Hacker News new | ask | show | jobs
by Alupis 762 days ago
Can you elaborate for those of us who aren't up to speed on the TLS + HTTP/3 situation? Is there a problem somewhere?

Also - are people still doing TLS in their app directly? Modern setups often terminate TLS at the gateway/edge/ingress instead of at the app level. If you use something like k8s, you can even do m2m TLS within your cluster via sidecars - with your app knowing absolutely nothing about TLS.
2 comments
tsimionescu 762 days ago
As defense in depth becomes more and more important, in-app TLS is becoming more, not less common. Especially as Zero Trust Network Access (ZTNA) is being mandated by the US federal government for contracts, the idea that you would terminate TLS at the edge and send unencrypted network traffic inside the server network is becoming a thing of the past.

This remains true even inside of a Kubernetes cluster. You shouldn't trust the network there any more than you should trust your enterprise network. I'm less sure about the implications of sending unencrypted traffic between a container and its sidecar, but certainly pods should be talking to each other over TLS.

link
arianvanp 762 days ago
The sidecar and the main container run in the same network namespace. They can reach eachother over the loopback interface. It's "safe".

However I'm also of the opinion you should just be mounting tls certs in your container and use your TLS stack of whatever language you're using directly instead. It's a lot simpler

link
Alupis 762 days ago
> but certainly pods should be talking to each other over TLS

They do under that scheme. TLS is terminated at the gateway, but k8s/sidecars handle m2m TLS. This provides some advantages for automating short-lived certs, makes deployments more simple, etc and helps your pods remain unaware they are pods (kind of the holy grail of "cloud").

A lot of your edge/serverless stuff will be similar from my understanding.

link
apantel 762 days ago
How about on one machine internally, for example, using NGINX to handle HTTPS then doing an HTTP proxy pass to another process on localhost?
link
tsimionescu 762 days ago
It's up to you how much you trust the traffic on that machine and how you've set up access rights etc. In principle, a process with the right capabilities could snoop on the unencrypted traffic but might not be able to snoop on encrypted traffic. However, given how common local privilege escalations bugs are, if an attacker process is running on the same system, you have probably already lost (especially one that has enough privileges to capture network traffic).
link
exabrial 762 days ago
QUIC has no unencrypted mode as one of its more controversial decisions, and nobody has braved the backlash to propose it despite obvious use cases.
link