Secure Services in Three Steps
Distributed Services with Go — by Travis Jeffery
Security in distributed services can be broken down into three steps:
- Encrypt data in-flight to protect against man-in-the-middle attacks;
- Authenticate to identify clients; and
- Authorize to determine the permissions of the identified clients.
Let’s talk about these steps in more detail, explore the security benefits they provide, and write the code to build them into our service.
Encrypt In-Flight Data
Encrypting data in flight prevents man-in-the-middle (MITM) attacks.[21] An example of a MITM attack is active eavesdropping, where the attacker makes independent connections with the victims and makes them think they’re talking directly with each other when in fact the attacker controls the conversation. This is bad because the attacker can not only learn confidential information but also maliciously change the messages sent between the victims. For example, say Bob was trying to send money to Alice using PayPal, but Mallory changed the account the money was sent to from Alice’s to her own.
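The protection described above depends on the client verifying the certificate the server presents, not on encryption alone. The following added example (not code from the book) uses Go's httptest TLS server and its built-in test certificate; the function names and the "balance: 100" payload are constructed for illustration. A client that trusts the certificate reads the response, while a client that does not trust it aborts the handshake, which is what happens when an interposed endpoint presents a certificate of its own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch GETs url over TLS, accepting only server certificates that chain to roots.
func fetch(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs one TLS server and connects twice: trusting its certificate, then not.
func Demo() (body string, trustedErr, untrustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "balance: 100") // constructed sample payload
	}))
	defer srv.Close()
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // trust exactly the test server's certificate
	body, trustedErr = fetch(srv.URL, trusted)
	// Empty, non-nil pool: no CA is trusted, so chain verification must fail.
	_, untrustedErr = fetch(srv.URL, x509.NewCertPool())
	return body, trustedErr, untrustedErr
}

// IsUnknownAuthority reports whether err is a certificate-chain verification failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	body, okErr, badErr := Demo()
	fmt.Printf("trusted: %q (err=%v)\nuntrusted: %v\n", body, okErr, badErr)
}
```

Setting InsecureSkipVerify on the client's tls.Config would make the second request succeed, leaving the connection encrypted but open to interception.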