Zero Trust

An Open-Source Solution

2025-05-27

I can think of a short list of things that are not supposed to happen:


Regarding the last item on this list, Tailscale revealed, via an unintentional “fire test”, just how completely backwards their design is.

Basically, someone signed in with an email like name@poczta.pl (a free public email provider similar to Gmail). Disturbingly, they found IoT devices from a complete stranger connected to their network.
You can find the full details here.

You might ask, “How could a stranger sign into someone’s network?”

Simply put, Tailscale assumed that poczta.pl was a company/private domain and grouped all users with that domain into the same Tailnet. Apparently, that domain was not on Tailscale’s “public domains” list.

This is bad for many reasons:

  • You could be sharing your private network with strangers.
  • Devices connected to the network can see each other and communicate freely, which is not something you want unless you trust the other users.
  • You might not even notice until something strange appears.
  • It is a huge security and privacy risk.

Tailscale did respond and acknowledged the issue, saying that they are working on a better identity model to prevent these problems in the future. The only issue is, unless a domain is on their special list of public providers, it will still be regarded as a private company domain and its users grouped together.
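To make the failure mode concrete, here is an added example (my own illustration, not Tailscale's or OpenZiti's code) that compares the denylist-style grouping described above with grouping only on domains whose ownership an admin has verified. The provider list, the verified domain imperfektus.example and the login addresses are all constructed for the example.

```python
"""Two ways of mapping a login email to a tenant (a 'Tailnet'-like group).

tenant_by_denylist approximates the behaviour described above: any domain
NOT on a public-provider list is assumed to be one organisation, so strangers
on an unlisted free provider end up sharing a tenant.
tenant_by_verified_ownership only shares a tenant for domains an admin has
proven control of; everyone else gets a personal tenant.
"""

# Constructed and deliberately incomplete: the point is that such lists
# can never be complete, so an unlisted provider is treated as private.
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed: hypothetical domain whose ownership has been verified
# (for example through a DNS TXT record checked by the control plane).
VERIFIED_ORG_DOMAINS = {"imperfektus.example"}


def _domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    return email.rsplit("@", 1)[1].lower()


def tenant_by_denylist(email: str) -> str:
    """Flawed model: unknown domain => assumed private => shared tenant."""
    domain = _domain(email)
    if domain in PUBLIC_PROVIDERS:
        return f"personal:{email.lower()}"
    return f"org:{domain}"


def tenant_by_verified_ownership(email: str) -> str:
    """Safer model: only a verified domain forms a shared tenant."""
    domain = _domain(email)
    if domain in VERIFIED_ORG_DOMAINS:
        return f"org:{domain}"
    return f"personal:{email.lower()}"


def shared_tenants(emails, assign):
    """Return {tenant: [emails]} for every tenant holding more than one user."""
    groups: dict[str, list[str]] = {}
    for email in emails:
        groups.setdefault(assign(email), []).append(email)
    return {tenant: users for tenant, users in groups.items() if len(users) > 1}


# Constructed logins: two strangers on a free provider, two real colleagues.
LOGINS = ["alice@poczta.pl", "bob@poczta.pl",
          "carol@imperfektus.example", "dave@imperfektus.example"]

if __name__ == "__main__":
    print("denylist model:", shared_tenants(LOGINS, tenant_by_denylist))
    print("verified model:", shared_tenants(LOGINS, tenant_by_verified_ownership))
```

Under the denylist model the two poczta.pl strangers land in one shared tenant; under the verified-ownership model only the verified domain does.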

Something we use at Imperfektus is NetFoundry's OpenZiti.
I actually have a teaser trailer from a podcast that explains this exact pain.
Have a watch of the full episode to see more.

I am sure that Michael Kochanik will bite my head off for saying that it is a WireGuard replacement (even though that makes it easy to understand), but if you are looking for a replacement for your legacy VPN that only does what you tell it, do have a look at OpenZiti.

๐˜ ๐˜ณ๐˜ฆ๐˜ค๐˜ฆ๐˜ช๐˜ท๐˜ฆ ๐˜ฏ๐˜ฐ๐˜ต๐˜ฉ๐˜ช๐˜ฏ๐˜จ ๐˜ฃ๐˜บ ๐˜ด๐˜ข๐˜บ๐˜ช๐˜ฏ๐˜จ ๐˜ต๐˜ฉ๐˜ช๐˜ด. I just ๐˜๐—ฟ๐˜‚๐—น๐˜† ๐—ฏ๐—ฒ๐—น๐—ถ๐—ฒ๐˜ƒ๐—ฒ ๐—ถ๐—ป ๐˜๐—ต๐—ฒ ๐—ฝ๐—ฟ๐—ผ๐—ฑ๐˜‚๐—ฐ๐˜.

If you are looking for a modern, open-source zero-trust solution, have a chat with NetFoundry and tell them that I sent you :)