Conference:  Defcon 31
Authors: Michael Stepankin Security Researcher at GitHub

Although x509 certificates have been here for a while, they have become more popular for client authentication in zero-trust networks in recent years. Mutual TLS, or authentication based on X509 certificates in general, brings advantages compared to passwords or tokens, but you get increased complexity in return. In this talk, we'll deep dive into some novel attacks on mTLS authentication. We won't bother you with heavy crypto stuff, but instead we'll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation and information leakages. We present some CVEs we found in popular open-source identity servers and ways to exploit them. Finally, we'll explain how these vulnerabilities can be spotted in source code and what safe code looks like.
Authors: Eli Nesterov

Enabling production-level TLS/mTLS for applications and APIs often requires a lot of effort and cross-team collaboration. It is easier for north-south and Internet-facing traffic but much harder for east-west traffic and internal applications. Adding secure authentication on top of that is an even harder task. As developers, we want to focus on business logic, adding new features, and shipping products. So it is not a surprise that we often push adding transport-level security and secure authentication till the very last moment and then rush to enable it. Sounds familiar? This situation often leads to different "bolt-on" security solutions as a compromise. It lets development teams focus on the business logic while security features are added transparently through various mechanisms like side-cars, service meshes, and API gateways. What if there is a better way? What if we can build apps and APIs with automated mTLS and secure authentication without adding friction for developers? In this talk, we'll discuss SPIFFE and SPIRE and how you can use them to secure microservices communication automatically. We'll look into different SPIRE architecture models and usage scenarios and examine ways to enable it by default, removing friction for developers. I'll demonstrate different use cases, including transparent authentication to AWS, GCP, or Azure cloud services through federation, even if you are running in your on-prem data center.
Authors: Sanjay Pujare

tldr - powered by Generative AI

The presentation discusses the implementation of secure communication in gRPC using the xDS protocol and the certificate provider plug-in framework.
  • gRPC uses xDS protocol to implement secure communication between clients and servers
  • Certificate provider plug-in framework enables various mechanisms to obtain certificates and keys
  • The framework is implemented in gRPC Go, C++, Java, and Python
  • The presentation provides links to resources for more information
Authors: William Morgan

mTLS (mutual TLS) and policy are two hot topics in the Kubernetes world. In this 10-minute crash course, Linkerd creator William Morgan will teach you 90% of what you need to know about these two security concepts. He'll walk you through what mTLS is, how it works, and how to build authorization policy on top of it. He'll show you how to get mTLS and authz policy in about 5 minutes using Linkerd, the CNCF's flagship service mesh, and point out some common pitfalls and gotchas to avoid.