Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

An interesting article overall, but I think authenticating a user based on their IP address is probably the worst security advice I've seen. It's probably ripe for attack with ARP poisoning, IP spoofing, etc.


(I work at Tailscale)

It only authenticates it _after_ all the WireGuard bits. So it's not really auth by IP address, but auth by wireguard key identity, from which we know your identity. There's no IP spoofing possible. And ARP isn't even in the picture for an L3 protocol.


How do you prevent other processes (or other apps on mobile) from connecting to the service?

A malicious game on my phone can't ssh to my server if I do normal authentication, but with this IP/WG authentication it can...


You can configure ACLs. By default devices that aren’t tagged with an ACL tag are available to other devices authenticated by the same user. If you tag a device, you have to write explicit ACLs to permit access from other users/devices.


How does this solve the problem of a malicious process inside the whitelisted device.


That would of course be beyond the scope of the network layer itself.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: