• tailscale ..impressive

    From Ogg@VERT/CAPCITY2 to All on Thursday, June 01, 2023 19:50:00
    Recently, I got the headsup on tailscale. It's a pretty nifty almost-zero-config personal VPN for the purposes of
    establishing secure and encrypted tunnels over your own
    machines as a custom network.

    Prior to tailscale, I was using AnyDesk cuz it just worked and
    did not need any port forwarding pre-considerations. (My router
    has a broken port-forwarding feature - the settings didn't
    stick - but AnyDesk overcame that.

    At some point AnyDesk deemed my usage commercial primarily
    because I was using it too regularly. :(

    Then there was several months of time that I wasn't using
    anything at all and lived without the need to reach my remote
    machines for transferring files or observing processes.

    But tailscale is looking like a great solution!

    I can launch a VNC connection from my remote pc to my home pc.

    A VNC connection from my home pc to my remote pc is having an
    issue but I can work around it by accessing the Filezilla-
    server on the remote to transfer files to and from home.

    I am operting Win7 systems on both remote and home pc.

    Tailscale is availble for Win, iOS, MacOS, Android, Linux

    See https://tailscale.com/

    For a simple home "network" of machines, the free offering
    could be all that one needs.

    Tailscale takes care of the networking authenticated machines.
    After that, you can reach any service that any machine supports
    whether it is VNC, Remote Desktop, SSH, FTP, etc.. and you
    have a fully secure, and encrypted personal VPN.

    --
    ../|ug

    --- OpenXP 5.0.57
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Phigan@VERT/TACOPRON to Ogg on Friday, June 02, 2023 05:57:13
    Re: tailscale ..impressive
    By: Ogg to All on Thu Jun 01 2023 07:50 pm

    Recently, I got the headsup on tailscale. It's a pretty nifty almost-zero-config personal VPN for the purposes of

    Sounds pretty cool, but any time you're involving another party into the mix, there's always a chance they can evesdrop on you. Sure, they _say_ end to end encryption etc etc, but there's nothing stopping them from having a master key to all that encryption.

    Also, I would just forward one port, for SSH, to an internal host. Then, use SSH tunneling to connect to anything else from there. For Windows, RDP works better than VNC. File transfers can be done via ssh/scp, too.

    In the end, of course just use what is most comfortable and works for you. I'm just overly paranoid so using "self-hosted" things is my "comfort zone".

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
  • From MRO@VERT/BBSESINF to Ogg on Friday, June 02, 2023 09:02:24
    Re: tailscale ..impressive
    By: Ogg to All on Thu Jun 01 2023 07:50 pm

    Prior to tailscale, I was using AnyDesk cuz it just worked and
    did not need any port forwarding pre-considerations. (My router
    has a broken port-forwarding feature - the settings didn't
    stick - but AnyDesk overcame that.



    why dont you just buy a new router?
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Digital Man@VERT to Phigan on Friday, June 02, 2023 18:25:52
    Re: tailscale ..impressive
    By: Phigan to Ogg on Fri Jun 02 2023 05:57 am

    Re: tailscale ..impressive
    By: Ogg to All on Thu Jun 01 2023 07:50 pm

    Recently, I got the headsup on tailscale. It's a pretty nifty almost-zero-config personal VPN for the purposes of

    Sounds pretty cool, but any time you're involving another party into the mix, there's always a chance they can evesdrop on you. Sure, they _say_ end to end encryption etc etc, but there's nothing stopping them from having a master key to all that encryption.

    The whole concept of "end to end encryption" is that there's no means by which a man in the middle can snoop or spoof, no matter who they are.
    --
    digital man (rob)

    This Is Spinal Tap quote #8:
    Derek Smalls: Making a big thing out of it would have been a good idea.
    Norco, CA WX: 70.5°F, 62.0% humidity, 5 mph SE wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Ogg@VERT/CAPCITY2 to Phigan on Friday, June 02, 2023 19:51:00
    Hello Phigan!

    ** On Friday 02.06.23 - 05:57, Phigan wrote to Ogg:

    Recently, I got the headsup on tailscale. It's a pretty nifty
    almost-zero-config personal VPN for the purposes of

    Sounds pretty cool, but any time you're involving another party into the mix, there's always a chance they can evesdrop on you. Sure, they _say_
    end to end encryption etc etc, but there's nothing stopping them from having a master key to all that encryption.

    A friend mine responds to that:

    "yeah... but if you look at the sources or use your own
    headscale server (headscale is completely compatible,
    apparently) [the eavesdrop] concerns are practically moot. Yes,
    they could collect some tracking info, but likely far less
    useful info than what google or microsoft gleen from bing or
    google maps or whatever."

