DAY 1 15:00-15:20
Managing SSL certificates in a secure and reliable system
Security
HTTPS is a protocol that delivers the conventional, non-secure HTTP protocol over an encrypted SSL/TLS connection. This protocol, which now underpins internet services, is growing rapidly. All services LINE provides have long supported HTTPS to protect user traffic. However, the process for using SSL certificates was somewhat complicated and not sufficiently secure. We realized that we needed to find a more secure way to manage SSL certificates. This session explains the problems that arise when certificates are not managed properly and how to manage SSL certificates effectively so that incidents do not occur. We also describe the efforts we have made so that teams and developers within LINE can provide security more easily. Finally, we talk about how Voyager, our in-house SSL certificate management system, is evolving, touching on LINE's development culture.
SSL/TLS certificate administrators. Service developers who use SSL certificates.

Hwee-jae Yoo
Security Engineer, LINE Infra Protection 1 Team
I mainly work on TLS certificates and Kubernetes (k8s) security. I am interested in building the tools we need and automating repetitive tasks. My main development languages are C and Python. I enjoy learning new skills and building things that are useful in everyday life. Incidentally, my wife is beautiful.

Noh Seung-Heun
Service Reliability Engineer, LINE Plus Service Engineering
I handle LINE user traffic (as binary). I collaborate with the development and service organizations involved with user traffic. To provide LINE users with better network quality, I also continue to work with external carriers and global content delivery platform operators.
Q&A
Terry Prateepavanich 15:18 Nov 25
How does each system on a different domain get reverified with the same SSL certificate?
Hwee-jae Yoo 13:55 Nov 26
In general, if you use a wildcard certificate or a multi-domain certificate, you can authenticate different systems and domains with the same certificate.
A wildcard certificate is a certificate that can apply SSL to the sub-domain hosts of a domain (FQDN).
A multi-domain certificate is a certificate that can contain, in one certificate, multiple FQDN domains that require SSL.
It is also referred to as a SAN (Subject Alternative Name) certificate, and in the case of your question, it seems possible to authenticate using a SAN certificate.
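To make the wildcard and multi-domain (SAN) rules in this answer concrete, here is an added example; it is not code from the session or from Voyager. It checks which hostnames a certificate's SAN list covers, using the matching rule browsers apply: a plain entry matches exactly (case-insensitively), and a `*` must be the whole leftmost label and stands for exactly one label. The SAN list and hostnames (`line-example.test` and friends) are constructed for the illustration, and the sample shows the usual surprise that `*.api.line-example.test` covers `v1.api.line-example.test` but neither `api.line-example.test` itself nor anything two labels deep.

```python
"""Which hostnames does a certificate cover?  Added illustration, not code from
the session or from Voyager.  Implements the hostname-matching rule browsers
apply to SAN entries: case-insensitive exact match, or a wildcard that is the
entire leftmost label and stands for exactly one label."""
from __future__ import annotations


def name_matches(pattern: str, host: str) -> bool:
    """True if the SAN entry `pattern` covers `host` (DNS names only)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False                      # empty label: malformed name
    if "*" not in pattern:
        return p_labels == h_labels       # plain entry: exact match only
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                      # partial or non-leftmost wildcards are refused
    if len(p_labels) < 3:
        return False                      # "*.test" would cover a whole TLD; refused
    # the wildcard consumes exactly one label, the remaining labels must match
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_names: list[str], host: str) -> bool:
    """A certificate is valid for `host` if any of its SAN entries matches it."""
    return any(name_matches(name, host) for name in san_names)


def coverage_report(san_names: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each candidate hostname to whether the SAN list covers it."""
    return {host: cert_covers(san_names, host) for host in hosts}


# Constructed sample: one plain entry plus one wildcard entry, as a
# multi-domain (SAN) certificate would carry.
SAMPLE_SAN = ["www.line-example.test", "*.api.line-example.test"]
SAMPLE_HOSTS = [
    "www.line-example.test",       # exact entry
    "WWW.LINE-EXAMPLE.TEST",       # DNS names are case-insensitive
    "v1.api.line-example.test",    # one label under the wildcard
    "api.line-example.test",       # the wildcard does NOT cover its parent
    "a.b.api.line-example.test",   # nor anything two labels deep
    "line-example.test",           # the apex is covered by neither entry
]

if __name__ == "__main__":
    for host, ok in coverage_report(SAMPLE_SAN, SAMPLE_HOSTS).items():
        print(f"{host:30} {'covered' if ok else 'NOT covered'}")
```

When a wildcard entry is meant to cover the parent name as well, the certificate needs a second SAN entry for it; the report above makes that gap visible before the certificate is deployed.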
Chris Qiang 15:06 Nov 25
Do we need Certificate Transparency for internal uses? E.g. Docker/Kubernetes and/or an organization intranet site, and maybe more?
Noh Seung-Heun 19:24 Nov 25
Basically, I don't believe CT is required for internal purposes. But the problem is that commercial CAs, as well as free CAs like Let's Encrypt, leave histories in a publicly accessible location once we ask them to publish certificates.
Could I know your case or your concerns about CT?
It's Your Man: Anto➹ 15:15 Nov 25
What is Voyager and how does it work?
Noh Seung-Heun 19:09 Nov 25
As security is getting more important in the internet era, managing SSL certificates securely is also important for LINE. To manage SSL certificates in a secure, reliable way, we made Voyager.
LINE's developers ask for or manage their SSL certificates in Voyager. Voyager securely stores SSL certificates and allows granted users to access them.
We are on a long journey to make a secure but automated way of managing SSL certificates through Voyager.
Dandi Waluya 15:14 Nov 25
How to create SSL certificates?
Noh Seung-Heun 19:01 Nov 25
There are three ways of creating SSL certificates: purchasing from a commercial Certificate Authority, getting free SSL certs from organizations like Let's Encrypt, or creating a self-signed SSL certificate.
If you are planning to use an SSL certificate for your internet service, a self-signed SSL certificate is not a valid option, because browsers cannot guarantee the validity of such certificates.
Creating an SSL certificate starts from making a CSR (Certificate Signing Request). You need to send the CSR to a CA to make a publicly valid (= acceptable by modern browsers) certificate, and that then needs to be installed in your server software like nginx, Apache, etc.
I recommend that you use Let's Encrypt first before you purchase a commercial one, because it's free and valid for service purposes. As you may know, Let's Encrypt's certificates are widely used nowadays by well-known internet services.
It's Your Man: Anto➹ 15:17 Nov 25
How do SSL certificates work?
Noh Seung-Heun 18:51 Nov 25
To understand how SSL works, you need to understand PKI first. PKI is an acronym for Public Key Infrastructure, which uses a pair of keys, a private key and a public key, for data exchange. We call PKI asymmetric cryptography because it uses these two different keys to encrypt and decrypt data. If we encrypt some data with the private key, it can be decrypted with the public key, and vice versa.
How SSL works is a kind of implementation of PKI on a public network. To guarantee the validity of the certificate shared by the server, we ask a CA (Certificate Authority) to sign the public key. Then the CA will publish a certificate by signing the CSR and public key with the private key of their root certificate. The certificate along with both keys will be installed on servers, and the public part will be sent out to clients. Because modern web browsers already have the public part of the CAs' root certificates, they can figure out whether the public key from the server is valid or not.
For more details, I recommend CloudFlare's document on how SSL works!
Fahri... 15:11 Nov 25
How do SSL certificates work?
Noh Seung-Heun 18:50 Nov 25
To understand how SSL works, you need to understand PKI first. PKI is an acronym for Public Key Infrastructure, which uses a pair of keys, a private key and a public key, for data exchange. We call PKI asymmetric cryptography because it uses these two different keys to encrypt and decrypt data. If we encrypt some data with the private key, it can be decrypted with the public key, and vice versa.
How SSL works is a kind of implementation of PKI on a public network. To guarantee the validity of the certificate shared by the server, we ask a CA (Certificate Authority) to sign the public key. Then the CA will publish a certificate by signing the CSR and public key with the private key of their root certificate. The certificate along with both keys will be installed on servers, and the public part will be sent out to clients. Because modern web browsers already have the public part of the CAs' root certificates, they can figure out whether the public key from the server is valid or not.
For more details, I recommend CloudFlare's document on how SSL works!
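The CSR → CA → browser flow described in the two "how do SSL certificates work" answers, and the CSR step from the answer on creating certificates, as one added, runnable illustration. This is not code from the session or from Voyager: it uses textbook RSA on fixed Mersenne primes with no padding, which is enough to show who signs what and what a client checks, but is not a secure implementation (real deployments generate keys and CSRs with openssl or a library and send the CSR to a real CA). `Toy Root CA`, `www.example.test` and the prime choices are constructed values. The example walks through the server's key pair and CSR, the CA signing the certificate contents with its own private key, a client that accepts the certificate only when a root in its trust store signed exactly those contents and the name matches, and the handshake step where the server proves it holds the private key behind the certificate.

```python
"""Toy chain of trust: CSR -> CA-issued certificate -> client check.
Added illustration, not LINE's or Voyager's code.  Uses textbook RSA on fixed
Mersenne primes with no padding, enough to show who signs what and what a
client verifies; never use it for real keys (use openssl or a CA instead)."""
from __future__ import annotations

import hashlib
import json
import secrets
from dataclasses import dataclass

E = 65537  # conventional RSA public exponent


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent: never leaves its owner

    def public(self) -> tuple[int, int]:
        return (self.n, self.e)


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA from two primes; pow() raises if E is not invertible mod phi."""
    return KeyPair(p * q, E, pow(E, -1, (p - 1) * (q - 1)))


def _encode(obj) -> bytes:
    # canonical JSON so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest_int(data: bytes) -> int:
    # 160 bits of SHA-256: below every modulus used in demo()
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(priv: KeyPair, data: bytes) -> int:
    return pow(_digest_int(data), priv.d, priv.n)


def verify(pub: tuple[int, int], data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


# 1. Server: generate a key pair, put subject + public key in a CSR and sign
#    the CSR with its own private key (proof of possession).
def make_csr(server_key: KeyPair, subject: str) -> dict:
    body = {"subject": subject, "public_key": list(server_key.public())}
    return {"body": body, "proof": sign(server_key, _encode(body))}


# 2. CA: check the CSR, then sign the to-be-signed content with the CA's
#    private key.  The CA private key never touches the server.
def ca_issue(ca_key: KeyPair, ca_name: str, csr: dict) -> dict:
    body = csr["body"]
    if not verify(tuple(body["public_key"]), _encode(body), csr["proof"]):
        raise ValueError("CSR proof-of-possession failed")
    tbs = {"issuer": ca_name, **body}
    return {"tbs": tbs, "signature": sign(ca_key, _encode(tbs))}


# 3. Client: a trust store of root public keys (what a browser ships with).
def client_accepts(cert: dict, hostname: str, roots: dict[str, tuple[int, int]]) -> bool:
    tbs = cert["tbs"]
    root = roots.get(tbs["issuer"])
    if root is None:
        return False  # issuer is not a trusted root
    if not verify(root, _encode(tbs), cert["signature"]):
        return False  # signature does not cover these exact contents
    return tbs["subject"] == hostname  # name in the cert must be the one we connect to


def demo() -> dict[str, bool]:
    # Fixed primes (Mersenne primes) stand in for real key generation.
    ca_key = make_keypair((1 << 89) - 1, (1 << 107) - 1)
    rogue_ca = make_keypair((1 << 521) - 1, (1 << 607) - 1)
    server_key = make_keypair((1 << 127) - 1, (1 << 61) - 1)
    roots = {"Toy Root CA": ca_key.public()}  # constructed trust store

    csr = make_csr(server_key, "www.example.test")
    cert = ca_issue(ca_key, "Toy Root CA", csr)
    forged = ca_issue(rogue_ca, "Toy Root CA", csr)  # claims the trusted name, wrong key
    tampered = {"tbs": {**cert["tbs"], "subject": "login.example.test"},
                "signature": cert["signature"]}

    # Handshake step: the server proves it holds the private key behind the cert.
    nonce = secrets.token_bytes(16)
    possession = verify(tuple(cert["tbs"]["public_key"]), nonce, sign(server_key, nonce))

    return {
        "genuine": client_accepts(cert, "www.example.test", roots),
        "wrong_host": client_accepts(cert, "login.example.test", roots),
        "forged_issuer": client_accepts(forged, "www.example.test", roots),
        "tampered_subject": client_accepts(tampered, "login.example.test", roots),
        "key_possession": possession,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'accepted' if ok else 'rejected'}")
```

The three rejections are the ones that matter operationally: a certificate whose issuer name is trusted but whose signature was made with some other key, a certificate whose contents were altered after signing, and a valid certificate presented for a name it does not cover. Each is caught by the client without any secret being shared, which is the property the answer's "browsers already have the public part of the CAs' root certificates" sentence relies on.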