security-identity-goteleport

utterances-bot opened this issue · 3 comments

Implementing Teleport Identity Proxy behind a Router using the Traefik Reverse Proxy in an Intranet Environment: A Comprehensive Guide

How to use Teleport with a valid TLS/SSL certificate and automatic SSL certificate renewal in a pure intranet set-up behind a router.

https://weisser-zwerg.dev/posts/security-identity-goteleport/

I am wondering, why do you feel that a public web interface is less secure than a public UDP port?

cs224 commented

The UDP port is from WireGuard (https://www.wireguard.com), initially released for the Linux kernel by security-minded experts. WireGuard has undergone all sorts of formal verification, covering aspects of the cryptography, protocol, and implementation: https://www.wireguard.com/formal-verification

The web interface is from JavaScript devs who do whatever they do. In addition, these web interfaces often depend on (many) 3rd-party libraries. Think Log4Shell (https://en.wikipedia.org/wiki/Log4Shell).

WireGuard is just much more focused and "single minded" than web applications that need to constantly adapt to new user requirements.
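To make the difference in exposed surface concrete, here is an added nftables ruleset that is not part of the original post and not from the Teleport, Traefik or WireGuard projects. It admits only WireGuard's UDP port from the WAN side and lets the Traefik/Teleport HTTPS listener be reached solely over the tunnel interface. The interface names `eth0` and `wg0`, the WireGuard port 51820 and the HTTPS port 443 are assumptions for the example.

```nft
# Added example: host firewall that exposes only the WireGuard UDP port.
# Assumptions (not from the post): WAN interface eth0, WireGuard interface wg0,
# WireGuard listening on udp/51820, Traefik fronting Teleport on tcp/443.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established flows and loopback traffic working.
        ct state established,related accept
        iifname "lo" accept

        # Weak setting (the situation the question asks about): the web
        # interface reachable from anywhere. Left commented out on purpose.
        # tcp dport 443 accept

        # The single public entry point: WireGuard's UDP port.
        iifname "eth0" udp dport 51820 accept

        # The Teleport web UI (via Traefik) is only reachable through the tunnel.
        iifname "wg0" tcp dport 443 accept

        # Everything else, including tcp/443 arriving on eth0, is dropped by policy.
    }
}
```

Load it with `nft -f <file>` and confirm the result with `nft list ruleset`; from the WAN side only the UDP port should answer, which is exactly the reduced surface the comment above is arguing for.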

Good point! Although it is of course an unsatisfying state of affairs that web applications cannot be trusted in that respect. Surely web applications, especially for software such as Teleport, should also come with certain guarantees.