The Cloudflare mTLS vulnerability - A Deep Dive Analysis
- added 7 June 2024
- Cloudflare released a blog post detailing a vulnerability that had been in their system for nearly two years. It is related to mTLS, or mutual TLS, and specifically to client certificate revocation. I explore this in detail.
0:00 Intro
3:00 The Vulnerability
7:00 What happened?
8:50 Certificate Revocation
12:30 Rejecting certain endpoints
17:00 Certificate Authentication
20:30 Certificate serial number
24:00 Session Resumption (PSK)
35:00 The bug
37:00 How they addressed the problem
blog.cloudflare.com/mtls-clie...
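The chapter list above points at the interaction the video walks through: revocation is keyed by the client certificate's serial number (together with its issuer, since serials are only unique per CA), while a resumed session (PSK) does not re-present the client certificate, so whatever decision the server took at full-handshake time is all it has unless it deliberately re-checks. The toy model below is an added example written for this page, not Cloudflare's code or the blog post's; it assumes, purely for illustration, a server that caches the full-handshake result in a session ticket, and shows the difference between a server that re-checks revocation on resumption and one that does not. All class and function names are hypothetical.

```python
"""Toy model: mTLS client-certificate revocation versus TLS session resumption.

Added example, not Cloudflare's implementation. Revocation is keyed by
(issuer, serial) because serial numbers are unique only within one CA.
A full handshake presents the certificate, so revocation can be checked
there. A resumed (PSK) session does not re-present it, so the server must
remember which certificate the ticket was issued for and re-check that
identity against the *current* revocation list on every resumption.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class ClientCert:
    issuer: str
    serial: int
    subject: str

    @property
    def revocation_key(self):
        # Revocation lookups use issuer + serial, never serial alone.
        return (self.issuer, self.serial)


@dataclass
class Server:
    revoked: set = field(default_factory=set)       # {(issuer, serial), ...}
    tickets: dict = field(default_factory=dict)     # ticket -> (issuer, serial)
    recheck_on_resume: bool = True                  # False models the hazard

    def full_handshake(self, cert):
        """Full mTLS handshake: check revocation, then issue a PSK ticket.

        Returns (accepted, ticket). The ticket is bound to the certificate
        identity that was authenticated, so resumption can be re-validated.
        """
        if cert.revocation_key in self.revoked:
            return False, None
        ticket = secrets.token_hex(16)
        self.tickets[ticket] = cert.revocation_key
        return True, ticket

    def resume(self, ticket):
        """PSK resumption: no certificate is sent, only the ticket.

        The hardened path re-checks the remembered identity against the
        current revocation list; the hazardous path trusts the old decision.
        """
        key = self.tickets.get(ticket)
        if key is None:
            return False                            # unknown or consumed ticket
        if self.recheck_on_resume and key in self.revoked:
            del self.tickets[ticket]                # burn the ticket, force a full handshake
            return False
        return True

    def revoke(self, cert):
        self.revoked.add(cert.revocation_key)


def scenario(recheck_on_resume):
    """Client authenticates, its cert is revoked, then it tries to come back.

    Returns a dict of outcomes so the two server behaviours can be compared.
    """
    srv = Server(recheck_on_resume=recheck_on_resume)
    cert = ClientCert(issuer="Example Device CA", serial=0x1A2B, subject="device-42")

    initial_ok, ticket = srv.full_handshake(cert)   # accepted, ticket issued
    srv.revoke(cert)                                # operator revokes the cert
    resumed_ok = srv.resume(ticket)                 # client resumes with the old ticket
    fresh_ok, _ = srv.full_handshake(cert)          # client tries a full handshake

    return {
        "initial": initial_ok,
        "resumed_after_revocation": resumed_ok,
        "full_handshake_after_revocation": fresh_ok,
    }


if __name__ == "__main__":
    print("no re-check on resume:", scenario(recheck_on_resume=False))
    print("re-check on resume:   ", scenario(recheck_on_resume=True))
```

With `recheck_on_resume=False` the revoked client is rejected on a full handshake but still accepted when it resumes, which is exactly the gap that a ticket lifetime of hours or days turns into a long-lived bypass. The fix in this model is to bind the ticket to the authenticated identity and consult the current revocation list on every resumption; the alternatives a practitioner would weigh are short ticket lifetimes or disabling resumption entirely for mTLS listeners.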
Fundamentals of Backend Engineering Design patterns udemy course (link redirects to udemy with coupon)
backend.husseinnasser.com
Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)
network.husseinnasser.com
Fundamentals of Database Engineering udemy course (link redirects to udemy with coupon)
database.husseinnasser.com
Follow me on Medium
/ membership
Introduction to NGINX (link redirects to udemy with coupon)
nginx.husseinnasser.com
Python on the Backend (link redirects to udemy with coupon)
python.husseinnasser.com
Become a Member on CZcams
/ @hnasr
Buy me a coffee if you liked this
www.buymeacoffee.com/hnasr
Arabic Software Engineering Channel
/ @husseinnasser
🔥 Members Only Content
• Members-only videos
🏭 Backend Engineering Videos in Order
backend.husseinnasser.com
💾 Database Engineering Videos
• Database Engineering
🎙️Listen to the Backend Engineering Podcast
husseinnasser.com/podcast
Gears and tools used on the Channel (affiliates)
🖼️ Slides and Thumbnail Design
Canva
partner.canva.com/c/2766475/6...
Stay Awesome,
Hussein - Science & Technology
Hussein Bro, your dedication to sharing valuable knowledge and insights on your channel is truly remarkable - you are a vast ocean of knowledge and an inspiration to many! Love you bro...
True ❤
It's great that Cloudflare wasn't able to detect any exploitation when they found this vulnerability. Makes you think, with the mass layoffs that are currently happening in big tech, what are the possibilities that an engineer whose responsibility it was to find things like this didn't have the opportunity to?
The cost of visiting a disneyland is out of hand. Even if you arrive at the gate before the park opens, it can take 1 800 000ms just to verify your certificate
Interesting! Thank you so much, Hussein!
Viscerally easy to imagine the original design conversation at Cloudflare between the Product Manager and the Security Engineer:
Product Manager: Wah, wahh, wahh, wahh, ... customer demands feature ... wah, wah, wahhhh, wah, wah.
Security Engineer: But, but ... mTLS doesn't work like that!
Product manager:
Can you please make a detailed video about how ZeroTier exactly works, how UDP hole punching, SD-WAN and VPN all work together in ZeroTier? I didn't find any detailed video explaining the architecture behind it. Thanks
I thought I understood this, but I can’t figure out how the vulnerability works on the most basic level.
I suppose I just am missing some crucial detail here, which causes the confusion. But based on the video I understood that checking the validity of the certificate was not the responsibility of this edge service: passing it forward in the HTTP header was.
If the certificate was expected to be checked before, that would mean one couldn't handle it with a firewall rule, as this header was meant to be used by the firewall. So I ruled that out, as it would defeat the whole point of the system.
If the check is done after this point, I can't see why an empty header would be evaluated as if it were a valid client certificate.
As I understood it, the intended behaviour would have been the exact same, except the header would contain an invalid certificate instead of nothing. Which is why I don’t see the explained step, even when working correctly, checking anything at all.
"That Root certificate is self-signed because who God is going to assign certificates now?" LMAO
10:13 LOOL sure you aren’t ;)