RsmFz's comments (Hacker News)

But I never maximize my web browsers, either


Looks correct now on Firefox on macOS (light mode, probably)


The screenshot doesn't load for me, but I see a very dark color, maybe purple, on black background. Absolutely no way to read anything, just about able to make out that there is some text.

Firefox on Android, no dark mode.


We have that here at Firezone. To deal with I/O we don't use Tokio inside the test boundary at all, just futures. So no I/O, no sleeping, etc. Thomas explained it here https://firezone-git-docs-blogsans-io-firezone.vercel.app/bl...

I haven't dealt with it directly on Firezone but I wrote one or two games this way for game jams years ago, and I keep wishing it would catch on. It was harder with the games because floating-point math doesn't like to be deterministic across platforms.


I think it's LiveView for the frontend-backend comms and Tailwind CSS for some of the frontend, not sure if that answers your question

-- (non-web) developer at Firezone


Oh so that allows it to run in-process?

That's cool, I did that for an HTTP forwarding thing a while back.


Yes, indeed, this blog gives a great view on it - https://blog.openziti.io/go-is-amazing-for-zero-trust - using Golang and HTTP examples. My favourite part:

"Now, your server has no listening ports on the underlay network. It's literally unattackable via conventional IP-based tooling. Seriously, stop and consider that for just a moment. By adopting an OpenZiti SDK into the server, all conventional network threats are immediately useless."


Well that's also true for Firezone :)

It's a tradeoff between in-process and out-of-process though. It's nice that Firezone Gateways don't have access to the service's memory space and can't crash the process, but it's also nice that an in-process Gateway equivalent doesn't need to loop through the network to reach its service.


Maybe we are referring to different things when we say 'process'... I am not aware (happy to be educated) of Firezone having SDKs to embed the zero trust overlay running directly in an application, i.e., in the app process and memory.

Do they support this?

I hear you on having 'out of process', that's why OpenZiti also has tunnellers for deploying on host as well as virtual appliances to run in the DMZ/VNET/VPC etc. I was only aware of Firezone supporting those 2 deployment models.


Hm, is Wireguard getting blocked by middleboxes or something?


Sometimes, yes. MASQUE just looks like normal TLS port 443 traffic, so it's less likely to be prevented. Other issues we had were just bugs with the WARP WireGuard implementation regarding how the tunnel is built in Windows. I imagine it works better on Linux or macOS, which is likely what the developers were running when they designed WARP.


Depends. MASQUE implies QUIC, and a lot of corporate networks still block QUIC, forcing a fallback to TCP (for web browsers).

Not sure how they want to address this in case of WARP?

Nevertheless, MASQUE is a pretty exciting development in the network space.


Ah, that's tough, because WireGuard being UDP is a selling point for us at Firezone.


I live by but two rules: private keys stay on the storage device they're first saved to, and makeup stays with the first person to use it.


Firezone employee here. I believe we have an idea to let customers sign their keys so that they don't need to trust our portal not to rewrite keys. This is probably the same idea Tailscale hit on.

(I can't find this idea in the issue tracker and I don't think it's on the roadmap yet, but we've discussed it.)

Unfortunately there is a big convenience-security tradeoff; managing your own keys and certs is a lot of work.


> has signed a bill into law that will significantly curb the penalties companies could face for improperly collecting and using fingerprints and other biometric data from workers and consumers.

Darn. I would really like less biometrics.


I think the phrase is "zero-cost abstractions", meaning "Supposing you want bounds checks, you may as well use ours and not roll your own"


It's true that you can escape them, though. There are some other small things (which AFAICT you can escape from as well).

