tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Is insecure DERP secure? #12107

Closed hellodword closed 1 month ago

hellodword commented 1 month ago

DERP relay servers do not log your data — you can confirm this yourself as the code is open-source. Even when your connection uses a DERP relay server, the only data Tailscale could see and capture is encrypted.

InsecureForTests might go away in the future. It's really just for tests.

I'm curious about what's the worst thing when:

  1. The connection is insecure; I mean, not protected by well-configured TLS, so a bad guy is able to do a MITM attack.
  2. The DERP relay server is insecure; bad guys may do a MITM attack on it.

So will people be well protected by the end-to-end encryption feature of Tailscale in these cases?

hellodword commented 1 month ago

And I'll explain how these cases are useful in the real world:

  1. In some countries of the world, all domains are required to obtain a license, with crazy internet censorship, so people may use self-signed certs. Yeah, we could add the custom CA's roots to client machines, but most of us cannot maintain certificate stuff in the right way; it will cause an insecure connection.

  2. Not all users want to maintain a DERP relay server, so it'll be shared with friends, or provided as a public welfare server. In this case, the DERP relay server is insecure.

  3. Servers may be hacked by hackers, or by the cloud providers.

And I hope Tailscale could provide the threat model because I didn't find it; correct me if I missed anything :)

bradfitz commented 1 month ago

Yes, it's still secure without https. The second layer of encryption isn't required.

Well, one place it's required: the web-based wasm SSH client runs Tailscale in the browser, where there's no UDP available to wasm, so it can only use DERP. And the browser won't permit a websocket connection to http from https (at least without increasingly scary warnings).

And some firewalls only permit outbound TCP 443.

So https it is.
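As an added illustration of the answer above (example code written for this page, not Tailscale's or WireGuard's own implementation): two peers derive an AES-GCM session key from an X25519 exchange and pass frames through an untrusted relay. The relay stands in for a DERP server reached over plaintext HTTP, or one operated by someone you do not trust; it can read and modify every frame it forwards. The key derivation (SHA-256 of the raw DH output, one key for both directions) is a deliberate simplification of WireGuard's Noise handshake, and the peer names and sample payload are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer holds a long-term X25519 key pair. It stands in for a node's
// WireGuard key; the real Tailscale handshake is not reproduced here.
type Peer struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewPeer(name string) (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, priv: priv}, nil
}

func (p *Peer) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// sessionAEAD derives an AES-256-GCM key from the X25519 shared secret.
// Simplification: WireGuard runs a full Noise_IK handshake with HKDF and
// separate send/receive keys; hashing the DH output is enough to show the
// property under discussion (the relay never holds the key).
func (p *Peer) sessionAEAD(remote *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(remote)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload for remote. The returned frame is all the relay
// ever sees: a random nonce in the clear, then ciphertext plus GCM tag.
func (p *Peer) Seal(remote *ecdh.PublicKey, payload []byte) ([]byte, error) {
	aead, err := p.sessionAEAD(remote)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, payload, nil), nil
}

// Open decrypts a frame from remote; any byte changed in transit fails the tag check.
func (p *Peer) Open(remote *ecdh.PublicKey, frame []byte) ([]byte, error) {
	aead, err := p.sessionAEAD(remote)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(frame) < ns+aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	return aead.Open(nil, frame[:ns], frame[ns:], nil)
}

// Relay models an untrusted DERP-like hop. It records every frame it sees
// and, when Tamper is set, flips one ciphertext byte the way an on-path
// attacker on an unprotected TCP connection could.
type Relay struct {
	Observed [][]byte
	Tamper   bool
}

func (r *Relay) Forward(frame []byte) []byte {
	r.Observed = append(r.Observed, bytes.Clone(frame))
	out := bytes.Clone(frame)
	if r.Tamper && len(out) > 0 {
		out[len(out)-1] ^= 0x01
	}
	return out
}

// RunScenario sends one constructed message from alice to bob via the relay and
// reports whether the relay saw the plaintext and what bob decrypted.
func RunScenario(tamper bool) (relaySawPlaintext bool, received string, err error) {
	alice, err := NewPeer("alice")
	if err != nil {
		return false, "", err
	}
	bob, err := NewPeer("bob")
	if err != nil {
		return false, "", err
	}
	msg := []byte("ssh payload: constructed sample") // constructed sample payload
	frame, err := alice.Seal(bob.PublicKey(), msg)
	if err != nil {
		return false, "", err
	}
	relay := &Relay{Tamper: tamper}
	delivered := relay.Forward(frame)
	relaySawPlaintext = bytes.Contains(relay.Observed[0], msg)
	plain, err := bob.Open(alice.PublicKey(), delivered)
	if err != nil {
		return relaySawPlaintext, "", err
	}
	return relaySawPlaintext, string(plain), nil
}

func main() {
	saw, got, err := RunScenario(false)
	fmt.Printf("honest relay: sawPlaintext=%v received=%q err=%v\n", saw, got, err)
	saw, got, err = RunScenario(true)
	fmt.Printf("tampering relay: sawPlaintext=%v received=%q err=%v\n", saw, got, err)
}
```

What the example shows is the scope of the end-to-end layer: a relay (or a MITM on a plaintext hop to it) gets ciphertext it cannot read, and any modification is rejected by the receiver rather than silently accepted. What it does not hide is what a relay still learns and can do, and a threat model should list it explicitly: frame sizes and timing, which peer keys are exchanging traffic, and the ability to drop or delay frames. TLS to the DERP server protects that metadata on the client-to-relay path and, as the answer notes, is what browsers and 443-only firewalls require; it is not what keeps the payload confidential.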