One of the things that has surprised me about k8s and the CNCF projects is the love for authentication using mutual-auth TLS. Google ALTS seems to be common inspiration. I can't find many papers/blogs on why request auth is better than channel auth. Anyone have pointers?
Replying to @pzb
David Murray Retweeted Colm MacCárthaigh
https://mobile.twitter.com/colmmacc/status/1057017343438540801 is the most comprehensive write-up I’ve seen on the topic
David Murray added,
Colm MacCárthaigh @colmmacc: Ok. tweet thread time! Too long ago I promised to write a screed explaining how much I hated mutual-auth TLS and why. I got distracted, and I wasn't happy with the writing, so here it is in tweet thread form instead! But basically: Client certs and Mutual-Auth TLS is TERRIBAD.
I am not sure I get (or don't agree with) some of his arguments - like just because you can send a SQL injection over an authenticated channel, somehow that is the authentication mechanism's fault? I can send an SQL injection over a channel with basic auth too.
I *think* the idea is that if you were to auth each statement instead of the channel, any injected statements would be unauthenticated? e.g. AS admin:hunter2 INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students; --');
I screwed up my SQL point. What I was thinking of is a truncation attack. Alice sends "DELETE FROM foo WHERE ... " but a MITM can truncate just before the WHERE and then trigger an EOF. Works over TLS if the attacker can align the records. Request auth is better.
How is request auth here better? (I'm assuming by "request auth" you mean a bearer token.) Suffers from the same truncation attack. If you are referring to fully authenticated messages, agreed they have a number of benefits; I'm not certain why they're so thinly deployed.
I definitely do not mean a bearer token. Check out our SIGv4 algorithm; https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
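The truncation scenario and the SIGv4 pointer above, as an added example that is not part of the thread or of AWS's code: a channel that MACs each record independently still accepts a message whose trailing records were dropped, while a SigV4-style request signature (simplified here, not the real algorithm) binds a hash of the whole body and rejects the cut. The shared secret, the sample statement and the 16-byte record size are constructed.

```python
"""Channel auth vs. request auth under a truncation attack (constructed example)."""
from __future__ import annotations
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # assumption: both endpoints hold this key


def channel_records(message: bytes, record_size: int = 16) -> list[tuple[bytes, bytes]]:
    """Model a channel that authenticates each record on its own (as a TLS
    record layer does): every chunk carries a MAC, but nothing binds the
    chunks together into one complete request."""
    chunks = [message[i:i + record_size] for i in range(0, len(message), record_size)]
    return [(c, hmac.new(SECRET, c, hashlib.sha256).digest()) for c in chunks]


def channel_receive(records: list[tuple[bytes, bytes]]) -> bytes | None:
    """Accept every record whose MAC verifies and reassemble them. The receiver
    cannot tell that the sender intended further records before EOF."""
    out = b""
    for chunk, tag in records:
        if not hmac.compare_digest(tag, hmac.new(SECRET, chunk, hashlib.sha256).digest()):
            return None
        out += chunk
    return out


def sign_request(method: str, path: str, body: bytes) -> str:
    """SigV4-style request signature (simplified): the canonical string covers
    the method, the path and a SHA-256 of the entire body."""
    canonical = f"{method}\n{path}\n{hashlib.sha256(body).hexdigest()}".encode()
    return hmac.new(SECRET, canonical, hashlib.sha256).hexdigest()


def verify_request(method: str, path: str, body: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_request(method, path, body), signature)


STATEMENT = b"DELETE FROM foo WHERE id = 42;"  # constructed sample request


def truncation_on_channel() -> bytes | None:
    """Drop everything after the first record: the surviving MAC still verifies,
    so the receiver accepts a statement with its WHERE clause removed."""
    return channel_receive(channel_records(STATEMENT)[:1])  # b"DELETE FROM foo "


def truncation_on_request() -> bool:
    """Same cut against a request-signed body: the body hash no longer matches."""
    sig = sign_request("POST", "/query", STATEMENT)
    return verify_request("POST", "/query", STATEMENT[:16], sig)
```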
I'm familiar with SIGv4. Am I wrong, is "request auth" a well-defined term of art? I'm not confident everyone means the same thing by the term.
While your complaints about TLS are well founded (mea maxima culpa) the broader design questions of channel auth vs. request auth are not clear to me.