That's unnecessary sensationalism. Most of those vectors are behind an SSO login and are not exposed to the Internet at all (from the article: "your browser becomes a Tailscale client, and joins your tailnet in the same way as any other device that you run Tailscale on").

Or, did you mean attacks on SSO? If that's the case, then SSH web wouldn't make any difference. Someone authenticating themselves could use regular SSH or whatever.

Similarly, the Tailscale backend is already subject to the vectors you mentioned (API, side-channel attacks). This feature doesn't add any new attack vectors.

Again, attacks on the browser mean end of game already. Someone can use that vector to access your local network in other ways. They don't need Tailscale's SSH web client for that.



> Again, attacks on the browser mean end of game already.

A bad Chrome extension does not allow the bad guys to open a terminal on my machine, load my ssh keys, launch an authenticated SSH connection, and launch an authenticated SSH connection into an enumerated list of remote servers.


A malicious browser extension can access your email, SSO prompts, password manager, etc, and therefore gain access to your Tailscale network anyway. SSH web doesn't add a new threat vector here. It's already game over.


A browser extension cannot access your email or password manager. But it can use this new security hole created by Tailscale.


If the extension in question has the read/modify all websites permission, why would it not be able to access your email or password manager?


Not OP, but... my email and password managers are not websites. I have a local app that does email, I have a local app that does password management. So the extension could certainly access passwords I put into my browser, but I don't see a vector to the "keys to the kingdom" so to speak.


The most popular password managers (1Password, Bitwarden, LastPass) have a web UI.


Sure, and I use Bitwarden. I just don't use the web UI, specifically to avoid issues like malicious extensions, Firefox exploits, etc.

I'm aware that web-based email and credential managers exist, but GP asked "...why would it not be able to access your email or password manager?" I answered that, with my app choice, I don't see how they could.


Who's using extensions in a work context anyway? I only use an ad-blocker because it's safer from a malware perspective.


> Who's using extensions in a work context anyway?

literally everyone?


React Developer Tools, for example.


Ah, thanks. I'm more on the sysadmin side for my day job, and didn't even know about this. I'll have to keep it in mind as I've been dabbling with learning a modern web framework and React was a candidate.
