-
tailscale ..impressive
From
Ogg@VERT/CAPCITY2 to
All on Thu Jun 1 19:50:00 2023
Recently, I got the headsup on tailscale. It's a pretty nifty
almost-zero-config personal VPN for the purposes of
establishing secure and encrypted tunnels over your own
machines as a custom network.

Prior to tailscale, I was using AnyDesk cuz it just worked and
did not need any port forwarding pre-considerations. (My router
has a broken port-forwarding feature - the settings didn't
stick - but AnyDesk overcame that.)

At some point AnyDesk deemed my usage commercial primarily
because I was using it too regularly. :(

Then there were several months of time that I wasn't using
anything at all and lived without the need to reach my remote
machines for transferring files or observing processes.

But tailscale is looking like a great solution!

I can launch a VNC connection from my remote pc to my home pc.

A VNC connection from my home pc to my remote pc is having an
issue but I can work around it by accessing the
Filezilla-server on the remote to transfer files to and from home.

I am operating Win7 systems on both remote and home pc.

Tailscale is available for Win, iOS, MacOS, Android, Linux

See https://tailscale.com/

For a simple home "network" of machines, the free offering
could be all that one needs.

Tailscale takes care of the networking authenticated machines.
After that, you can reach any service that any machine supports
whether it is VNC, Remote Desktop, SSH, FTP, etc.. and you
have a fully secure, and encrypted personal VPN.

--
  ../|ug

--- OpenXP 5.0.57
 * Origin: Ogg's Dovenet Point (723:320/1.9)
 ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
-
From
Phigan@VERT/TACOPRON to
Ogg on Fri Jun 2 05:57:13 2023
Re: tailscale ..impressive
 By: Ogg to All on Thu Jun 01 2023 07:50 pm

 > Recently, I got the headsup on tailscale. It's a pretty nifty
 > almost-zero-config personal VPN for the purposes of

Sounds pretty cool, but any time you're involving another party into the mix, there's always a chance they can eavesdrop on you. Sure, they _say_ end to end encryption etc etc, but there's nothing stopping them from having a master key to all that encryption.

Also, I would just forward one port, for SSH, to an internal host. Then, use SSH tunneling to connect to anything else from there. For Windows, RDP works better than VNC. File transfers can be done via ssh/scp, too.

In the end, of course just use what is most comfortable and works for you. I'm just overly paranoid so using "self-hosted" things is my "comfort zone".

---
 ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
-
From
MRO@VERT/BBSESINF to
Ogg on Fri Jun 2 09:02:24 2023
Re: tailscale ..impressive
 By: Ogg to All on Thu Jun 01 2023 07:50 pm

 > Prior to tailscale, I was using AnyDesk cuz it just worked and
 > did not need any port forwarding pre-considerations. (My router
 > has a broken port-forwarding feature - the settings didn't
 > stick - but AnyDesk overcame that.)
 >

why don't you just buy a new router?
---
 ■ Synchronet ■ ::: BBSES.info - free BBS services :::
-
From
Digital Man@VERT to
Phigan on Fri Jun 2 18:25:52 2023
Re: tailscale ..impressive
 By: Phigan to Ogg on Fri Jun 02 2023 05:57 am

 > Re: tailscale ..impressive
 > By: Ogg to All on Thu Jun 01 2023 07:50 pm
 >
 > > Recently, I got the headsup on tailscale. It's a pretty nifty
 > > almost-zero-config personal VPN for the purposes of
 >
 > Sounds pretty cool, but any time you're involving another party into the
 > mix, there's always a chance they can eavesdrop on you. Sure, they _say_ end
 > to end encryption etc etc, but there's nothing stopping them from having a
 > master key to all that encryption.

The whole concept of "end to end encryption" is that there's no means by which a man in the middle can snoop or spoof, no matter who they are.
--
 digital man (rob)

This Is Spinal Tap quote #8:
Derek Smalls: Making a big thing out of it would have been a good idea.
Norco, CA WX: 70.5°F, 62.0% humidity, 5 mph SE wind, 0.00 inches rain/24hrs
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
-
From
Ogg@VERT/CAPCITY2 to
Phigan on Fri Jun 2 19:51:00 2023
Hello Phigan!

** On Friday 02.06.23 - 05:57, Phigan wrote to Ogg:

 >> Recently, I got the headsup on tailscale. It's a pretty nifty
 >> almost-zero-config personal VPN for the purposes of

 P> Sounds pretty cool, but any time you're involving another party into the
 P> mix, there's always a chance they can eavesdrop on you. Sure, they _say_
 P> end to end encryption etc etc, but there's nothing stopping them from
 P> having a master key to all that encryption.

A friend of mine responds to that:

"yeah... but if you look at the sources or use your own
headscale server (headscale is completely compatible,
apparently) [the eavesdrop] concerns are practically moot. Yes,
they could collect some tracking info, but likely far less
useful info than what google or microsoft glean from bing or
google maps or whatever."

"doing the investigation has convinced me that the threat of
interception by tailscale.com is relatively small and
manageable."

"They are after all trying to make money from services and
features, and do not appear to be a fundamentally evil
organization that is out to get all your personal info and
monetize you like google or microsoft or facebook."


 P> ...For Windows, RDP works better than VNC. File transfers
 P> can be done via ssh/scp, too.

I have been disappointed in RDP in the past. I've had many
dropped or "stuck" connections. VNC (via TightVNC) has served
me well.


 P> In the end, of course just use what is most comfortable and
 P> works for you. I'm just overly paranoid so using
 P> "self-hosted" things is my "comfort zone".

Then take a look at headscale. https://headscale.net/


--- OpenXP 5.0.57
 * Origin: Ogg's Dovenet Point (723:320/1.9)
 ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
-
From
Phigan@VERT/TACOPRON to
Digital Man on Sun Jun 4 10:02:44 2023
Re: tailscale ..impressive
 By: Digital Man to Phigan on Fri Jun 02 2023 06:25 pm

 > The whole concept of "end to end encryption" is that there's no means by
 > which a man in the middle can snoop or spoof, no matter who they are.

Sure, that's the concept. You have to have the public/private keys on each side to be able to read the encrypted data. You're not in control of the generation of those public and private key pairs, however. It is 100% possible for the system generating those key pairs to have a "master" set of keys which can read that encrypted data no matter how many times you change your personal public/private keys. Your data is still encrypted "end to end" :).

---
 ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
-
From
Phigan@VERT/TACOPRON to
Ogg on Sun Jun 4 10:17:03 2023
Re: tailscale ..impressive
 By: Ogg to Phigan on Fri Jun 02 2023 07:51 pm

 > Then take a look at headscale. https://headscale.net/

Looks right up my alley. I'll try it out soon!

---
 ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
-
From
Digital Man@VERT to
Phigan on Sun Jun 4 13:39:53 2023
Re: tailscale ..impressive
 By: Phigan to Digital Man on Sun Jun 04 2023 10:02 am

 > Re: tailscale ..impressive
 > By: Digital Man to Phigan on Fri Jun 02 2023 06:25 pm
 >
 > > The whole concept of "end to end encryption" is that there's no means by
 > > which a man in the middle can snoop or spoof, no matter who they are.
 >
 > Sure, that's the concept. You have to have the public/private keys on each
 > side to be able to read the encrypted data. You're not in control of the
 > generation of those public and private key pairs, however. It is 100%
 > possible for the system generating those key pairs to have a "master" set of
 > keys which can read that encrypted data no matter how many times you change
 > your personal public/private keys. Your data is still encrypted "end to end"
 > :).

https://security.stackexchange.com/questions/119551/are-there-master-keys-that-can-be-used-to-generate-valid-ssl-keys
--
 digital man (rob)

Sling Blade quote #7:
Karl: I don't reckon the Good Lord would send anybody like you to Hades.
Norco, CA WX: 71.1°F, 65.0% humidity, 8 mph SSE wind, 0.00 inches rain/24hrs
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
-
From
deon@VERT/ALTERANT to
Phigan on Mon Jun 5 09:12:04 2023
Re: tailscale ..impressive
 By: Phigan to Digital Man on Sun Jun 04 2023 10:02 am

 > Sure, that's the concept. You have to have the public/private keys on each
 > side to be able to read the encrypted data. You're not in control of the
 > generation of those public and private key pairs, however. It is 100%
 > possible for the system generating those key pairs to have a "master" set of
 > keys which can read that encrypted data no matter how many times you change
 > your personal public/private keys. Your data is still encrypted "end to end"
 > :).

I've never heard of PKI, where a master key can decrypt a subordinate's key data, where data was encrypted with the subordinate's public key.

Any references, or examples/whitepapers, that you can share?


...δεσ∩

---
 ■ Synchronet ■ AnsiTEX bringing back videotex but with ANSI
-
From
Phigan@VERT/TACOPRON to
Digital Man on Sun Jun 4 16:40:16 2023
Re: tailscale ..impressive
 By: Digital Man to Phigan on Sun Jun 04 2023 01:39 pm

 > https://security.stackexchange.com/questions/119551/are-there-master-keys-that-can-be-used-to-generate-valid-ssl-keys

That link doesn't really contradict anything I'm saying :)

For a certificate or key pair to be "valid" you just have to trust the authority that signed it/them. We call SSL certificates used for websites and things as "valid" because they have been signed by one of the certificate authorities that we all have stored in our operating systems and browsers, the ones we trust. It's technically possible for any of them to have master keys to the certificates they generate and sign, but as the response in the link says, it's highly unlikely they would go using those willy nilly.

Other applications, especially those where the client and the server are proprietary, don't have to follow any rules about trusted authorities. The same company could write the client and server, generate and sign the certificates, and promise you end to end encryption. You have no guarantee that there isn't a master key. Even when the client and server are open source, the certificate signing stuff often isn't.

---
 ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
-
From
deon@VERT/ALTERANT to
Phigan on Mon Jun 5 11:56:23 2023
Re: tailscale ..impressive
 By: Phigan to Digital Man on Sun Jun 04 2023 04:40 pm

 > > https://security.stackexchange.com/questions/119551/are-there-master-keys-that-can-be-used-to-generate-valid-ssl-keys
 >
 > That link doesn't really contradict anything I'm saying :)
 >
 > For a certificate or key pair to be "valid" you just have to trust the
 > authority that signed it/them. We call SSL certificates used for websites
 > and things as "valid" because they have been signed by one of the
 > certificate authorities that we all have stored in our operating systems and
 > browsers, the ones we trust. It's technically possible for any of them to
 > have master keys to the certificates they generate and sign, but as the
 > response in the link says, it's highly unlikely they would go using those
 > willy nilly.

You've lost me on the point I thought you were making.

The topic was "end to end encryption" - and I thought you made the comment that a "master key" is also available.

This implies that you are saying that a master key can decrypt data that is being intended for an end user, that is encrypted with their public key.

Or are you saying something else?


...δεσ∩

---
 ■ Synchronet ■ AnsiTEX bringing back videotex but with ANSI
-
From
fusion@VERT/CFBBS to
Phigan on Mon Jun 5 05:14:00 2023
On 04 Jun 2023, Phigan said the following...

 Ph> systems and browsers, the ones we trust. It's technically possible for
 Ph> any of them to have master keys to the certificates they generate and
 Ph> sign, but as the response in the link says, it's highly unlikely they
 Ph> would go using those willy nilly.

no, that is not the case at all.

you send a CSR and the public key to the CA. that's it. there is no "master key". the CA's only purpose and capability is to validate the owner of a public key. they are incapable of decrypting anything.

now, let's say the kitchensync.net bbs has a certificate/public/private key they use. i can encrypt stuff all day long with the public key (in the
certificate) and nobody but that bbs would ever be able to see it. remember the CA doesn't have the private key.

now, if a shitty CA decides to sign a certificate for kitchensync.net with a different public key, that's an entirely different thing. since suddenly someone else can pretend to be them, and they have a separate private key that can decrypt data encrypted with the fake certificate. but in no way does this mean that the real certificate or private key are no longer secure. you
can't decrypt stuff from the original with the new ones.

--- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
 * Origin: cold fusion - cfbbs.net - grand rapids, mi
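
Added example, not part of any post in this thread: the CSR/CA relationship described in the post above, carried through with toy numbers, plus the key-pinning check a client can use to notice a certificate issued over a different key. It uses textbook RSA over small Mersenne primes with no padding, constructed for illustration only; every function name here is hypothetical.

```python
import hashlib

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Textbook RSA from two primes -> ((n, e), d). Toy sizes, no padding."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def decrypt(pub, priv, c):
    return pow(c, priv, pub[0])

def fingerprint(pub):
    return hashlib.sha256(repr(pub).encode()).hexdigest()

def binding(host, pub):
    """What a certificate asserts: this name owns this public key."""
    return int.from_bytes(hashlib.sha256(f"{host}|{pub}".encode()).digest(), "big")

def issue(ca_pub, ca_priv, host, pub):
    """The CA is handed a name and a PUBLIC key (the CSR) and signs the binding."""
    return {"host": host, "pub": pub, "sig": decrypt(ca_pub, ca_priv, binding(host, pub))}

def chain_ok(ca_pub, cert):
    return encrypt(ca_pub, cert["sig"]) == binding(cert["host"], cert["pub"])

def scenario():
    host = "kitchensync.net"                            # name used in the post above
    ca_pub, ca_priv = keypair(2**127 - 1, 2**521 - 1)   # constructed CA key
    bbs_pub, bbs_priv = keypair(2**61 - 1, 2**89 - 1)   # generated by the BBS itself
    cert = issue(ca_pub, ca_priv, host, bbs_pub)        # CA never sees bbs_priv
    pin = fingerprint(bbs_pub)                          # client remembers the real key
    m = int.from_bytes(b"hello bbs", "big")
    c = encrypt(cert["pub"], m)
    # Mis-issuance: the same CA signs the same name over a different key pair.
    fake_pub, fake_priv = keypair(2**31 - 1, 2**107 - 1)
    fake = issue(ca_pub, ca_priv, host, fake_pub)
    return {
        "owner_reads": decrypt(bbs_pub, bbs_priv, c) == m,
        "ca_key_reads": decrypt(bbs_pub, ca_priv, c) == m,
        "fake_key_reads_old": decrypt(bbs_pub, fake_priv, c) == m,
        "fake_chain_ok": chain_ok(ca_pub, fake),
        "fake_key_reads_new": decrypt(fake_pub, fake_priv, encrypt(fake["pub"], m)) == m,
        "fake_matches_pin": fingerprint(fake["pub"]) == pin,
    }
```

The second certificate chains to the same CA, so signature validation alone accepts it; only the comparison against the remembered fingerprint shows that the key changed.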
-
From
Phigan@VERT/TACOPRON to
deon on Mon Jun 5 11:12:26 2023
Re: tailscale ..impressive
 By: deon to Phigan on Mon Jun 05 2023 09:12 am

 > I've never heard of PKI, where a master key can decrypt a subordinate's key
 > data, where data was encrypted with the subordinate's public key.

It's more a hierarchy kind of thing. The sub keys signed by the master key could be stored with the data they're signing. Or they could just be sent encrypted to whoever has the master. You get the sub keys then you get the data. No, I don't have any white papers :). I can guess this sort of thing isn't going to be well documented all over the place.

---
 ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
-
From
Phigan@VERT/TACOPRON to
deon on Mon Jun 5 11:16:08 2023
Re: tailscale ..impressive
 By: deon to Phigan on Mon Jun 05 2023 11:56 am

 > This implies that you are saying that a master key can decrypt data that is
 > being intended for an end user, that is encrypted with their public key.

That is what I'm saying. Whether it can happen directly or indirectly is up to the implementation, but that is the end result.

---
 ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
-
From
Phigan@VERT/TACOPRON to
fusion on Mon Jun 5 11:19:38 2023
Re: Re: tailscale ..impressive
 By: fusion to Phigan on Mon Jun 05 2023 05:14 am

 > you send a CSR and the public key to the CA. that's it. there is no "master
 > key". the CA's only purpose and capability is to validate the owner of a
 > public key. they are incapable of decrypting anything.

That's when you're the one generating the cert request. What if some application or service is doing it for you? My point is more for messaging and other communication apps that tout "end to end encryption" vs SSL used for HTTPS.

---
 ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
-
From
Tracker1@VERT/TRN to
Ogg on Fri Jun 16 11:14:19 2023
Re: tailscale ..impressive
 By: Ogg to All on Thu Jun 01 2023 19:50:00

 Og> Recently, I got the headsup on tailscale. It's a pretty nifty
 Og> almost-zero-config personal VPN for the purposes of
 Og> establishing secure and encrypted tunnels over your own
 Og> machines as a custom network.

Yeah, tailscale looks nifty AF, have thought about getting it running on my hosted server(s). Right now, I tunnel through SSH; the client I use for the one Windows VM RDP (Remmina) has built-in support for running through an SSH tunnel.

For home, I've been using Wireguard for my phone and laptop when I'm travelling, which isn't much.


--
Michael J. Ryan
+o roughneckbbs.com
tracker1@roughneckbbs.com

---
 ■ Synchronet ■ Roughneck BBS - roughneckbbs.com