    "doing the investigation has convinced me that the threat of
    interception by tailscale.com is relatively small and
    manageable."

    "They are after all trying to make money from services and
    features, and do not appear to be a fundamentally evil
    organization that is out to get all your personal info and
    monetize you like google or microsoft òr facebook."


    ...For Windows, RDP works better than VNC. File transfers
    can be done via ssh/scp, too.

    I have been disappointed in RDP in the past. I've had many
    dropped or "stuck" connections. VNC (via TightVNC) has served
    me well.


    In the end, of course just use what is most comfortable and
    works for you. I'm just overly paranoid so using "self-
    hosted" things is my "comfort zone".

    Then take a look at headscale. https://headscale.net/


    --- OpenXP 5.0.57
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Phigan@VERT/TACOPRON to Digital Man on Sunday, June 04, 2023 10:02:44
    Re: tailscale ..impressive
    By: Digital Man to Phigan on Fri Jun 02 2023 06:25 pm

    The whole concept of "end to end encryption" is that there's no means by which a man in the middle can snoop or spoof, no matter who they are.

    Sure, that's the concept. You have to have the public/private keys on each side to be able to read the encrypted data. You're not in control of the generation of those public and private key pairs, however. It is 100% possible for the system generating those key pairs to have a "master" set of keys which can read that encrypted data no matter how many times you change your personal public/private keys. Your data is still encrypted "end to end" :).

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
  • From Phigan@VERT/TACOPRON to Ogg on Sunday, June 04, 2023 10:17:03
    Re: tailscale ..impressive
    By: Ogg to Phigan on Fri Jun 02 2023 07:51 pm

    Then take a look at headscale. https://headscale.net/

    Looks right up my alley. I'll try it out soon!

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
  • From Digital Man@VERT to Phigan on Sunday, June 04, 2023 13:39:53
    Re: tailscale ..impressive
    By: Phigan to Digital Man on Sun Jun 04 2023 10:02 am

    Re: tailscale ..impressive
    By: Digital Man to Phigan on Fri Jun 02 2023 06:25 pm

    The whole concept of "end to end encryption" is that there's no means by which a man in the middle can snoop or spoof, no matter who they are.

    Sure, that's the concept. You have to have the public/private keys on each side to be able to read the encrypted data. You're not in control of the generation of those public and private key pairs, however. It is 100% possible for the system generating those key pairs to have a "master" set of keys which can read that encrypted data no matter how many times you change your personal public/private keys. Your data is still encrypted "end to end" :).

    https://security.stackexchange.com/questions/119551/are-there-master-keys-that-can-be-used-to-generate-valid-ssl-keys
    --
    digital man (rob)

    Sling Blade quote #7:
    Karl: I don't reckon the Good Lord would send anybody like you to Hades.
    Norco, CA WX: 71.1°F, 65.0% humidity, 8 mph SSE wind, 0.00 inches rain/24hrs ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From deon@VERT/ALTERANT to Phigan on Monday, June 05, 2023 09:12:04
    Re: tailscale ..impressive
    By: Phigan to Digital Man on Sun Jun 04 2023 10:02 am

    Sure, that's the concept. You have to have the public/private keys on each side to be able to read the encrypted data. You're not in control of the generation of those public and private key pairs, however. It is 100% possible for the system generating those key pairs to have a "master" set of keys which can read that encrypted data no matter how many times you change your personal public/private keys. Your data is still encrypted "end to end" :).

    I've never heard of PKI, where a master key can decrypt a subordinate's key data, where data was encrypted with the subordinate's public key.

    Any references, or examples/whitepapers, that you can share?


    ...δεσ∩

    ---
    ■ Synchronet ■ AnsiTEX bringing back videotex but with ANSI
  • From Phigan@VERT/TACOPRON to Digital Man on Sunday, June 04, 2023 16:40:16
    Re: tailscale ..impressive
    By: Digital Man to Phigan on Sun Jun 04 2023 01:39 pm

    https://security.stackexchange.com/questions/119551/are-there-master-keys-th at-can-be-used-to-generate-valid-ssl-keys

    That link doesn't really contradict anything I'm saying :)

    For a certificate or key pair to be "valid" you just have to trust the authority that signed it/them. We call SSL certificates used for websites and things as "valid" because they have been signed by one of the certificate authorities that we all have stored in our operating systems and browsers, the ones we trust. It's technically possible for any of them to have master keys to the certificates they generate and sign, but as the response in the link says, it's highly unlikely they would go using those willy nilly.

    Other applications, especially those where the client and the server are proprietary, don't have to follow any rules about trusted authorities. The same company could write the client and server, generate and sign the certificates, and promise you end to end encryption. You have no guarantee that there isn't a master key. Even when the client and server are open source, the certificate signing stuff often isn't.

