tags : Web Authentication, Web Development, Security, Infrastructure, Networking

TLS (HTTPS) is mostly a PKI implementation.

HTTPS

Why HTTPS on static sites?

The case for HTTPS on dynamic sites is obvious, but it is less obvious for static sites; here are a few good reasons. Note that even when using HTTPS, some metadata about the connection is still exposed, such as DNS queries and SNI. Encrypting those is being worked on, but right now they’re often still plaintext.

  • Privacy: encrypting the content protects, to some degree, the privacy of the user and what content they are consuming.
  • It also prevents a MITM from inserting malicious code or modifying the content returned, something that ISPs and Wi-Fi providers can do.

HSTS

HSTS is nothing more than a header sent to the client, telling the client to only use HTTPS.

  • The origin server can set this header, or the load balancer can set it; doesn’t matter.
  • The client can’t tell who set the header, and it also can’t tell whether the request was encrypted by the LB or by the origin server.
  • Prevents HTTPS-to-HTTP downgrade attacks (see moxie0/sslstrip).
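
An added example (not part of the original notes): a small Python model of how a client handles the Strict-Transport-Security header under the RFC 6797 processing rules. The header is ignored over plain HTTP, max-age=0 deletes the stored policy, and includeSubDomains extends it to subdomains. The HSTSStore class and the example.test hosts are constructed for illustration.

```python
import time

class HSTSStore:
    """Minimal model of a client's HSTS store (hypothetical helper, RFC 6797 rules)."""

    def __init__(self):
        self._policies = {}  # host -> (expiry_epoch, include_subdomains)

    @staticmethod
    def parse(value):
        """Return (max_age, include_subdomains), or None if the header is invalid."""
        seen = {}
        for part in value.split(";"):
            name, _, arg = part.strip().partition("=")
            name = name.strip().lower()  # directive names are case-insensitive
            if not name:
                continue
            if name in seen:  # a repeated directive invalidates the whole header
                return None
            seen[name] = arg.strip().strip('"')
        age = seen.get("max-age", "")  # max-age is the one required directive
        if not (age.isascii() and age.isdigit()):
            return None
        return int(age), "includesubdomains" in seen

    def note_response(self, scheme, host, header, now=None):
        """Process one response; the header only counts when it arrived over HTTPS."""
        now = time.time() if now is None else now
        policy = self.parse(header) if scheme == "https" else None
        if policy is None:
            return False
        max_age, subs = policy
        if max_age == 0:
            self._policies.pop(host.lower(), None)  # max-age=0 removes the policy
        else:
            self._policies[host.lower()] = (now + max_age, subs)
        return True

    def must_upgrade(self, host, now=None):
        """True if an http:// request to host must be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            # An exact match always applies; a parent only if it set includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

The first visit is the weak point this model makes visible: until a valid header has been seen over HTTPS, must_upgrade() returns False and a plain-HTTP request can still be intercepted.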

History

  • SSL was defined by Netscape Communications so they could add HTTPS to Netscape Navigator in 1994.
  • They adopted the existing work on X.509 certificates to communicate identity, together with a public key that can be used in cryptography.

CA

What?

  • When a CA issues you a certificate for a given domain, anyone who trusts that CA will automatically trust the SSL traffic you encrypt using that certificate.
  • CAs are responsible for verifying that you actually own a domain.
  • Operating systems/browsers ship with the public keys of some trusted CAs.

mTLS

Self Signed Certificates

Meta

  • On a Debian-based system you’d put a custom CA file in /usr/local/share/ca-certificates/ and then run update-ca-certificates.
  • In NixOS, this is stored in one file, /etc/ssl/certs/ca-certificates.crt, and can be managed using security.pki.certificates and security.pki.certificateFiles.

mkcert

  • We add the root CA, and we’ll be using the rootCA.pem to sign all the random self-signed certificates we generate.
  • The rootCA.pem is added automatically into the system and browser trust stores on mkcert -install, hence the self-signed certificates we generate are trusted.

caddy

  • See Web Server
  • Caddy’s default build doesn’t contain DNS challenges, only HTTP challenges.

Resources

Good