Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Life of a Safe Gopher

Carlisia Campos
November 18, 2017
Technology
3
270

The Life of a Safe Gopher

This talk delves into the details of what a certificate is so we can have a better understanding of how certificates play a role in a TLS connection. At the end I demo how to generate a certificate and install it on a simple Go web server.

Sample code: https://gist.github.com/carlisia/c40d9a4f2003140f8d97dd6c56e5420b

Carlisia Campos

November 18, 2017
Tweet

More Decks by Carlisia Campos

See All by Carlisia Campos
Plan to Fail: A good Captain Doesn’t Sail Without Life Rafts
carlisia
1
55
Why are your Developers Looking at Kubernetes Behind your Back
carlisia
1
110
FullStack Meetup - Go: The language, the purpose, the eco-system, and the community
carlisia
1
260
GoBridge and the Go Community: Initiatives and Opportunities
carlisia
1
260
You Found Love in a Gopher Face. Now What?
carlisia
2
370
Let’s Make The Go Remote Meetup Awesome!
carlisia
2
190

Other Decks in Technology

See All in Technology
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
370
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
110
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
Terraform Stacks入門 #HashiTalks
msato
0
350
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
120
フルカイテン株式会社 採用資料
fullkaiten
0
40k

Featured

See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Done Done
chrislema
181
16k
Designing Experiences People Love
moore
138
23k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Typedesign – Prime Four
hannesfritz
40
2.4k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k

Transcript

  1. THE LIFE OF A SAFE GOPHER TLS, CERTIFICATES, AND SECURE

    GO APPS CARLISIA PINTO GO DEVELOPER @ FASTLY CO-HOST OF @GOTIMEFM

  2. AGENDA ▸ Information security ▸ TLS and certificates ▸ Demo

  3. BENEFITS OF
 SECURITY

  4. None

  5. SECURITY PRINCIPLES

  6. CONFIDENTIALITY INFORMATION IS NOT MADE AVAILABLE TO UNAUTHORIZED ENTITIES.

  7. INTEGRITY INFORMATION IS ACCURATE AND COMPLETE FROM ORIGIN UNTIL DESTINATION.

  8. AVAILABILITY INFORMATION IS AVAILABLE WHEN IT IS NEEDED.

  9. NON-REPUDIATION EFFORT TO VALIDATE THAT AN INTENDED RECIPIENT CAN'T DENY

    HAVING RECEIVED THE INFORMATION, AND TO VALIDATE THAT THE SENDER CAN'T DENY HAVING SENT THE INFORMATION.

  10. TLS - FTW

  11. TLS PROPERTIES ▸ Confidentiality ▸ Integrity ▸ Non-repudiation ▸ Certificates

  12. TLS CONNECTIONS HTTP • SMTP • IMAP • POP •

    SIP • XMPP

  13. NETWORK STACK

  14. TLS HANDSHAKE

  15. TLS SESSION

  16. HANDSHAKE OVERVIEW

  17. None

  18. TLS CERTIFICATE ▸ Binds a public key and an identity

    (DNS) ▸ Authenticates a connection ▸ Signed by a certificate authority
  19. None
  20. None
  21. None

  22. CERTIFICATE AUTHORITY (CA) ▸ Entity recognized as trustworthy ▸ Allowed

    to issue certificates ▸ Root CA is a (different) thing
  23. None

  24. ROOT CA ▸ Top-most certificate of a certificate chain ▸

    Confers trust: certificates inherit the same trust
  25. None

  26. CERTIFICATE STORE ▸ Exists in clients (ex: operating systems and

    web browsers) ▸ Used to validate identity

  27. DEMO

  28. GENERATE A CERTIFICATE 1. Create host key This will generate

    an RSA private/public key pair: `ssh-keygen -f example.com.key` 2. Generate a CSR (Certificate Signing Request) Using the host key created above, create the CSR `openssl req -new -key example.com.key -out example.com.csr` 3. Create a certificate (self-signed) `openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt`

  29. INSTALL CERT ON THE SERVER Sample code: https://gist.github.com/carlisia/ c40d9a4f2003140f8d97dd6c56e5 420b

  30. BOOT UP THE SERVER 1. Build the program - `go

    build main.go` 2. Change permissions of the binary - `sudo chown root main` - `sudo chmod +s main` 3. Run the program - `./main` 1. Access the page - https://localhost/topconferences

  31. RESULT ‣ The client will inform that the cert has

    not be signed by a recognized authority ‣ Makes sense since ours is a self- signed cert ‣ But it still is a TLS connection

  32. RESULT

  33. TROUBLESHOOTING Troubleshoot a SSL cert installation (public hostnames only) https://www.sslshopper.com/ssl-checker.html

    https://www.ssllabs.com/ssltest/analyze.html Test how a browser implements SSL https://www.ssllabs.com/ssltest/viewMyClient.html Types of potential certificate failures, with examples https://badssl.com