Closed hellodword closed 1 month ago
And I'll explain how these cases are useful in real-world:
In some countries of the world, all domains are required to obtain a license, with crazy internet censorship, so people may use self-signed certs. Yeah we could add the custom CA's roots to client machines
, but most of us can not maintain certificates' stuff in the right way, it will cause insecure connection.
Not all user want to maintain a DERP relay server, so it'll be shared with friends, or provided as a public welfare server. In this case, the DERP relay server is insecure.
Servers maybe hacked by hackers, or by the cloud providers.
And I hope tailscale could provide the thread model because I didn't find it, correct me if I missed anything :)
Yes, it's still secure without https. The second layer of encryption isn't required.
Well, one place it's required: the web based wasm SSH client runs Tailscale in the browser where there's no UDP available to wasm so it can only use DERP. And the browser won't permit a websocket connection to http from https (at least without increasingly scary warnings)
And some firewalls only permit outbound TCP 443.
So https it is.
I'm curious about what's the worst thing when:
So will people be well protected by the end-to-end encryption feature of tailscale in these cases?