Developing with
HTTPS in Containers

by Rob Richardson

  @rob_rich

https://robrich.org/

About Me

Rob Richardson is a software craftsman building web properties in ASP.NET and Node, React and Vue. He's a frequent speaker at conferences, user groups, and community events, and a diligent teacher and student of high quality software development. You can find this and other talks on https://robrich.org/presentations and follow him on twitter at @rob_rich.

Developing with HTTPS in Containers

Agenda

• Why certificates?
• What's in a certificate?
• How does ASP.NET do https "In the box"?
• How does this work in Docker?
• What can we do to fix it?
• You give me 5 stars on Yelp

Why Certificates?

Why Certificates?

Because Troy told me to.

TL;DR: this is a great reason

Why Certificates?

• Encrypt the message
• Validate the authenticity of the message

Encrypt the Message: Firesheep

A Firefox extension

Spied on open wifi networks

Stole session cookies

Then login as them

Encrypt the Message: Pineapple

A small wifi device

Listen for authentication requests

Answer "Yes, I'm that wifi"

Then proxy traffic to the real server

Encrypt the Message

Certificates create an encryped tunnel
between the user and the web server

People in the middle
can't see the contents of the message

Man in the Middle

Man in the Middle

Man in the Middle

Vaidate the Authenticity

Vaidate the Authenticity

Vaidate the Authenticity

Vaidate the Authenticity

Certificates

• Trust chain
• Thumbprint
• Subject (domain and location)
• Subject Alternate Names
• Not before (start date)
• Not after (expiration date)

What can go wrong?

• Expired certificate
• Insecure algorithm
• Untrusted / broken trust chain

https://badssl.com/ is a great sandbox of cert failures