I was not referring to docker-machine here, I'm not sure why you think I was referring to it (I didn't even mention it). I was talking about people who do `dockerd -H tcp://:8080` and ignore the warning that tells them this is insecure. This is not a strawman, there were blog posts in the past few months where they mentioned in passing that their firewall was misconfigured and allowed unauthenticated access to their Docker hosts[1].
I didn't mention TLS certificates with -H tcp:// because it wasn't really related to the main point I was making -- yes you can configure it to be secure but again security is not the default. I felt so strongly about this I pushed for having a required flag to allow insecure TCP access[2]. I am more than aware this can be done safely, it just isn't done safely often enough that you see this type of misconfiguration in blog posts.
Security with client certificates is the default using the vendor-supplied tooling for bringing up remote docket hosts, docker-machine. This is why I brought it up. It’s not some 3p whatever, this is the vendor’s tooling and it is not insecure by default.
I didn't mention TLS certificates with -H tcp:// because it wasn't really related to the main point I was making -- yes you can configure it to be secure but again security is not the default. I felt so strongly about this I pushed for having a required flag to allow insecure TCP access[2]. I am more than aware this can be done safely, it just isn't done safely often enough that you see this type of misconfiguration in blog posts.
[1]: https://kromtech.com/blog/security-center/cryptojacking-inva... [2]: https://github.com/moby/moby/pull/37299