zlacker

I wonder who's going to have to end up hiding out in a US-hostile part of the world for us to read this part of the cloudflare FAQ: https://developers.cloudflare.com/ssl/troubleshooting/faq/#w...

replies(3): >>wutwut+C4 >>kuschk+Zq >>rolph+eC

>>whatsh+(OP)
The world’s largest MITM

replies(2): >>pbhjpb+d5 >>chgs+j5

>>wutwut+C4
Lol, I'm a bit slow ... some USA TLA runs Cloudflare, right?

replies(1): >>wutwut+Ug2

>>wutwut+C4
Tech bros love it. And tailscale. And saas as a whole. Data sovereignty means you can’t be kind by the adtech industry so it’s not cool.

replies(2): >>vitno+vc >>j45+IE

>>chgs+j5
Calling out tailscale here is odd considering it's peer-to-peer and encrypted.

replies(1): >>chgs+Tc

>>vitno+vc
With keys controlled by a central entity

replies(1): >>Handpr+Tg

>>chgs+Tc
do you have a source for that?

replies(1): >>mikeho+Ft

>>whatsh+(OP)
See https://github.com/justjanne/stickers/blob/main/designs/ssl%...

>>Handpr+Tg
Tailscale [0] says the private keys never leave the device.

“Security

Tailscale and WireGuard offer identical point-to-point traffic encryption.

Using Tailscale introduces a dependency on Tailscale’s security. Using WireGuard directly does not. It is important to note that a device’s private key never leaves the device and thus Tailscale cannot decrypt network traffic. Our client code is open source, so you can confirm that yourself.”

0. https://tailscale.com/compare/wireguard

replies(2): >>sdht0+bJ >>d-z-m+fV2

>>whatsh+(OP)
a single encryption is for the stone age.

if [pecadillo] must remain secret when your nieghbour is investigated for [crime?] then encrypt at least twice, and obfusicate the original message

>>chgs+j5
Not sure what the issue is with Tailscale, especially since you can self-host Headscale server locally to get the same effect.

replies(1): >>chgs+Oj2

>>mikeho+Ft
To add to that, they also provides Tailnet lock [0], which protects from the only way the coordination server can mess with the tailnets, by connecting unauthorized nodes.

[0] https://tailscale.com/kb/1226/tailnet-lock

>>pbhjpb+d5
tin foil hat time, but who do you think the MITM is for?

>>j45+IE
Headscale is fine. With tailscale they control the deployment of public keys to devices, and can thus deploy anything they want to.

replies(1): >>j45+4J2

>>chgs+Oj2
Good to know.

Have they ever deployed anything they want to devices?

replies(1): >>broken+0K3

>>mikeho+Ft
That is true as far as it goes, but how does your node learn the public keys of the other nodes in your tailnet? My understanding is that they are provided by the coordination server, so you have to trust that the public key the coordination server gives you is actually the one for your peer device.

Tailnet lock helps mitigate this by requiring that node public keys are signed by a trusted signing node, but it isn't bulletproof.

replies(1): >>Aerbil+8L3

>>j45+4J2
The direction you're heading in sounds very similar to the arguments that may have been made pre-Snowden about mass-surveillance.

>>d-z-m+fV2
Public key cryptography doesn’t work like that. If you were given wrong public keys you wouldn’t be able to connect to start with.

replies(1): >>d-z-m+Tv4

>>Aerbil+8L3
> Public key cryptography doesn’t work like that

Like what? I'm saying both sides of the connection would be given the wrong public keys by the coordination server. The private keys of which would be held by a MITM.