Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Related: note also that tailscale's tailnet 100.* subnet is som form of CGNAT public ip block. I think Tailscale thought long and hard about this, and landed on it because it was a path of lesser resistance to break fewer things. And if you squint they fit the stated purpose.

But even if browsers now implement PNA the tailnet itself is public address space, so that vector still exists. I wonder if browsers (and eventually standards) will be pressured to treat those blocks as private.



The real takeaway here is that you should never treat any network boundary as critical for security. This is true whether it's a physical boundary or a virtual one (with TS being one example of the latter).

If your private net is full of trivial to access things with no access control or horribly insecure services, that's a huge problem. There are many many many ways to hop over firewalls. Hostile JS on web sites is just one.

Network boundaries are only first lines of defense in what should be a defense in depth strategy. Never depend on any one single boundary completely.

My personal criteria is: if it's not secure enough to be connected directly to the Internet with no firewall, it's broken. Make it that secure and then put it on a secure network.


We're crazy to allow any program to talk on the network by default. Then when we run js we allow the browser, a user executed program, to decide what level of network control it will exercise. This laissez-faire attitude to controlling communication paths, or even awareness, makes lateral movement so much easier.

The lack of integrated authentication services is one reason why so many things are completely open. It's too hard to set up and manage user credentials, and in any case, programs shouldn't have access to user credentials, they should get delegated permission. AD has made everything too hard, we need a TOFU like dynamic machine identity exchange, which then allows individuals users to execute programs with particular network capabilities.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: