HTTPS, SSL/TLS, Certificados, PKI, SNI, Apache VHosts, K8s Ingress...
¿cómo encaja este puzzle?
By Álvaro Iradier
Lightning DTalks by DareCode
PKI
CA & Certs
SSL/TLS
HTTPS
Vhost
K8s Ingress
SNI
What is love?
What is the smell of clouds? ®
Let's focus on computer and information security
Preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information
ISO/IEC 27000:2009
Confidentiality
Information is not made available or disclosed to unauthorized individuals, entities, or processes
Availability
The computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly
Integrity
Maintaining and assuring the accuracy and completeness of data over its entire lifecycle
CIA triad, portions, and layers
Snooping / eavesdropping
Unauthorized access to another person's or company's data. Snooping can include casual observance of a screen, watching someone typing, ...
Phishing
Fraudulent attempt to obtain sensitive information (user/pass, credit card) by disguising as a trustworthy entity in an electronic communication
Tampering
The act of deliberately modifying (destroying, manipulating or editing) data through unauthorized channels
Denial of reception / service
Preventing service from receiving request / legitimate users from accessing specific computer systems, devices, services or other IT resources.
Public-algorithm cryptography: only the key is secret (Kerckhoffs's principle).
Secret algorithms? Never. That is security by obscurity.
Firewalls
Cryptography or cryptology
(from Ancient Greek: κρυπτός, translit. kryptós "hidden, secret"; and γράφειν graphein, "to write", or -λογία -logia, "study", respectively) is the practice and study of techniques for secure communication in the presence of third parties called adversaries.
Used for integrity
How to distribute the Secret key?
Algorithms: DES, 3DES, AES (Rijndael), Blowfish, RC4, IDEA, Twofish...
Public key
Can (and should) be distributed.
Private key
Must be kept secret.
How to distribute the PUBLIC key?
Public Key Infrastructure
How to bind identities to Public Keys
Entities: people, organizations, servers. Have an identity
RA: Registration authority. Accepts requests, validates identity
CA: Certification authority
Issuance of certificates. Binding of identity - public key
VA: Validation authority
Verify the validity of the certificate (via CRLs)
Let's make it simple. What is a digital certificate?
Chain of trust
and self-signed certificates
Root CA certificates are self-signed... trust?
Transport Layer Security (TLS 1.3, 1.2, 1.1, 1.0), and its now-deprecated predecessor, Secure Sockets Layer (SSL 3.0, 2.0, 1.0), are cryptographic protocols designed to provide communications security over a computer network
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers)
Port based
IP based
Name based
Uses the Host: header of the HTTP request
Requires HTTP/1.1 (not a problem today)
IP
TCP
TLS/SSL
HTTPS
Network connectivity
Socket connected
TCP handshake
TLS handshake
Certificates exchanged
HTTP request
HTTP response
But which vhost? The Host: header only arrives in the HTTP request, after the TLS handshake and the certificate exchange
Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.[1] This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested.
https://en.wikipedia.org/wiki/Server_Name_Indication
IP
TCP
TLS/SSL
HTTPS
Network connectivity
Socket connected
TCP handshake
TLS handshake
Host name via SNI
Certificates exchanged
HTTP request
HTTP response
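The stack above says the host name travels in the ClientHello, before any certificate is sent, and the SNI slide says it travels in cleartext. The following added example (not part of the talk) makes both points concrete: it constructs a minimal TLS 1.2-style ClientHello carrying a server_name extension and then parses it the way a front-end or a passive sensor would, pulling the host name out of the unencrypted bytes. The ClientHello builder is a constructed sample (fixed random, one cipher suite), not a real TLS client, and the host names are placeholders.

```python
import struct

HANDSHAKE_RECORD = 0x16       # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type
SERVER_NAME_EXT = 0x0000      # extension type for server_name (SNI), RFC 6066
HOST_NAME_TYPE = 0x00         # the only NameType defined for SNI: host_name


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2-style ClientHello record.

    Constructed sample input for this demo, not a complete TLS client: zero
    random, one cipher suite, and (if hostname is given) a server_name extension.
    """
    # An unrelated extension first, so the parser has to walk past it.
    extensions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
    if hostname is not None:
        name = hostname.encode("ascii")  # SNI carries the ASCII (A-label) form of the name
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + bytes(32)                                # random: zeros (constructed)
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None when absent.

    Everything read here is plaintext: anyone on the path sees the name
    before the server has sent a single byte, let alone a certificate.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SERVER_NAME_EXT:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            ntype = data[p]
            (nlen,) = struct.unpack("!H", data[p + 1:p + 3])
            if ntype == HOST_NAME_TYPE:
                return data[p + 3:p + 3 + nlen].decode("ascii")
            p += 3 + nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("SNI on the wire:", extract_sni(hello))                     # www.example.com
    print("name visible in raw bytes:", b"www.example.com" in hello)  # True
    print("ClientHello without SNI:", extract_sni(build_client_hello()))  # None
```

The raw-bytes check is the eavesdropper's view: no key material is needed to learn which site is requested, which is exactly why Encrypted Client Hello work exists. A server (or a sniffing proxy) that receives a ClientHello with no server_name has nothing to pick a certificate by, so it falls back to a default certificate; the second call shows that case.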
ClusterIP: exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
NodePort: exposes the service on each Node's IP at a static port (the NodePort). A ClusterIP service, to which the NodePort service will route, is automatically created. You'll be able to contact the NodePort service, from outside the cluster, by requesting <NodeIP>:<NodePort>
LoadBalancer: exposes the service externally using a cloud provider's load balancer. NodePort and ClusterIP services, to which the external load balancer will route, are automatically created.
Warning
NOT INCLUDED in K8s. The load balancer is a service from the provider, e.g. AWS, GKE, F5 Load Balancer, etc.
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the ingress resource.
Kubernetes as a project currently supports and maintains GCE and nginx controllers
NO MAGIC!
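"No magic" means the ingress controller is doing exactly the two things the earlier slides describe: it picks a certificate by SNI during the handshake, and it picks a backend by the Host: header once the request is decrypted. The following added example (not from the talk or from any controller's code) models those two decisions over a constructed Ingress-like spec whose shape mirrors spec.tls[] and spec.rules[] of a Kubernetes Ingress. Host names, Secret names and backend names are placeholders; the wildcard rule (a leading "*" covers exactly one DNS label) is the Kubernetes Ingress rule, and applying the same rule to the tls[] hosts and serving a placeholder default certificate when nothing matches are assumptions about controller behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    certificate: str         # TLS Secret presented during the handshake (chosen by SNI)
    backend: Optional[str]   # Service that receives the decrypted request (chosen by Host:)
    sni_host_mismatch: bool  # SNI and Host: named different sites


# Constructed Ingress-like spec; names are placeholders.
INGRESS = {
    "tls": [
        {"hosts": ["app.example.test"], "secretName": "app-tls"},
        {"hosts": ["*.api.example.test"], "secretName": "api-wildcard-tls"},
    ],
    "rules": [
        {"host": "app.example.test", "backend": "app-svc:80"},
        {"host": "*.api.example.test", "backend": "api-svc:8080"},
    ],
}

# Assumption: the controller presents some default certificate when no SNI
# matches (or none is sent). The name is a placeholder.
DEFAULT_CERTIFICATE = "default-placeholder-tls"


def host_matches(pattern, host):
    """Ingress host matching: exact, or a leading '*' covering exactly one
    DNS label. '*.api.example.test' matches 'v1.api.example.test' but not
    'api.example.test' or 'a.b.api.example.test'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                         # ".api.example.test"
    if not host.endswith(suffix):
        return False
    first_label = host[:-len(suffix)]
    return bool(first_label) and "." not in first_label


def select_certificate(spec, sni):
    """Handshake phase: the only name the server has at this point is SNI."""
    if sni is None:
        return DEFAULT_CERTIFICATE
    for entry in spec["tls"]:
        if any(host_matches(h, sni) for h in entry["hosts"]):
            return entry["secretName"]
    return DEFAULT_CERTIFICATE


def select_backend(spec, host_header):
    """Request phase: after decryption the Host: header picks the backend,
    exactly as name-based virtual hosting does for plain HTTP."""
    host = host_header.split(":", 1)[0]          # drop an explicit port
    for rule in spec["rules"]:
        if host_matches(rule["host"], host):
            return rule["backend"]
    return None


def route(spec, sni, host_header):
    """Model both phases of one HTTPS request through an ingress controller."""
    host = host_header.split(":", 1)[0].lower()
    return Decision(
        certificate=select_certificate(spec, sni),
        backend=select_backend(spec, host_header),
        sni_host_mismatch=(sni is None) or (sni.lower() != host),
    )


if __name__ == "__main__":
    print(route(INGRESS, "app.example.test", "app.example.test"))
    print(route(INGRESS, "v1.api.example.test", "v1.api.example.test:443"))
    # Certificate chosen by one name, backend by another: worth logging.
    print(route(INGRESS, "app.example.test", "v1.api.example.test"))
```

The third call is the case worth a detection rule: the client completed the handshake against one site's certificate and then asked for another site's backend. The controller can serve it (the Host: lookup succeeds), so only a check that compares the two names will notice. Note that HTTP/2 connection coalescing can produce this legitimately when one certificate covers both names, so alert on the mismatch rather than block it outright.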
https://kubernetes.github.io/ingress-nginx/how-it-works/
Other Ingress Controllers