction on HN.
For an interesting counterexample, look at warp.dev. They have a lot of the same markers - tackling an interesting problem that affects many HNers daily (the limitations of the terminal), building things from the ground up in Rust, and writing highly technical blog posts about it - but at the same time, it's clear that as an organization, they don't quite get it. They can't understand, for instance, why putting telemetry in their terminal emulator is absolute suicide as far as HN is concerned, or why "moving the terminal to the cloud" is a phrase that will never make HN happy. Unlike Tailscale and Fly, they are not "of the race that knows Joseph", as it were.
That's not to say that there aren't individuals at Warp who are members of the HN ingroup. But at the organizational level, Warp just isn't quite it.
Excellent counterexample. I think they made a huge mistake by not only sticking to their guns on telemetry, but also building a terminal client that you need to log in to even to use it.
I remember opening it, seeing a GitHub login page and instantly closing it.
As a (typical?) HNer, there are many reasons. (a) TailScale was founded and is populated by people I followed online before, during, and after my and their tenures at Google, or just followed online already if they're not Xooglers (b) their product is extremely useful, and almost every non-enterprisey new feature they add is immediately or potentially useful to me, and I'm only running a couple of Raspberry Pis and a Minecraft server (c) I like Go, and they use Go extensively, often improving Go in the process, or at least documenting interesting performance characteristics and application design architectures (d) they have managed to find an interesting and rare balance point, to applying commercially viable product funding to a whole host of open source improvements and contributions, and (e) the basic components of their product (Wireguard, networking details, Kernel integration, etc.) are extremely in my areas of interest even independent of the product itself.
They're not. It's just roughly when they post a new blog entry, which is... usually about once a week? Sometimes it's about new features, sometimes it's about internals which might be helpful for other people to know about (like the previous entry was about internals of the TUN/TAP, and how they managed to speed it up a bunch).
Because someone submits them, and others upvote them. It's really not complicated. There's no deep conspiracy to promote Tailscale here. They're not even a YC company.
> ...by architecting our infrastructure with security and privacy in mind.
The blog and the website loads in so many trackers (reasonable, given metrics are important when you're busy hyperscaling a venture-backed startup), that folks at Tailscale should seriously reconsider positioning themselves as some paragons of privacy. No offence (:
> ...practice perfect anonymity to sell a product which does have security/privacy in mind?
So are free users "the product?" No. If we're going to fix the Internet, there's no point only fixing it for big companies who can pay a lot. That misses the point of the whole adventure. The Internet is for everyone. We have to fix it for everyone, or why bother? We knew we had to design a business model and a technical architecture that removes any incentive to abuse your privacy. - CEO at Tailscale, https://archive.is/R7jqw