Google can access your Tailscale

Tailscale requires Google or Microsoft authentication. Why is that?
This basically means Google/Microsoft can access my Umbrel node at any time.
Is there any alternative?

I don’t believe that using any MS or Google auth allows them to read your Tailscale.

It’s also not required. You can use an email address.

But can others address this Q: does 3rd-party auth allow that 3rd party in? I think if this were the case, it would have been pointed out as a security hole for hundreds of sites already.

M

Even if you use an e-mail address, it still uses Microsoft/Google Auth. Don’t trust me, verify it yourself.

You are 100% required to use Big Tech to authenticate into your Tailscale, which means at any moment these big companies can log in to your Tailscale and access your Umbrel.

Tailscale is a HUGE security hole.

I strongly disagree with your assessment.

  1. Umbrel has its own password and OTP.
  2. Tailscale will alert me if a new device joins my Tailscale. Every device must authenticate first. There are lots of additional security options that can be configured.
  3. You can definitely use a regular email address and password instead of an OAuth provider (“sign in with”).
  4. If you are concerned about entry via the OAuth provider, then you are effectively describing a state-level attack on an individual name, which for many of us is not a viable threat. There is no stopping a state-level attack on an individual without incredible resources. A rogue MS/Google employee being able to bypass my MFA and delete Tailscale’s notifications is not part of my (and many others’) threat model.

So I don’t agree that your threat assessment is realistic for most Umbrel users.

SSO and OAuth are convenience security methods that are typically better than what most users will set up for email and password. Skip them if you choose to, but it’s not a threat against Tailscale. It’s the equivalent of having chosen a weak password for your Tailscale login, and no one except you can help you if you do that.

M


Hey @MarcG, thank you for the detailed answer, I appreciate it very much.

As for your points, here are my responses.

  1. Even if Umbrel has its own password and OTP, I don’t want there to be any possibility of any third party even accessing the page. It’s a security hole in my eyes.

  2. It may take hours before I see and react to those alerts. Again, there should be no possibility for anyone else to access my Tailscale; Big Tech auth is a security hole in my eyes. Also, you mention there are a lot of additional security options; can you provide more detail? I don’t see any.

  3. This is what I see when I try to log in:
    (edit: image removed)

Hi, sure thing. I can conclude that at this point Umbrel is not your issue; it’s your entire Tailscale that you want VERY secure.

I do see that regular email auth is not available. It likely never was, and I was mistaken. You are correct that the screenshot shows the identity provider is MS.

I’m no expert on this, so I will defer to others now to help you more, but custom authentications are available even in the free plan, including some that use OpenID Connect (OIDC).

You are likely best off following those instructions and tying it into your own domain, or using a totally different VPN. If you do drop Tailscale, try to use one that uses the wireshark protocol, however.

ALSO, please be sure that this avenue (a security hole in your eyes) is even the lowest-hanging fruit that you are tackling. I have had many people tell me that pre-boxed solutions like Umbrel are not the best, but they are the fastest to get running. Those people seem to use full Linux boxes and don’t go near pre-packaged solutions; they pull the distributions from source repos, having verified the signatures, or even build them themselves from source.
I personally suspect that Tailscale is not your biggest security hole: it’s you and me behind the keyboard making mistakes. Notably, please redact your full email from your screenshots, else it’s there forever.

Best,
M


This also surprised me at first. It’s been a while since I looked at this, but I think the way the single sign-on works is that your browser will contact Google/GitHub/etc. and ask “Can you tell me who this clown is?” If you are already logged in, they will respond “clown@hacker.com”; if you aren’t logged in, they will ask you to log in. Then Tailscale continues with “OK, now I know who this is.” There is no access granted to Google/GitHub.

The OAuth protocol is pretty secure and state of the art. Like I said, I got freaked out too, but once I thought it through I calmed down. They are only asking the authentication providers to verify your identity, and that identity (email) is used to log into Tailscale.

It would be interesting to open a support ticket with them and see what they say.
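To make the exchange described in the post above concrete, here is an added model of it in Python. It is not Tailscale’s code, nor any identity provider’s; it assumes an HMAC-signed token with a key shared between the two sides in place of the RS256/JWKS-published keys real providers use, and the issuer URL, client id, email and password are made up. The relying party only ever receives a signed assertion of identity (the ID token) and checks signature, issuer, audience, expiry and a single-use nonce before creating its own session; the provider password never reaches it. The same model also shows the trust the next post worries about: `issue_id_token` needs no password, so whoever holds the provider’s signing key can assert any identity to any audience that trusts that provider.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Stand-in for Google/Microsoft/GitHub: holds the user's password and the
    token-signing key. The relying party never receives the password."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.key = secrets.token_bytes(32)  # assumption: HS256, not RS256 + JWKS
        self._pw_hashes: dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        self._pw_hashes[email] = hashlib.sha256(password.encode()).hexdigest()

    def issue_id_token(self, email: str, audience: str, nonce: str, ttl: int = 300) -> str:
        """Mint a signed ID token. Nothing here needs the user's password:
        whoever holds the IdP key can assert any identity to any audience."""
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": email, "email": email, "aud": audience,
                  "nonce": nonce, "iat": now, "exp": now + ttl}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def login(self, email: str, password: str, audience: str, nonce: str) -> str:
        """The redirect leg: the user authenticates to the IdP, which answers the
        relying party's 'who is this?' with a signed assertion, not with access."""
        if self._pw_hashes.get(email) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("bad IdP credentials")
        return self.issue_id_token(email, audience, nonce)


class RelyingParty:
    """Stand-in for a 'sign in with ...' site: trusts one issuer and its key,
    verifies the assertion, then mints its own session."""

    def __init__(self, client_id: str, trusted_issuer: str, idp_key: bytes):
        self.client_id, self.trusted_issuer, self.idp_key = client_id, trusted_issuer, idp_key
        self._pending_nonces: set[str] = set()
        self.sessions: dict[str, str] = {}

    def start_login(self) -> str:
        nonce = secrets.token_urlsafe(16)  # binds the returned token to this attempt
        self._pending_nonces.add(nonce)
        return nonce

    def finish_login(self, id_token: str) -> str:
        header_b64, claims_b64, sig_b64 = id_token.split(".")
        expected = hmac.new(self.idp_key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("iss") != self.trusted_issuer:
            raise PermissionError("untrusted issuer")
        if claims.get("aud") != self.client_id:
            raise PermissionError("token minted for a different site")
        if claims.get("exp", 0) < int(time.time()):
            raise PermissionError("expired")
        if claims.get("nonce") not in self._pending_nonces:
            raise PermissionError("replayed or unsolicited token")
        self._pending_nonces.discard(claims["nonce"])
        self.sessions[secrets.token_urlsafe(16)] = claims["email"]  # the RP's own session
        return claims["email"]


def _setup() -> tuple[IdentityProvider, RelyingParty]:
    idp = IdentityProvider("https://idp.example")  # constructed names
    idp.register("alice@example.com", "correct horse battery staple")
    return idp, RelyingParty("vpn-console", "https://idp.example", idp.key)


def normal_login() -> str:
    idp, rp = _setup()
    nonce = rp.start_login()
    token = idp.login("alice@example.com", "correct horse battery staple", "vpn-console", nonce)
    return rp.finish_login(token)


def tampered_token_is_rejected() -> bool:
    idp, rp = _setup()
    nonce = rp.start_login()
    h, c, s = idp.login("alice@example.com", "correct horse battery staple", "vpn-console", nonce).split(".")
    claims = json.loads(_b64url_decode(c))
    claims["email"] = "bob@example.com"  # edit the identity, keep the old signature
    try:
        rp.finish_login(f"{h}.{_b64url(json.dumps(claims).encode())}.{s}")
    except PermissionError:
        return True
    return False


def idp_can_impersonate() -> str:
    """A rogue or compromised IdP needs no password to be accepted as Alice."""
    idp, rp = _setup()
    return rp.finish_login(idp.issue_id_token("alice@example.com", "vpn-console", rp.start_login()))
```

`normal_login()` returns the email the relying party now treats as logged in, `tampered_token_is_rejected()` shows that changing the identity claim without the signing key fails, and `idp_can_impersonate()` shows the flip side of the design: the relying party cannot distinguish an assertion the user obtained with their password from one the key holder minted on its own, which is exactly the trust placed in the provider.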

What stops Google/GitHub/Microsoft from trying to access my Tailscale? Nothing. They have access to my credentials and password; they can very well pretend to be me, and Tailscale won’t know if it’s really me or them.

Then use custom authentication as pointed out by @MarcG

Hi, all. I bring great news today! It’s now moot. Passkeys have arrived for all Tailscale plans!

And it is the secure, very phishing-resistant, sovereign identity provider we have needed for many years!!

Details to create it here!

The future is SECURE, and with an unchained identity!

Well done to Tailscale!
Lots more sites supporting Passkeys are at https://Passkeys.Directory

NOTE: we now gotta worry about Umbrel harvesting IP addresses every hour. That is now the problem.

Marc.


I don’t get it… what exactly is a passkey, and how do I create one? As far as I understand, you still need a Big Tech account to use passkeys…