Golink: A private shortlink service for tailnets
github.com
This made me wonder what the oldest go-link (from inside Google) discoverable on the public internet is. The earliest I've found is from Nov 2009: https://github.com/google/closure-library/blame/11ed104958a2.... (The second closest I've found in another repo is in RE2 from Mar 2010, https://github.com/google/re2/blame/954656f47fe8fb505d4818da... - and yes, both of these existed prior to the listed date, but I'm going off associated timestamps.)
(Fun fact: go-links are so critical to Google ops, that they're expected to be accessible in an "everything is down" scenario.)
Not just Google, every prominent Silicon Valley company such as Twitter, Facebook, Stripe, Square, even JP Morgan has an internal go/.
Fascinating history of workplace search is that at Google and Stripe if you don't find any relevant document under go/, it will take you to your workplace search portal. Both Google and Stripe have built an internal document + file + people search portal called Moma and Stripe Home respectively.
You can read more about Stripe Home here - https://stripe.com/blog/stripe-home
Facebook/Meta also has one called Intern (horrendously confusing name I know) that has profiles, doc/wiki search and all the other associated data types. One nice feature of Intern is that you can link to bugs, code changes, etc in any surface just by pasting the formatted ID and it will parse the link automatically. There's also a shared notif system which is convenient.
Source: Former PM for part of Intern
Nitpick: Google's go/ links don't automatically point to Moma Search if no result is found.
Wow that's a cool idea to make little services accessible over your tailscale network. Kind of reminds me of tor hidden services for your own private use but wayyyyy better UI and experience.
More "Go"ogle culture out in the wild.
I've seen these at a few companies now. I'm a little surprised they're still called "go"-links, though I suppose the name works everywhere.
Huh. This is a thing I've seen at a few companies now and never seen reference to them coming out of Google. It makes sense, but it's also completely standalone - "go to the page."
A couple of the startups that do go links have blog posts on the history:
Those 2 stories kind of contradict each other. One says Benjamin Staffin invented golinks, then later another Googler built golinks in 2006. The other says Benjamin Staffin created golinks around 2009/2010.
Original author of https://github.com/trotto/go-links here! We spoke with Benjamin directly, so I trust his recollection.
It was one of the most popular “mini-services” at Google alongside less useful things like percent/ (which shows your tenure percentile), memegen and a bunch of others, maintained by like a single engineer on the side. These were (at least to me) what was so great about Google’s early engineer-driven culture. It was like the early web app age in a sense…
Especially because Golink seems to be (at least partially) written in Go
Pretty sure Google’s original golinks predate Go the language by many years
I implemented this for my personal use and chose “aka/“ instead of “go/“. Still short, and still pretty self explanatory, but unique.
A few weeks back, I installed Tailscale on a Friday and the following Sunday my machine (Ubuntu 22.10) was hacked and running mining/tracking software and rsyslog. I only noticed because my fans were spinning harder than usual.
caveat emptor
Ouch.
CVE-2022-41924 Severe 9.6
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.
Published November 23, 2022.
That is pretty bad. How the heck can a page in a browser send requests to a listening socket on my machine, bound to 127.0.0.1?
Also how does an attacker "rebind DNS"? What does this even mean?
EDIT: more details here: https://emily.id.au/tailscale
Only affected Windows though. The user is on Ubuntu.
But given what Tailscale does, lateral movement after compromising a Windows host in the network seems entirely possible.
I wonder if this golink service is also vulnerable to DNS rebinding. Briefly looking at the code, it seems likely: it relies on Tailscale's usual "assume anyone who can connect to the service is authorized" security model and doesn't check the Host header. But maybe there's some mitigation I'm missing.
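The Host header check that the advisory and the comment above refer to, as an added example in Go (not golink's or Tailscale's own code): after a DNS rebind the browser still sends the attacker's domain in `Host`, so a service that answers only to its own names rejects the request. The allow-list entries and the names `hostAllowed`, `requireHost` and `statusFor` are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed allow-list: the names this hypothetical service is reached by.
var allowedHosts = map[string]bool{"go": true, "go.example.ts.net": true}

// hostAllowed normalises a Host header value (port, case, trailing dot,
// IPv6 brackets) and reports whether it is on the allow-list.
func hostAllowed(hostHeader string, allowed map[string]bool) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // "name:port" or "[::1]:port"
	}
	host = strings.Trim(host, "[]")
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	return allowed[host]
}

// requireHost rejects any request whose Host header is not an expected name.
// A rebound request carries the attacker's domain in Host and gets a 403.
func requireHost(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host, allowed) {
			http.Error(w, "unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one in-memory request with the given Host header through
// the guarded handler and returns the response status code.
func statusFor(host string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	requireHost(allowedHosts, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, h := range []string{"go", "go.example.ts.net:80", "rebind.attacker.example"} {
		fmt.Printf("%-26s -> %d\n", h, statusFor(h))
	}
}
```

A Host check of this kind complements, and does not replace, authenticating the caller.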
Do you feel that your being “hacked” was somehow a result of your using Tailscale? I mean, that’s the obvious implication.
I tend to think so but I am not sure. It was the only change I made on the machine for a long time and the only public internet exposure allowed on the machine.
Is this a general thing? I thought it was specific to my former employer (F5). We used go/(foo) extensively and there were numerous hotlinks for all sorts of internal services as well as a pretty interesting interface to design your own. I had thought it was an internal service developed internally. It looks like our internal version was a lot better than this open source version, at least by the screenshots.
It originated at Google, but at this point most BigTech or places founded by former BigTech have their own version. There's even a SaaS version: https://www.golinks.io/
Hey! I work for GoLinks, just wanted to thank you for the shout-out!
I wrote the one for F5, in 2011 I believe. I didn't know specifically about Google's at the time, but the general concept was in the air. I was inspired by the old-school CompuServe (or was it AOL?) "go <keyword>" command. Bill Booth worked to get f5go open-sourced a few years after that [1].
And I'm glad you appreciated f5go's additional features; my personal favorite is the "lists" feature: a single go/ link can become a list of links very easily. Very useful for gathering research on a topic into a single place. I keep wanting to set up a personal f5go server so I can share short mnemonic links that might be lists like this.
Hello fellow former F5er! I was there from late 2016 through early 2021. I left as I wasn't a fan of how things were heading and I also found the general software hygiene to be quite bad and I kept wanting to use more local static analysis as a normal part of development, which was difficult given the convoluted build process for the software. I worked on TMM.
Yeah I had this in Square and at Twitter
One gripe I have when using my own private golinks is that browsers take me to go.com/ instead of go/ if I don't prefix it with https://. So I end up having to type 8 additional characters.
On Chrome at least, you can go set up custom search engines, so for example instead of ‘go/‘, you would type ‘go<TAB>query’, and then you can configure that to open whichever fully qualified URI you want.
If you have the domain in your dns suffix list for resolution (ie: foo.bar.net), you can just type `go/` in the browser... and it should resolve go.foo.bar.net.
Big fan of Tailscale, yet I wonder whether it wouldn’t be better to make internal services securely available over the internet (zero trust rather than castle-and-moat). On the other hand, the former might be just too expensive for smaller organisations.
nebula[0] may be interesting; you can allow list connectivity for specific groups, all burned into the cert used to join the network. It uses some NAT hole punching orchestration to accomplish connectivity between hosts without opening ports.
The main painful thing I've found has been cert management. PKI, as usual, is not a solved problem.
I've managed to do some fun stuff using salt + nebula on the hobby side.
I forgot to add a link to our recent announcement blog post to the project README. I've added that now, and I think it may help explain why we specifically built a service like this on top of Tailscale to take advantage of Magic DNS, automatically authenticated connections, etc. https://tailscale.com/blog/golink/
Zero trust doesn't mean abandoning defense-in-depth.
Stay tuned, I have plans :)
Tailscale is an alternative architectural approach to doing exactly that. It's a single point-of-auth for a lot of internal services, that you can access from anywhere. It handles it at a completely different layer, but isn't fundamentally different.
"On the other hand, the former might be just too expensive for smaller organisations."
GCP's Identity Aware Proxy (IAP) comes free with the load balancer
No reason you can’t do both.
cloudflared
I've never worked at a company that uses go links so I have to ask - what problem do these solve? Every URL I visit frequently automatically shows up in auto complete suggestions in my browser.
A huge one is documentation linking. By having the indirection in one place you don’t have to swap all the various places that might be linked to something, you just switch the go link.
This is especially valuable when switching cms/erp/ticket systems etc where you may not have a lot of ability to manipulate generated links.
Typing go/wiki is faster than typing "wiki" in my search bar and hitting the down arrow 5 times for the correct autocomplete answer. I found the bigger (unexpected) value of something like this to be that when I don't know what I want, someone else is likely to have defined it already. E.g. go/401k at my employer takes me right to the wiki page about our 401k plan with a link to our provider prominently at the top. Nobody told me this existed, I simply needed info about our 401k plan and assumed someone, at some point, would have created it. Sure, I could bookmark it or something, but simply typing go/401k "just works" for me. It's also really nice for new hires who don't have some super robust autocomplete history already built up.
That's the value prop.
One thing I miss from fburl (Facebook's go-links) is that pretty much EVERY internal system had built-in support for creating them.
A perfect example would be the Scuba and OBS observability UIs. Instead of sharing a gnarly 500-character URL in chat to point someone to a specific query, you click "generate fburl" and get a short link.
More and more commercial/open-source software has built-in support for creating their own short links these days (Grafana and Kibana both do), but having it be ubiquitous -- and easy to integrate into new tools -- was really nice.
Was at FB for many years, and I so miss this, getting an fburl from almost anywhere I am and quickly being able to send that over to someone. Now whenever I try to share some link (eg a Datadog dashboard link), I have to send over humongous urls over slack / wherever.
Take documents for example. You can have go/feature1-design-doc that points to a Google doc with the design discussion for feature 1.
No need to find it on Google Drive (where the title may or may not follow consistent patterns) or remember which of the many Google doc links in autocomplete is the correct one.
It's really nice if you have a big company with many centralized systems. For example, if you want to book PTO but you don't know the specific link, you can just do go/pto or go/vacation and it will probably work.
This is a great summary of what you're asking for! https://golinks.com/blog/the-ultimate-guide-to-go-links/
I started reading about tailnet and still have no clue what it is
It's a term they've had to invent because the term "VPN" has been twisted into being synonymous with "proxy server" nowadays, but really a tailnet is a VPN (not a proxy!)
A tailnet is a true "virtual private network" in the sense that it's a non-physically defined network to which numerous devices can connect and see each other directly. The underlying physical network, a layer below, is (mostly) irrelevant to the operation of this network, and that's the part that's beautiful about Tailscale's implementation in particular. You could have a Pi Zero in your garage, a VPS in Australia, and your laptop in New York all joining the same private network ('tailnet') and interact as if they were on the same local physical network (in most respects).
From a purely networking perspective, there are far better solutions than tailscale.
Have a look at full mesh VPNs like:
https://github.com/cjdelisle/cjdns
https://github.com/yggdrasil-network/yggdrasil-go
https://github.com/gsliepen/tinc
https://github.com/costela/wesher
These build actual mesh networks where every node is equal and can serve as a router for other nodes to resolve difficult network topologies (where some nodes might not be connected to the internet, but do have connections to other nodes with an internet connection — I work with networks like that every day).
Sending data through multiple routers is also possible. They also deal with nodes disappearing and change routes accordingly.
tailscale (and similar solutions like netbird) still use a bunch of "proxy servers" for that. You can set them up on intermediate nodes, but they have to be dealt with manually (and you get two kinds of nodes). You also have to create routes for the node to be able to access the control server.
Tailscalar here.
Tailscale traffic flows directly between your devices in every situation we can make it work. E2E encrypted packets are relayed by our proxies (DERP servers) only when we cannot make a direct connection. This is rare, currently less than 5% of bytes get relayed and we hope to keep pushing that number lower.
For more details see https://tailscale.com/blog/how-tailscale-works/
A tailnet is sometimes also called an 'overlay network'. The tailscale system sets up VPN links from all your devices to each other. This means they can act like they are all on one local network together, while not having to worry about the physical network setup the traffic is being carried on.
I was thinking about asking here if anyone could give a brief yet full overview of what exactly tailscale is and who/how it benefits. I've read about it, but I still don't get it.
Assume all your machines have Internet access, which they probably do these days. Instead of having to create firewall rules and routes and that whole mess in order to connect to a machine on "the inside" somewhere, the machine reaches out to the Internet and creates a tunnel, and you connect to the machine through that tunnel.
Isn't that a VPN?
Yes... but a painless and damn near zeroconf one. It's WireGuard underneath.
I use it to access my NAS/network drive when I'm away from home.
When I'm at home I can access it no problem since I'm connected to my home network and so is the NAS. When I'm away it's not possible to connect to it because I'm on a completely different network.
With Tailscale installed on each device it seems like I'm still on my home network even when I'm away.
So it's a bit like a VPN? Except that you can join specific devices from a multitude of networks?
This is great. I love go links ever since knorton turned me on to them.
I will give this a spin first thing in the morning.
Is knorton some combination of Knuth and Norton antivirus?
Sorry, Kelly Norton, I didn't realize his username on here and github is kellegous not knorton.
I would never run Norton, but if it was combined with Knuth... that's a strong maybe.
ha!
A few months ago I tried to find a URL shortener that fit the bill, I was reading "Software Engineering at Google" and came across information regarding their internal `go/` URL.
I couldn't find anything, so I threw something together with Rust (using rocket), and gave it the ability to have static and dynamic backends, the dynamic backend would allow you to submit a link very easily.
a working example (with a static backend) is here: https://go.competition.company
I never got access to the real go/ service from google, so I wonder what I'm missing.
Here's the code: https://github.com/dijit/redirector-rs
golinks.io is a close copy.
Tailscale has been so great at all the tools they build and release upon tailscale itself. The real magic here is magicdns which is where all the heavy lifting is being done.
The name is going to be quickly problematic if the trademark holder for golinks.io decides to get litigious:
It would also be pretty ironic if so, given that the idea was basically lifted from Google internal infra.
Don't confuse a trademark with a patent. Even if Google uses "go links" internally, the fact remains that the trademark is registered and in use by another entity.
I mean, TinyURL launched in 2002.
Point taken, but I think it's a different concept -- named internal short-links versus randomly generated small strings for longer links.
Trademark was found via a Hackernews thread? You guys are good :) We have three trademarks that we've defended successfully before. Would encourage anyone wanting to try to use go/links, to just sign up to https://www.golinks.io ... it's completely free to use, forever and you can get started in a few seconds. We're trying to get go/links everywhere and are happy to be at the forefront of that :)
I was going to say the terminology comes from inside Google, where afaik go links were invented. However, yeah, that's straight up a trademark. You'd need a lawyer to know whether the trademark would survive litigation, and whether the s on those trademarks makes a material difference. (OP isn't plural, those trademarks are)
How can they defend a trademark that people used (at Google) before them?
A trademark is not a patent, you don't need to prove you were first to have "the idea". [IANAL] It's the first to use the term in a commercial context, which Google has not.
this is super cute, shout-out to the tailscale team!
dnsmasq?
More like a shared bookmark service, aligned to the peculiarities of tailscale's DNS.