Hacker News
by exabrial 2515 days ago
Site is having issues atm... but I'll throw something out there I'd really like to see.

We encrypt 100% of our machine-to-machine traffic at the TCP level. There's a lot of shuffling of certs around to get some webapp to talk to postgres, then have that webapp serve https to haproxy, etc.

It'd be awesome if there was a way your cloud servers could just talk to each other using WireGuard by default. We looked at setting it up, but it'd need to be automated somehow for anything above a handful of systems :/

4 comments
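The automation the post is asking for, as an added example that is not from the thread or any of its commenters: a Python script that takes a small host inventory and emits a full-mesh WireGuard configuration for every host. Everything in the inventory (the host names, the 10.100.0.0/24 overlay, the 203.0.113.x endpoints) and every key it generates is constructed for the demo and not a real deployment or secret. Public keys are derived with a small RFC 7748 X25519 ladder so the example runs offline; on a real box you would use `wg genkey`, `wg pubkey` and `wg genpsk` instead.

```python
"""Full-mesh WireGuard config generator (added example, not from the thread).

Assumptions, all constructed for the demo: host names, the 10.100.0.0/24
overlay, the 203.0.113.x endpoints and every key produced by genkey().
"""
import base64
import secrets

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, per RFC 7748


def x25519(k: bytes, u: bytes = bytes([9]) + bytes(31)) -> bytes:
    """RFC 7748 Montgomery ladder (not constant-time; demo only).
    With the default u (the base point) this is exactly `wg pubkey`."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def genkey() -> str:
    """32 random bytes, base64: the format of `wg genkey` and `wg genpsk`."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def pubkey(private_b64: str) -> str:
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()


# Constructed inventory: name -> (overlay address, public endpoint)
INVENTORY = {
    "web-1": ("10.100.0.1/24", "203.0.113.10:51820"),
    "haproxy-1": ("10.100.0.2/24", "203.0.113.11:51820"),
    "postgres-1": ("10.100.0.3/24", "203.0.113.12:51820"),
}


def build_mesh(inventory, keys, psks):
    """Per-host config as dicts. AllowedIPs is the peer's /32 only, so
    WireGuard's cryptokey routing accepts packets for that address solely
    from that peer's key; the PSK is looked up by unordered pair so both
    ends of a tunnel get the same value."""
    mesh = {}
    for name, (addr, endpoint) in inventory.items():
        peers = []
        for peer, (peer_addr, peer_endpoint) in inventory.items():
            if peer == name:
                continue
            peers.append({
                "name": peer,
                "PublicKey": pubkey(keys[peer]),
                "PresharedKey": psks[frozenset((name, peer))],
                "AllowedIPs": peer_addr.split("/")[0] + "/32",
                "Endpoint": peer_endpoint,
                "PersistentKeepalive": 25,
            })
        mesh[name] = {"Address": addr, "ListenPort": int(endpoint.rsplit(":", 1)[1]),
                      "PrivateKey": keys[name], "peers": peers}
    return mesh


def render(cfg) -> str:
    """wg-quick style file; contains only this host's own private key."""
    lines = ["[Interface]"] + [f"{k} = {cfg[k]}" for k in ("Address", "ListenPort", "PrivateKey")]
    for p in cfg["peers"]:
        lines += ["", f"# {p['name']}", "[Peer]"] + [f"{k} = {v}" for k, v in p.items() if k != "name"]
    return "\n".join(lines) + "\n"


def provision(inventory):
    """Generate one private key per host and one PSK per unordered pair."""
    keys = {n: genkey() for n in inventory}
    names = list(inventory)
    psks = {frozenset((a, b)): genkey() for i, a in enumerate(names) for b in names[i + 1:]}
    return keys, build_mesh(inventory, keys, psks)


if __name__ == "__main__":
    _, mesh = provision(INVENTORY)
    for host, cfg in mesh.items():
        print(f"### /etc/wireguard/wg0.conf on {host}\n{render(cfg)}")
```

Adding a host means adding one inventory line and re-running; a configuration management tool would then ship each rendered file to its host only. The two things worth checking in the output are that every peer's AllowedIPs is a single /32 (a host that claims another host's overlay address is dropped by the kernel) and that no file carries a private key other than its own.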

How about MACsec? Supported by Linux as well as various router vendors. https://nextheader.net/2016/10/14/macsec-on-linux/

> just talk to each other using WireGuard by default

I don't understand why you'd want to do this?

I use WireGuard to join machines on disparate networks into one.

However to do it inside the same VPC, I just don't get. If you don't trust your VPC surely you need to be moving off the cloud?

I agree with your viewpoint but I'm also aware of several security standards that explicitly specify all traffic between hosts needs to be encrypted. Sometimes it's easier to meet the standard verbatim than try and justify an exception. If you already use a configuration management tool it shouldn't be a lot more overhead to install some certificates.

If you think about these things like physical networks, you can do things like run an interface in promiscuous mode and sniff traffic.

Further, leaving your VM, you hit a shared NIC and network cables, so you start to worry about physical layer attacks.

Amazon specifically states they handle these issues, and indeed they likely do, but how do you know? If you're able to easily encrypt by using something like Istio, then why not?

More specifically:

"Packet sniffing by other tenants: It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. This includes two virtual instances that are owned by the same customer, even if they are located on the same physical host. Attacks such as ARP cache poisoning do not work within EC2. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another's data, as a standard practice customers should encrypt sensitive traffic."


How does opportunistic encryption prevent a MITM from forcing the session into unencrypted mode when it's established?

It doesn't, but that's not the point of it. It's to prevent passive spying, like opportunistic TLS for SMTP.

I merely pointed it out because the OP was talking about encryption done at the TCP layer. :)

This still has the same problems as distributing certs and setting everything up :/ I was looking for something that "encrypts literally everything" when it goes out to another machine in the cloud.

At the end of the day, there needs to be a trust root.