Conference:  Defcon 31
Authors: Aapo Oksman, Senior Security Specialist, Nixu Corporation
2023-08-01

TLS is the de facto way of securing network connections. It provides an easy way of ensuring confidentiality, integrity and authentication for any type of communication. However, like most things in life, this is also too good to be true. TLS allows communicating parties to uniquely authenticate each other by validating each other's certificate. However, many TLS libraries and frameworks have insecure default settings or allow for the developers to skip important aspects of certificate validation in their client implementations. This talk explores issues in TLS client certificate validation and the underlying reasons why developers still fail to implement TLS correctly. Most importantly, we hack all the things with a new TLS mitm tool: certmitm. certmitm automatically discovers and exploits insecure certificate validation vulnerabilities in TLS clients. Let's use the tool to hack iOS, Windows 11 and more while we deep dive into the world of insecure TLS certificate validation.
Authors: Eli Nesterov
2022-11-18

Enabling production-level TLS/mTLS for applications and APIs often requires a lot of effort and cross-team collaboration. It is easier for north-south and Internet-facing traffic but much harder for east-west traffic and internal applications. Adding secure authentication on top of that is an even harder task. As developers, we want to focus on business logic, adding new features, and shipping products. So it is not a surprise that we often push adding transport-level security and secure authentication till the very last moment and then rush to enable it. Sounds familiar? This situation often leads to different "bolt-on" security solutions as a compromise. It lets development teams focus on the business logic while security features are added transparently through various mechanisms like sidecars, service meshes, and API gateways. What if there is a better way? What if we can build apps and APIs with automated mTLS and secure authentication without adding friction for developers? In this talk, we'll discuss SPIFFE and SPIRE and how you can use them to secure microservices communication automatically. We'll look into different SPIRE architecture models and usage scenarios and examine ways to enable it by default, removing friction for developers. I'll demonstrate different use cases, including transparent authentication to AWS, GCP, or Azure cloud services through federation, even if you are running in your on-prem data center.
Authors: Andrew Harding
2021-10-15

tldr - powered by Generative AI

The presentation discusses the use of SPIFFE/SPIRE for cross-cluster authentication in Kubernetes.
  • SPIFFE is a set of specifications for getting a cryptographic identity for workloads to authenticate with other workloads
  • SPIRE is a tool that implements SPIFFE specifications
  • Cross-cluster authentication is complicated, but can be solved with SPIFFE/SPIRE
  • The presentation includes a live coding and demo session to show how easy it is to use SPIFFE/SPIRE in Kubernetes workloads
Authors: Ryan Turner
2021-10-15

tldr - powered by Generative AI

SPIFFE is a secure production identity framework that provides a new model for identifying workloads to enable strong authentication in service-to-service communication.
  • SPIFFE is an open-source set of specifications that defines what a workload identity is and how to represent it
  • SPIFFE allows identifying workloads in a microservices, container-based world without relying on network-level constructs like IP address or DNS name
  • SPIFFE describes a workload identity through a SPIFFE ID, which is an identifier string represented as a URI
  • SPIFFE enables federation to allow workloads running in different trust domains to talk to each other and trust each other
  • SPIFFE is working on improving attestation of supply chain provenance, enabling secretless authentication to GCP using OpenID Connect Federation, and improving key revocation and forced rotation within SPIRE
  • SPIFFE is also working on enabling secretless authentication to Azure using OIDC Federation and improving the health check subsystem and error messages