13 points by eustoria 4 hours ago | 2 comments
  • offmycloud 3 hours ago
    I've said it before, but Zero Trust is such a misnomer. It implies less trust in firewalls, VPNs, and other network controls, but much more trust in the ability of end-user devices to securely store and use private keys. Also, the server side has to trust all incoming connections from the Internet enough to verify the certificates, and run a complicated TLS implementation, which can be a huge attack surface. We're sticking with WireGuard for all our internal users.
    • parliament32 2 hours ago
      Unless you're storing your wireguard keys in your TPM somehow, what stops malware from just copying the keys out and connecting? Are you IP whitelisting every employee's house or what?
    • hinkley 2 hours ago
      Wireguard solves the data in motion problem but not the data at rest problem, doesn’t it?
  • parliament32 2 hours ago
    AI slop, and marketing slop at that.

    Intune and basic CA policies ensure unexportable MDM certificates in the TPM are used for all authentication events. This is like day 1 Entra ID / Intune stuff. Not sure why you'd need an external vendor for any of this (especially a vendor more expensive than the above).
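An added example, not from the thread and not Microsoft's or any vendor's code: a PowerShell check a defender can run on a Windows endpoint to confirm the claim made above, namely that the authentication certificates an MDM enrolled actually live in the TPM and carry a non-exportable key policy. It uses the .NET CNG API that Windows PowerShell 5.1 and PowerShell 7 expose; the provider name "Microsoft Platform Crypto Provider" is Windows' TPM-backed key storage provider, and an export policy of `None` means the key cannot be exported through the API. The function name and the store path default are this example's own choices. Any certificate the report flags as not TPM-bound or as exportable is one whose key could be copied off the device, which is exactly the risk the WireGuard sub-thread raises.

```powershell
# Added example (not from the thread): report which key storage provider holds each
# private key in a certificate store and whether the key policy permits export.
# A certificate Intune enrolled into the TPM should show the
# "Microsoft Platform Crypto Provider" and an export policy of "None".
function Get-TpmBoundCertReport {
    [CmdletBinding()]
    param(
        # Store to inspect: CurrentUser\My holds user certs, LocalMachine\My holds device certs
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $tpmProvider = 'Microsoft Platform Crypto Provider'   # Windows' TPM-backed KSP

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # GetRSAPrivateKey returns null for non-RSA certs; CNG keys come back as RSACng,
        # legacy CryptoAPI keys as RSACryptoServiceProvider (no CNG metadata available).
        $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $ecdsa = $null
        if (-not $rsa) {
            $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        }

        $key = $null
        if ($rsa -is [System.Security.Cryptography.RSACng])       { $key = $rsa.Key }
        elseif ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) { $key = $ecdsa.Key }

        if ($key) {
            $provider     = $key.Provider.Provider     # KSP name, e.g. the TPM provider above
            $exportPolicy = $key.ExportPolicy          # CngExportPolicies: None means non-exportable
        } else {
            $provider     = 'legacy CryptoAPI provider (no CNG export policy)'
            $exportPolicy = 'unknown'
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            Provider     = $provider
            ExportPolicy = $exportPolicy
            TpmBound     = ($provider -eq $tpmProvider)
            # Only CNG keys expose a policy; anything not provably "None" is treated as exportable
            Exportable   = (-not $key) -or ($exportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
        }
    }
}

# Usage: list every certificate in the user store that is NOT TPM-bound or could be exported.
# An empty result means every private key is TPM-held and non-exportable; run with
# -StorePath 'Cert:\LocalMachine\My' to check device certificates as well.
Get-TpmBoundCertReport | Where-Object { -not $_.TpmBound -or $_.Exportable } | Format-Table -AutoSize
```

Pair this with the Conditional Access side of the claim: a device whose certificate passes this check still depends on the policy requiring certificate-based or device-compliance authentication, so the endpoint report and the tenant policy should be reviewed together.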