Mutual TLS | The Backend Engineering Show

  • Published 3 Jul 2024
  • Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)
    network.husseinnasser.com
    Transport Layer Security (TLS) is a protocol that encrypts the communication between client and server. TLS can also be used to authenticate the server; when the client is also required to authenticate, this is called Mutual TLS, and that is the topic of today's show.
    0:00 Introduction
    2:00 What is TLS?
    7:00 Server Authentication TLS
    14:00 Advantages of one way TLS
    19:44 Disadvantages of one way TLS
    29:00 mTLS
    31:00 Advantages of mTLS
    37:00 The Problems of mTLS
    43:00 Summary and my Thoughts
    Fundamentals of Database Engineering udemy course (link redirects to udemy with coupon)
    database.husseinnasser.com
    Introduction to NGINX (link redirects to udemy with coupon)
    nginx.husseinnasser.com
    Python on the Backend (link redirects to udemy with coupon)
    python.husseinnasser.com
    Become a Member on UA-cam
    / @hnasr
    Arabic Software Engineering Channel
    / @husseinnasser
    🔥 Members Only Content
    • Members-only videos
    🏭 Backend Engineering Videos in Order
    backend.husseinnasser.com
    💾 Database Engineering Videos
    • Database Engineering
    🎙️Listen to the Backend Engineering Podcast
    husseinnasser.com/podcast
    Gears and tools used on the Channel (affiliates)
    🖼️ Slides and Thumbnail Design
    Canva
    partner.canva.com/c/2766475/6...
    Stay Awesome,
    Hussein
  • Science & Technology

COMMENTS • 24

  • @scotgabriel 2 years ago +14

    You do an amazing job of turning technical details into followable concepts. Reminds me of listening to Richard Feynman talk about physics. Sincere thank you.

    • @hnasr 2 years ago +7

      Thank you so much; putting my name next to Feynman humbled me, he is a brilliant scientist. Glad you liked the content and thanks for the support Scot.
      I think it comes down to how engaged the teacher is in the content, and I absolutely like what I talk about, and maybe that shows in the videos.

  • @MrHellfinger 2 years ago +4

    Good presentation. Certificate management can be challenging. Use monitoring tools to warn you before they expire (Nagios, Zabbix, DataDog, etc). Otherwise, you will find out your certs expired during an expensive outage. Use case: Customer requires mTLS. Implement mTLS to ensure only comms between agreed upon client/servers happens. Works for several years until expiration. At that point, the original engineers who implemented are gone...Troubleshooting for hours during an outage begins - which includes many discussions about details and RTS (return to service) that should have been already known. Documentation is your friend and the friend of anyone who inherits your systems.

  • @hemant_pande 2 years ago +2

    Hey Nasser, I used to love your old style of explaining concepts using diagrams, made it much easier to understand in the past.

  • @Mikenight120 2 years ago

    Love the content! I think it's great to have these long videos and dive deep into topics.

  • @orkhan.alibayli 2 years ago

    I loved this. Diving deep is always good.

  • @fedelecavaliere5249 2 years ago

    This is a chill podcast.
    Nuts

  • @yahorhancharyk2443 2 years ago

    Thank you for your work. Your videos somehow synchronized with what I currently work on ;) I watch them with great pleasure: very detailed explanations, and videos packed with information.

  • @pablourbanohernandezvizcarra 1 year ago +1

    Thanks for the amazing video

  • @amandwivedi6867 2 years ago

    This looks interesting.

  • @hisayssaumya12 8 months ago

    Your mysterious voice makes the lecture very interesting

  • @BinaryIgor 1 year ago

    The passwordless case that you described is more or less the idea behind web3 authentication.
    You can basically prove your identity by showing that a public key belongs to you ;)
    To do that you obviously need to have the private key, which is stored in your crypto wallet.

  • @padmabushan 1 year ago +1

    This guy is carryminati for Networking and systems

  • @MohamedEldoheiri 1 year ago

    Minute 47
    Yes, passwordless authentication relies on a device certificate created by the manufacturer. When the device is first registered with a service like Netflix, it first verifies the device certificate to make sure it's a legitimate device; the OS creates a new key pair for the user account and the service, and the client sends the public key to Netflix to pair with the user account.
    For authentication, Netflix verifies the device certificate again, sends a challenge to be signed by the private key generated by the OS during registration, and verifies the challenge.

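The register-then-challenge flow described in the comment above, as an added example that is not code from the video or from the commenter. It assumes only the openssl CLI on PATH; the device names, the "service-stored-" file prefix standing in for the service's database, and the challenge file names are all constructed for the demo. A P-256 key pair plays the role of the per-account key the OS creates at registration; the device-certificate check that precedes it is not modelled here.

```shell
#!/bin/sh
# Added example, not code from the video or the comment: registration of a
# device-held key followed by challenge/response login. Assumes the openssl
# CLI is on PATH. All names below are constructed; "service-stored-*.pub"
# stands in for the public key the service keeps in its account database.
set -e
WORK="$(mktemp -d)"   # scratch directory, nothing system-wide is touched
cd "$WORK"

# Registration: the device generates a fresh P-256 key pair for this account
# and hands only the public half to the service, which stores it.
register_device() {
  device="$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$device.key"
  openssl pkey -in "$device.key" -pubout -out "service-stored-$device.pub"
}

# Login, step 1 (service): mint a fresh random challenge. A new value per
# login is what stops a captured signature from being replayed later.
new_challenge() {
  openssl rand -hex 32 > "$1"
}

# Login, step 2 (device): sign the challenge with the private key, which
# never leaves the device. Writes "<challenge>.sig".
sign_challenge() {
  device="$1"; challenge="$2"
  openssl dgst -sha256 -sign "$device.key" -out "$challenge.sig" "$challenge"
}

# Login, step 3 (service): check the signature against the STORED public key
# for the claimed device. Exit status 0 = proof of possession succeeded.
verify_response() {
  device="$1"; challenge="$2"
  openssl dgst -sha256 -verify "service-stored-$device.pub" \
    -signature "$challenge.sig" "$challenge" >/dev/null 2>&1
}

register_device tv-livingroom
register_device tv-other        # a second device with its own key pair
new_challenge login1.bin

sign_challenge tv-livingroom login1.bin
verify_response tv-livingroom login1.bin && echo "tv-livingroom: authenticated"

# The same challenge signed by a different device's key does not verify
# against tv-livingroom's stored public key: possession of the right private
# key, not knowledge of any shared secret, is what is being proven.
sign_challenge tv-other login1.bin
verify_response tv-livingroom login1.bin || echo "tv-other: rejected"
```

The service only ever holds public keys, so a breach of its database yields nothing that lets an attacker log in, which is the property the video's passwordless discussion is after.
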
  • @user-gs6eg1mc1c 5 months ago

    Hi Hussein,
    Do the client certificates need to be signed by public CAs or private CAs? I want the clients who have the cert to be able to connect to my server. If I trust a public CA then all the clients whose certificates are signed by that public CA are able to connect, right? In that case, for mTLS, does the server need to have a CA and sign the certificates of the clients it allows to connect?

  • @shivambansal5572 1 year ago

    You mentioned that to verify the certificate sent from the server we will reach out to the certificate authority, but how do we know it's really the certificate authority and not an attacker?

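Added example for the two questions above (the client-CA question and the "how do we know it is really the CA" question); it is not code from the video or from either commenter. It assumes only the openssl CLI (1.1.1 or newer) on PATH; the CA and client names and subjects are constructed. It shows the standard mTLS arrangement: the server is configured with a trust anchor (here a private CA it runs itself), and a presented client certificate is accepted only if a signature chain leads from it to that anchor. The check is entirely local, so nobody "reaches out" to the CA during the handshake; what makes the CA trustworthy is that its certificate was installed as an anchor ahead of time, exactly as browsers ship with a preinstalled root store.

```shell
#!/bin/sh
# Added example, not code from the video or the channel: a private CA as the
# server's mTLS trust anchor. Assumes the openssl CLI (1.1.1+) is on PATH.
# Every name and subject below is constructed for the demo.
set -e
WORK="$(mktemp -d)"   # scratch directory: the system trust store is untouched
cd "$WORK"

# Create a self-signed root CA (key + certificate). `req -x509` marks the
# certificate as a CA by default.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1.key" -out "$1.pem" -subj "/O=Demo/CN=$1" >/dev/null 2>&1
}

# Issue a client certificate signed by the named CA. The extension file
# restricts the certificate to TLS client authentication.
issue_client() {
  ca="$1"; client="$2"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$client.key" -out "$client.csr" \
    -subj "/O=Demo/OU=Payments/CN=$client" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$client.ext"
  openssl x509 -req -in "$client.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$client.ext" \
    -out "$client.pem" >/dev/null 2>&1
}

# What an mTLS server does with a presented client certificate: build a chain
# from it to a locally stored trust anchor and check the chain is valid for
# client auth. There is no round-trip to any CA; -no-CApath/-no-CAfile keep
# the system store out of it so only OUR anchor counts.
# Exit status 0 = accepted, non-zero = rejected.
verify_client() {
  anchor="$1"; cert="$2"
  openssl verify -no-CApath -no-CAfile -CAfile "$anchor" \
    -purpose sslclient "$cert" >/dev/null 2>&1
}

# After authentication, the identity used for authorization decisions is the
# subject of the verified certificate, never anything the client claims loosely.
client_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

make_ca internal-ca     # the CA our server trusts (e.g. nginx ssl_client_certificate)
make_ca other-ca        # some other CA: a public one, or another organisation's
issue_client internal-ca alice
issue_client other-ca   mallory

verify_client internal-ca.pem alice.pem \
  && echo "alice:   accepted, subject $(client_subject alice.pem)"
verify_client internal-ca.pem mallory.pem \
  || echo "mallory: rejected, issuer is not one of our trust anchors"
```

Trusting a public CA as the client anchor would admit every holder of a certificate from that CA, so for mTLS between known parties the anchor is normally a private CA (or a specific intermediate) that the operator controls, and revocation (CRL or OCSP) plus expiry monitoring become the operator's job.
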
  • @EpicTolu 2 years ago

    😀

  • @maximus6884 2 years ago

    Norton also signs google certificates for money

  • @hitmusicworldwide 1 year ago

    Btw the "t" is pronounced, it just passes by so quickly you don't notice it and it sounds like sh to you. This often happens to people who are not native speakers of any language, many times they will substitute a phantom pronunciation based upon the phonemes that their native language is familiar with. As you are familiar with Japanese you know that they do it to English, substituting more easily pronounced Japanese phones to approximate the English they thought they heard and can pronounce. I studied Arabic, but only a year. I can think of many cases where initial SH are part of Arabic words, but I can't think of any where s&t are. Am I incorrect? Most likely, but you can correct me on that.

    • @hnasr 1 year ago +1

      Thanks, it does make sense. It's very interesting

    • @hitmusicworldwide 1 year ago

      @@hnasr Think of it as a conditioned brain's error correction algorithm ( more Arabic ) . It IS interesting. I find your videos interesting and easy to understand. Your accent is very slight, not a problem, but still reflects your Arabic background. That's great!
      Arabic is a beautiful language for me. Written as well as spoken. It can be said with so much feeling and soul. I like Arabic pop music. Even the classic stuff from the 60's like Feyrouz etc. Back to tech: I have heard instructional YT videos done by non-English speakers that are challenged at English pronunciation. What I find is, I have trouble following. Especially highly technical new subject videos. Why? Because, I believe technology is another language and vocabulary and "way of thinking" in and of itself. That creates a load on the I/O of my brain's processing and pattern matching. Then, my brain is doing real time error correction with a guy pronouncing "w" as "v" [ error flag - resend those packets again please ] or "r" as "d" as many Hindi speakers do. When learning new technical information and terms, the parsing, (followed by in memory contextual vocabulary lookups ) [ was that a mispronunciation or a term or framework/ method I do not know yet?] {on event use best guess match and parse forward and backward for sentence logic reconstruction} and error correction put a lot of strain on the grey matter. Suffice to say your manner of discussion, thinking it through, with its small breaks is GREAT for allowing the tech cache to catch up, recognize, store and flush for the next knowledge stream. I know this is a long response. But I started on your lectures like I do with language learning. I jump in the middle of these technical concepts. Play the talks over and over again until it starts to make sense. Once kinda understood, I then come back to reinforce. Whew!

  • @maximus6884 2 years ago

    Root certificates are what needs to be changed about current www. Root certificate authorities are mostly government controlled. This is something WEB3 addresses

  • @autohmae 2 years ago +1

    (my comment kept getting blocked/ghosted/marked as spam somehow yesterday, here is an incomplete one)
    This is a cool topic, only in recent years has it become better known/more used. Bootstrapping trust is hard.
    13:18 Windows will automatically try to download root certificates by contacting Microsoft if it encounters a root certificate it doesn't know.
    13:30 this sounds familiar :-)
    18:27 also why 'DNS Certification Authority Authorization' now exists, hopefully making it more secure
    21:18 if you do want to be scared, look up: badBIOS. We don't know if it's real/correct, but scary if it is.
    38:32 you can also have a generic configuration on the server, configure what CN-parts you want to allow and when you sign the cert of a service you add the name of, for example, the department (OU). That way all the services of a department are allowed to connect to a server. Thus reducing the amount of maintenance.
    39:38 SPIFFE exists, they sort of solve it, kind of like trusted computing or a certificate chain
    46:18 WebAuthn/FIDO2 are probably the closest to that we have. It's pretty much just as secure, it uses keys, etc. and the keys are per hostname.
    So you have a private key per website you authenticate to. No key reuse. Also means you can not spoof.
    It could be a Yubikey-like device or a built-in TPM or other secure element

  • @cloud-pants 2 years ago

    You just told everyone my P@sswrd1!! Now I've got to update my Pizza Hut account :(