> Their security thinking though is pretty bad - they've had a sequence of pretty serious security flaws
They are targeting 6 OSes plus web, each of which has unique ways to get security wrong. On its own, that's one hell of an attack surface and I'd say the rate of vulnerabilities reflects that.
However, I'd say their security _posture_ is pretty good - from what I've seen, reported issues are typically patched within 48h of initial report (most companies ask for a 90 day window before bug reporters go public with issues, and often let it pass without fixing the issue).
They've had many flaws become widely publicized because they have great writeups of the issue, but I think I've only seen one critical-severity issue - most are low-impact. EG in this case you need to make requests until you guess an int64 correctly - which on average would 'only' take a year if you could somehow make ten trillion requests per second without being detected.
> However, I'd say their security _posture_ is pretty good
The clients for Windows, iOS and macOS are closed-source.
As a general rule, a closed-source server is bad, but ultimately it's somewhat tolerable. A closed-source client for a product or service that appears to have an acknowledged security posture is full-on unacceptable. I can't fathom why they would shoot themselves in the foot like this.
Not clear on why they made that call, but those are incidentally the exact set of platforms where they can't rapidly ship security updates (it's dependent on the vagaries of the platforms' stores).
> Mostly. Tailscale daemon client code is open source. Where the operating system is open source, the daemon and GUI are open source, and where the operating system is closed, the daemon is open source and the GUI is closed source.
You can run just the tailscaled daemons on Windows; it just wouldn't have a GUI, and that's fully open source[1].
The client daemon is open source. Generally you shouldn't be increasing attack surface with the introduction of a GUI (the closed-source part), so gonna have to strongly disagree with you here.