
26) Mutual Transport Layer Security (mTLS or 2 way SSL)

Coding With The Force edited this page Jun 7, 2023 · 6 revisions

mTLS in relevance to the CTA Board

I don't believe this is ever something that you absolutely must call out in your system diagram; however, it won't hurt, and you should be prepared for the possibility that a judge asks you about mTLS, so it's good to know what it is and when to use it.

What is mTLS?

mTLS is a mechanism by which both the client application AND the server verify each other's identity (each side presents a certificate that the other side validates) and confirm they are supposed to be communicating with each other, instead of just the client verifying that it knows the server.

When to use mTLS?

mTLS should be suggested/used when you are doing a server-to-server integration (a non-browser-based integration) and with IoT devices. Typically you will implement this when you are using a JWT flow in your system landscape.

It's important to note that platform events (and CDC) don't support mutual authentication. This is by design and will not be altered. You can view that here.

If encryption in transit is specifically called out (for both server and client), you should consider suggesting this.

What does mTLS prevent?

mTLS prevents the following (typically):

  1. On-path attacks that attempt to intercept packets/traffic between systems. Because the communication between both systems is encrypted under mTLS, the attacker could not decrypt the information even if they captured it.

  2. Spoofing attacks that try to imitate a client application. A fake application could not pass itself off as the real one, because it would not be able to verify itself with the server.

  3. Credential stuffing (trying to use a username and password to authenticate to the server) won't work, because the attacker couldn't prove (via a certificate) that it is who it claims to be.
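The following is an added, self-contained example (not code from this wiki or from Salesforce) that shows the two halves of the definition above and points 2 and 3 of the list in working code: the client verifies the server exactly as in one-way TLS, and the server additionally requires a certificate issued by a trusted CA before it will talk to the client at all. It uses only the Go standard library and constructs a throwaway root CA, a server certificate and a client certificate in memory. The names "Demo Root CA", "server.example.test" and "integration-client", the functions issueCert and MutualTLSDemo, and the loopback test server are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert builds a short-lived ECDSA certificate for cn. With parent == nil it is
// self-signed (our throwaway root CA); otherwise it is signed by parent's key.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing else in this demo can work either
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the demo server listens on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("certificate issuance failed")
	}
	return cert, key
}

// MutualTLSDemo starts an HTTPS server that requires a client certificate issued by
// the demo CA, then calls it twice: with a valid client certificate and with none.
// It returns the server's greeting for the first call and whether the second was accepted.
func MutualTLSDemo() (greeting string, anonymousAccepted bool, err error) {
	ca, caKey := issueCert("Demo Root CA", true, nil, nil)
	srvCert, srvKey := issueCert("server.example.test", false, ca, caKey)
	cliCert, cliKey := issueCert("integration-client", false, ca, caKey)
	pool := x509.NewCertPool() // the single trust anchor both sides share
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handshake already verified the client's chain, so the handler can treat the
		// certificate subject as the caller's identity (no password or token needed).
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes TLS "mutual"
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()

	newClient := func(cert *tls.Certificate) *http.Client {
		cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12} // verify the server, as in one-way TLS
		if cert != nil {
			cfg.Certificates = []tls.Certificate{*cert} // and additionally prove who the client is
		}
		return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	}
	pair := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	resp, err := newClient(&pair).Get(srv.URL)
	if err != nil {
		return "", false, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return "", false, err
	}
	// A caller that cannot present a CA-issued certificate is rejected at the handshake,
	// whatever else it knows (a stolen password, a replayed request, a spoofed hostname).
	if resp2, err2 := newClient(nil).Get(srv.URL); err2 == nil {
		resp2.Body.Close()
		anonymousAccepted = true
	}
	return string(body), anonymousAccepted, nil
}
```

The line to remember for the board is ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs: with those two settings the server refuses the connection before any application data (or any username/password) is exchanged, which is why the second request in the demo fails while the first returns "hello integration-client". Leaving ClientAuth at its default turns this back into ordinary one-way TLS, where only the client checks the server.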
