Golink: A private shortlink service for tailnets (opens in new tab)

Not just Google, every prominent silicon valley company such as Twitter, Facebook, Stripe, Square even JP Morgan has an internal go/.

Fascinating history of workplace search is that at Google and Stripe if you don't find any relevant document under go/, it will take you to your workplace search portal. Both Google and Stripe has built an internal document + file + people search portal called Moma and Stripe Home respectively.

You can read more about Stripe Home here - https://stripe.com/blog/stripe-home

Huh. This is a thing I've seen at a few companies now and never seen reference to them coming out of Google. It makes sense, but it's also completely standalone - "go to the page."

Especially because Golink seems to be (at least partially) written in Go

I implemented this for my personal use and chose “aka/“ instead of “go/“. Still short, and still pretty self explanatory, but unique.

Ouch.

CVE-2022-41924 Severe 9.6

A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.

Published November 23, 2022.

Do you feel that your being “hacked” was somehow a result of your using Tailscale? I mean, that’s the obvious implication.

It originated at Google, but at this point most BigTech or places founded by former BigTech have their own version. There's even a SaaS version: https://www.golinks.io/

I wrote the one for F5, in 2011 I believe. I didn't know specifically about Google's at the time, but the general concept was in the air. I was inspired by the old-schoool CompuServe (or was it AOL?) "go <keyword>" command. Bill Booth worked to get f5go open-sourced a few years after that [1].

And I'm glad you appreciated f5go's additional features; my personal favorite is the "lists" feature: a single go/ link can become a list of links very easily. Very useful for gathering research on a topic into a single place. I keep wanting to setup a personal f5go server so I can share short mnemonic links that might be lists lke this.

[1] https://github.com/f5devcentral/f5go

Yeah I had this in Square and at Twitter

On chrome at least, you can go setup custom search engines, so for example instead of ‘go/‘, you would type ‘go<TAB>query’, and then you can configure that to open whichever fully qualifies uri you want.

If you have the domain in your dns suffix list for resolution (ie: foo.bar.net), you can just type `go/` in the browser... and it should resolve go.foo.bar.net.

nebula[0] may be interesting; you can allow list connectivity for specific groups, all burned into the cert used to join the network. It uses some NAT hole punching orchestration to accomplish connectivity between hosts without opening ports.

The main painful thing I've found has been cert management. PKI, as usual, is not a solved problem.

I've managed to do some fun stuff using salt + nebula on the hobby side.

[0] https://github.com/slackhq/nebula

I forgot to add a link to our recent announcement blog post to the project README. I've added that now, and I think it may help explain why we specifically built a service like this on top of Tailscale to take advantage of Magic DNS, automatically authenticated connections, etc. https://tailscale.com/blog/golink/

Zero trust doesn't mean abandoning defense-in-depth.

Stay tuned, I have plans :)

Tailscale is an alternative architectural approach to doing exactly that. It's a single point-of-auth for a lot of internal services, that you can access from anywhere. It handles it at a completely different layer, but isn't fundamentally different.

"On the other hand, the former might be just to expensive for smaller organisations."

GCP's Identity Aware Proxy (IAP) comes free with the load balancer

No reason you can’t do both.

cloudflared

A huge one is documentation linking. By having the indirection in one place you don’t have to swap all the various places that might be linked to something, you just switch the go link.

This is especially valuable when switching cms/erp/ticket systems etc where you may not have a lot of ability to manipulate generated links.

Typing go/wiki is faster than typing "wiki" in my search bar and hitting the down arrow 5 times for the correct autocomplete answer. I found the bigger (unexpected) value of something like this to be that when I don't know what I want, someone else is likely to have defined it already. E.g. go/401k at my employer takes me right to the wiki page about our 401k plan with a link to our provider prominently at the top. Nobody told me this existed, I simply needed info about our 401k plan and assumed someone, at some point, would have created it. Sure, I could bookmark it or something, but simply typing go/401k "just works" for me. It's also really nice for new hires who don't have some super robust autocomplete history already built up.

That's the value prop.

One thing I miss from fburl (Facebook's go-links) is that pretty much EVERY internal system had built-in support for creating them.

A perfect example would be the Scuba and OBS observability UIs. Instead of sharing a gnarly 500-character URL in chat to point someone to a specific query, you click "generate fburl" and get a short link.

More and more commercial/open-source software has built-in support for creating their own short links these days (Grafana and Kibana both do), but having it be ubiquitous -- and easy to integrate into new tools -- was really nice.

Take documents for example. You can have go/feature1-design-doc that points to a Google doc with the design discussion for feature 1.

No need to find it on Google Drive (where the title may or may not follow consistent patterns) or remember which of the many Google doc links in autocomplete is the correct one.

It's really nice if you have a big company with many centralized systems. For example, if you want to book PTO but you don't know the specific link, you can just do go/pto or go/vacation and it will probably work.

this is great summary of what you're asking for! https://golinks.com/blog/the-ultimate-guide-to-go-links/

It's a term they've had to invent because the term "VPN" has been twisted into being synonymous with "proxy server" nowadays, but really a tailnet is a VPN (not a proxy!)

A tailnet is a true "virtual private network" in the sense that it's a non-physically defined network to which which numerous devices can connect and see each other directly. The underlying physical network, a layer below, is (mostly) irrelevant to the operation of this network, and that's the part that's beautiful about Tailscale's implementation in particular. You could have a Pi Zero in your garage, a VPS in Australia, and your laptop in New York all joining the same private network ('tailnet') and interact as if they were on the same local physical network (in most respects).

A tailnet is sometimes also called an 'overlay network'. The tailscale system sets up VPN links from all your devices to each other. This means they can act like they are all on one local network together, while not having to worry about the physical network setup the traffic is being carried on.

I was thinking about asking here if anyone could give a brief yet full overview of what exactly tailscale is and who/how it benefits. I've read about it, but I still don't get it.

Is knorton some combination of Knuth and Norton antivirus?

golinks.io is a close copy.

It would also be pretty ironic if so, given that the idea was basically lifted from Google internal infra.

Trademark was found via a Hackernews thread? You guys are good :) We have three trademarks that we've defended successfully before. Would encourage anyone wanting to try to use go/links, to just sign up to https://www.golinks.io ... it's completely free to use, forever and you can get started in a few seconds. We're trying to get go/links everywhere and are happy to be at the forefront of that :)

I was going to say the terminology comes from inside Google, where afaik go links were invented. However, yeah, that's straight up a trademark. You'd need a lawyer to know whether the trademark would survive litigation, and whether the s on those trademarks makes a material difference. (OP isn't plural, those trademarks are)

More like a shared bookmark service, aligned to the peculiarities of tailscale's DNS.