Question about security warning for VS code tunnels
What is inaccurate?
We should provide more clarity on what is insecure about dev tunnels so that it's not a reactionary security warning.
Where is the inaccuracy?
As I understand, dev tunnels are end-to-end encrypted between the user's client desktop and the vscode app on the cluster. This makes it no less secure than any other security mechanism to access the cluster for PHI use (ssh, https). It seems like just a mechanism to route communication between two NAT'd endpoints by connecting to a public-IP-based TCP interconnect.
We should clarify if this is true and work to remove the warning if so.
Here is MS's overview of security: https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security. They don't say "end to end" explicitly. They do say it in the dev issue https://github.com/microsoft/vscode/issues/168370#issuecomment-1343028222.
Happened to see this while updating the linked issue. Happy to answer any questions.
> This makes it no less secure than any other security mechanism to access the cluster for PHI use (ssh, https)
Like the others, it should be as secure as the credential (GitHub/Microsoft) you use to authenticate, although the credential is arbitrated by a 3rd party, unlike an SSH key.