Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Life of a Safe Gopher

Carlisia Campos
November 18, 2017
Technology
3
250

The Life of a Safe Gopher

This talk delves into the details of what a certificate is so we can have a better understanding of how certificates play a role in a TLS connection. At the end I demo how to generate a certificate and install it on a simple Go web server.

Sample code: https://gist.github.com/carlisia/c40d9a4f2003140f8d97dd6c56e5420b

Carlisia Campos

November 18, 2017
Tweet

More Decks by Carlisia Campos

See All by Carlisia Campos
Plan to Fail: A good Captain Doesn’t Sail Without Life Rafts
carlisia
1
51
Why are your Developers Looking at Kubernetes Behind your Back
carlisia
1
94
FullStack Meetup - Go: The language, the purpose, the eco-system, and the community
carlisia
1
240
GoBridge and the Go Community: Initiatives and Opportunities
carlisia
1
250
You Found Love in a Gopher Face. Now What?
carlisia
2
350
Let’s Make The Go Remote Meetup Awesome!
carlisia
2
190

Other Decks in Technology

See All in Technology
私が trocco を推す理由
__allllllllez__
1
200
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
440
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
オーナーシップを持つ領域を明確にする
konifar
13
3.1k
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
130
Cracking the KubeCon CfP
inductor
2
220
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
200
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
600
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
180
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
How STYLIGHT went responsive
nonsquared
92
4.8k
Documentation Writing (for coders)
carmenintech
60
3.9k
Statistics for Hackers
jakevdp
789
220k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Music & Morning Musume
bryan
41
5.6k
The Art of Programming - Codeland 2020
erikaheidi
42
12k
Happy Clients
brianwarren
92
6.4k
A Tale of Four Properties
chriscoyier
151
22k
Embracing the Ebb and Flow
colly
80
4.1k

Transcript

  1. THE LIFE OF A SAFE GOPHER TLS, CERTIFICATES, AND SECURE

    GO APPS CARLISIA PINTO GO DEVELOPER @ FASTLY CO-HOST OF @GOTIMEFM

  2. AGENDA ▸ Information security ▸ TLS and certificates ▸ Demo

  3. BENEFITS OF
 SECURITY

  4. None

  5. SECURITY PRINCIPLES

  6. CONFIDENTIALITY INFORMATION IS NOT MADE AVAILABLE TO UNAUTHORIZED ENTITIES.

  7. INTEGRITY INFORMATION IS ACCURATE AND COMPLETE FROM ORIGIN UNTIL DESTINATION.

  8. AVAILABILITY INFORMATION IS AVAILABLE WHEN IT IS NEEDED.

  9. NON-REPUDIATION EFFORT TO VALIDATE THAT AN INTENDED RECIPIENT CAN'T DENY

    HAVING RECEIVED THE INFORMATION, AND TO VALIDATE THAT THE SENDER CAN'T DENY HAVING SENT THE INFORMATION.

  10. TLS - FTW

  11. TLS PROPERTIES ▸ Confidentiality ▸ Integrity ▸ Non-repudiation ▸ Certificates

  12. TLS CONNECTIONS HTTP • SMTP • IMAP • POP •

    SIP • XMPP

  13. NETWORK STACK

  14. TLS HANDSHAKE

  15. TLS SESSION

  16. HANDSHAKE OVERVIEW

  17. None

  18. TLS CERTIFICATE ▸ Binds a public key and an identity

    (DNS) ▸ Authenticates a connection ▸ Signed by a certificate authority
  19. None
  20. None
  21. None

  22. CERTIFICATE AUTHORITY (CA) ▸ Entity recognized as trustworthy ▸ Allowed

    to issue certificates ▸ Root CA is a (different) thing
  23. None

  24. ROOT CA ▸ Top-most certificate of a certificate chain ▸

    Confers trust: certificates inherit the same trust
  25. None

  26. CERTIFICATE STORE ▸ Exists in clients (ex: operating systems and

    web browsers) ▸ Used to validate identity

  27. DEMO

  28. GENERATE A CERTIFICATE 1. Create host key This will generate

    an RSA private/public key pair: `ssh-keygen -f example.com.key` 2. Generate a CSR (Certificate Signing Request) Using the host key created above, create the CSR `openssl req -new -key example.com.key -out example.com.csr` 3. Create a certificate (self-signed) `openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt`

  29. INSTALL CERT ON THE SERVER Sample code: https://gist.github.com/carlisia/ c40d9a4f2003140f8d97dd6c56e5 420b

  30. BOOT UP THE SERVER 1. Build the program - `go

    build main.go` 2. Change permissions of the binary - `sudo chown root main` - `sudo chmod +s main` 3. Run the program - `./main` 1. Access the page - https://localhost/topconferences

  31. RESULT ‣ The client will inform that the cert has

    not be signed by a recognized authority ‣ Makes sense since ours is a self- signed cert ‣ But it still is a TLS connection

  32. RESULT

  33. TROUBLESHOOTING Troubleshoot a SSL cert installation (public hostnames only) https://www.sslshopper.com/ssl-checker.html

    https://www.ssllabs.com/ssltest/analyze.html Test how a browser implements SSL https://www.ssllabs.com/ssltest/viewMyClient.html Types of potential certificate failures, with examples https://badssl.com