

The Cloudflare mTLS vulnerability - A Deep Dive Analysis
Apr 6, 2023
Chapters
Introduction
00:00 • 3min
Cloudflare's mTLS Client Certificate Revocation Vulnerability With TLS Session Resumption
02:57 • 4min
Cloudflare Discovered a Vulnerability That Prevented Some Users With Revoked Certificates From Resuming a Session via Mutual TLS
06:51 • 3min
How to Revoke a Client Certificate
09:38 • 3min
Cloudflare's Certificate Rejection Check
12:42 • 2min
How to Use Client Certificates to Authenticate Users
14:17 • 4min
Cloudflare Dashboard: How to Revoke a Client Certificate
17:49 • 3min
How to Trust Root Certificates
20:29 • 2min
The Difference Between the Serial Number and the Public Key
22:31 • 2min
TLS Session Resumption
24:59 • 2min
TLS Session Resumption and Legoland
27:17 • 2min
The Stateless Way to Encrypt a Session
29:45 • 3min
How to Decrypt a Session Ticket
32:16 • 2min
The Importance of Session Resumption
34:22 • 3min
How to Safely Re-Enable Resumption for mTLS
37:29 • 2min
Cloudflare's Fix for Session Resumption
39:48 • 3min
Cloudflare's Fix for Session Resumption and Revocation
42:32 • 2min