If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.
If you are exposing a handful of hardened services on infrastructure you control, Tailscale adds complexity for no gain. If you are connecting machines across networks you do not control, or want zero-config access to internal services, then I can see its appeal.
These days, that seems insane.
As the traffic grew, as speeds increased, licensing became necessary.
I think, these days, we're almost into that category. I don't say this happily. But having unrestricted access seems like an era coming to an end.
I realise this seems unworkable. But so was the idea of a driver's license. Sometimes society and safety comes first.
I'm willing to bet that in under a decade, something akin to this will happen.
The point of a driver's license is that driving a ton of steel around at >50mph presents risk of harm to others.
Not knowing how to use a computer - driving it "poorly" - does not risk harm to others. Why does it merit restriction, based on the topic of this post?
It’s why Cloudflare exists, which in itself is another form of harm, in centralising a decentralised network.
1. "Unpatched servers become botnet hosts" - true, but Tailscale does not prevent this. A compromised machine on your tailnet is still compromised. The botnet argument applies regardless of how you access your server.
2. Following this logic, you would need to license all internet-connected devices: phones, smart TVs, IoT. They get pwned and join botnets constantly. Are we licensing grandma's router?
3. The Cloudflare point undermines the argument: "botnets cause centralization (Cloudflare), which is harm", so the solution is... licensing, which would centralize infrastructure further? That is the same outcome being called harmful.
4. Corporate servers get compromised constantly. Should only "licensed" corporations run services? They already are, and they are not doing better.
Back to the topic: I have no clue what you think Tailscale is, but it does increase security, only convenience.
Are you saying "unlicensed" where you mean "untrained?"
If someone breaks regs, you want to be able to levy fines or jail. If they do it a lot, you want an inability to drive at all.
It's about regulating poor drivers. And yes, initially vetting a driver too.
I don't think it's about driving ability, besides the initial vetting.
As an aside, I dislike tailscale, and use wireguard directly.
Back to the topic: Your connected device can harm others if used poorly. I am not proposing licensing requirements.
Understand, I am not advocating this. I said I did not like it. Neirher of those statements have anything totk do with whether I think it will come to pass, or not.