
> if an attacker is able to compromise Tailscale and add a key to your tailnet

that's why tailscale has https://tailscale.com/kb/1226/tailnet-lock

> that person will immediately have access to your network AND shell access to all of your boxes

it would be extremely weird and negligent to deploy Tailscale at a company and not have any ACLs.



Tailscale lock looks interesting -- I had not seen that before.

ACLs still come down to "just trust tailscale is working as advertised." And while I generally do (I'm a happy user), if the last few years have shown anything, for the vast majority of companies/products, it's not if you get compromised, it's when. Given that, I'd prefer to have multiple distinct layers between the internet and my boxes.

Though I definitely see the value in terms of being able to easily tie SSH access to ACLs and your SSO provider -- as with all things security it's a trade-off between ease of use and locking everything down.


Don’t need to add a key, if you have access to the network interface on a laptop or server you are effectively that entity. ACLs are just one level of defense, and iirc you can force re-auth on SSH connections but it certainly becomes a single point of compromise.
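As an added illustration, not taken from any comment above, of what the "ACLs plus SSO-tied SSH with forced re-auth" layer discussed in this thread looks like in practice, here is a sample Tailscale policy file; the group members, e-mail addresses, tag name and check period are made-up placeholders:

```jsonc
{
  // Operations group; identities are placeholders.
  "groups": {
    "group:ops": ["alice@example.com", "bob@example.com"]
  },

  // Only ops may apply tag:prod to machines, so a stray node
  // cannot claim to be production.
  "tagOwners": {
    "tag:prod": ["group:ops"]
  },

  // Network ACLs are default-deny: the only permitted flow is
  // ops -> port 22 on prod machines. Tailscale SSH still needs
  // this port-22 rule to exist.
  "acls": [
    { "action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22"] }
  ],

  // Tailscale SSH rules. "check" requires a fresh login to the
  // identity provider before a session is allowed, re-prompted
  // after checkPeriod, so a stolen node key alone is not enough.
  "ssh": [
    {
      "action": "check",
      "src": ["group:ops"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot"],
      "checkPeriod": "4h"
    }
  ]
}
```

A machine in group:ops that is compromised can still reach port 22 on tag:prod, which is the single-point-of-compromise concern raised above; the "check" action narrows that exposure by tying each session to a recent IdP login rather than to the node key alone.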



