Saw that when it came out, yikes, but here it makes my point for me.
The zerotier software failed - as such you could (in the simplest terms) bypass the transport “firewall”. At no point could you execute code on my machines. At no point could you spoof any authorization layers outside of what’s required to reach my ports. So when the model catastrophically failed here, attackers still cannot login to my machine. Other attacks might make this possible (e.g. code exec in the agent), but were not found - I suspect due to the lack of attack surface.
All software can have serious bugs, which is why you do defense in depth. Never depend on just one thing for your entire security perimeter.
Outside narrow very well defined cases where proofs of security are possible, it might be impossible create perfectly secure computing systems due to the insolubility of the halting problem and the sheer size of the combinatorial space.
If you watch the CVE announcements it's a continuous stream of serious bugs in all kinds of major software applications including OSes, web browsers, networking hardware, VPNs, cryptographic libraries, and so on. Microsoft, Apple, Cisco, etc. have serious vulnerabilities fairly often.
Wireguard never had, and probably will not have, a serious vulnerability (one allowing bypassing a tunnel). The attack surface is small, and you can carefully review the code, even formally verify it. The devices could all tunnel out to a nearby VM in the cloud.
This vulnerability is very critical, and discovered by an undergrad (not a security team): Code execution in local machine, taking over tailscaled, hijacking the coordination server, adding nodes, SSHing into machines, SMB shares, etc. The users are owned if attacked, and this was supposed to be a security-focused product.
Part of the problem is the feature bloat, that Wireguard deliberately avoided. Like, I want a mesh VPN, not an alternative to OpenSSH or Dropbox as well. The integrations add code, and it’s hard to secure a larger code base.
The response from Tailscale has been excellent though. Hopefully they will take measures to prevent such issues. This is a VPN after all!
> Wireguard never had, and probably will not have, a serious vulnerability (one allowing bypassing a tunnel).
True, but even the bare minimum WireGuard VPN still has a lot of stuff other than WireGuard. There's going to be a configuration protocol, software to create a tunnel device on the system, a management protocol, software updates, a UI, identity management or some kind of login/auth system, etc.
No one is asking for “perfect security”. We all agree with you, that is impossible. What many security professionals want from this product is a stable network transport tunnel with well-defined attack surface. We understand defense in depth, which is why we disable ssh authZ in tailscale, for example.
Now imagine you are an enterprise user of tailscale, you diligently elected not to trust it with login to your boxes, but you still got pwned because of “taildrop”, a feature no one on your team uses, wants, or knew was enabled.
Software vulnerabilities happen at a rate that highly correlates with size of attack surface. The attack surface here is pretty clearly too high (bad “defense in depth” as you say), and I hope they provide mechanisms in the future for disabling all this bloat, otherwise offerings like zerotier will eat their lunch.
The zerotier software failed - as such you could (in the simplest terms) bypass the transport “firewall”. At no point could you execute code on my machines. At no point could you spoof any authorization layers outside of what’s required to reach my ports. So when the model catastrophically failed here, attackers still cannot login to my machine. Other attacks might make this possible (e.g. code exec in the agent), but were not found - I suspect due to the lack of attack surface.