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
  • From deon@VERT/ALTERANT to Phigan on Monday, June 05, 2023 11:56:23
    Re: tailscale ..impressive
    By: Phigan to Digital Man on Sun Jun 04 2023 04:40 pm

    https://security.stackexchange.com/questions/119551/are-there-master-keys -th at-can-be-used-to-generate-valid-ssl-keys

    That link doesn't really contradict anything I'm saying :)

    For a certificate or key pair to be "valid" you just have to trust the authority that signed it/them. We call SSL certificates used for websites and things as "valid" because they have been signed by one of the certificate authorities that we all have stored in our operating systems and browsers, the ones we trust. It's technically possible for any of them to have master keys to the certificates they generate and sign, but as the response in the link says, it's highly unlikely they would go using those willy nilly.

    You've lost me on the point I thought you were making.

    The topic was "end to end encryption" - and I thought you made the comment that a "master key" is also available.

    This implies that you are saying that a master key can decrypt data that is being intended for an end user, that is encrypted with their public key.

    Or are you saying something else?


    ...δεσ∩

    ---
    ■ Synchronet ■ AnsiTEX bringing back videotex but with ANSI
  • From fusion@VERT/CFBBS to Phigan on Monday, June 05, 2023 05:14:00
    On 04 Jun 2023, Phigan said the following...

    systems and browsers, the ones we trust. It's technically possible for
    any of them to have master keys to the certificates they generate and sign, but as the response in the link says, it's highly unlikely they would go using those willy nilly.

    no, that is not the case at all.

    you send a CSR and the public key to the CA. that's it. there is no "master key". the CA's only purpose and capability is to validate the owner of a public key. they are incapable of decrypting anything.

    now, lets say the kitchensync.net bbs has a certificate/public/private key they use. i can encrypt stuff all day long with the public key (in the
    certificate) and nobody but that bbs would ever be able to see it. remember the CA doesn't have the private key.

    now, if a shitty CA decides to sign a certificate for kitchensync.net with a different public key, that's an entirely different thing. since suddenly someone else can pretend to be them, and they have a separate private key that can decrypt data encrypted with the fake certificate. but in no way does this mean that the real certificate or private key are no longer secure. you
    can't decrypt stuff from the original with the new ones.

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
  • From Phigan@VERT/TACOPRON to deon on Monday, June 05, 2023 11:12:26
    Re: tailscale ..impressive
    By: deon to Phigan on Mon Jun 05 2023 09:12 am

    I've never heard of PKI, where a master key can decrypt a subordinate's key data, where data was encrypted with the subordinate's public key.

    It's more a hierarchy kind of thing. The sub keys signed by the master key could be stored with the data they're signing. Or they could just be sent encrypted to whoever has the master. You get the sub keys then you get the data. No, I don't have any white papers :). I can guess this sort of thing isn't going to be well documented all over the place.

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
  • From Phigan@VERT/TACOPRON to deon on Monday, June 05, 2023 11:16:08
    Re: tailscale ..impressive
    By: deon to Phigan on Mon Jun 05 2023 11:56 am

    This implies that you are saying that a master key can decrypt data that is being intended for an end user, that is encrypted with their public key.

    That is what I'm saying. Whether it can happen directly or indirectly is up to the implementation, but that is the end result.

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
  • From Phigan@VERT/TACOPRON to fusion on Monday, June 05, 2023 11:19:38
    Re: Re: tailscale ..impressive
    By: fusion to Phigan on Mon Jun 05 2023 05:14 am

    you send a CSR and the public key to the CA. that's it. there is no "master key". the CA's only purpose and capability is to validate the owner of a public key. they are incapable of decrypting anything.

    That's when you're the one generating the cert request. What if some application or service is doing it for you? My point is more for messaging and other communication apps that tout "end to end encryption" vs SSL used for HTTPS.

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
  • From Tracker1@VERT/TRN to Ogg on Friday, June 16, 2023 11:14:19
    Re: tailscale ..impressive
    By: Ogg to All on Thu Jun 01 2023 19:50:00

    Recently, I got the headsup on tailscale. It's a pretty nifty almost-zero-config personal VPN for the purposes of
    establishing secure and encrypted tunnels over your own
    machines as a custom network.

    Yeah, tailscale looks nifty AF, have though about getting it running on my hosted server(s). Right now, I tunnel through SSH the client I use for the one windows vm rdp (Remmina) has built in support for running through an SSH tunnel.

    For home, I've been using Wireguard for my phone and laptop when I'm travelling, which isn't much.


    --
    Michael J. Ryan
    +o roughneckbbs.com
    tracker1@roughneckbbs.com

    ---
    ■ Synchronet ■ Roughneck BBS - roughneckbbs.com