Basic info
Every instance started by SteamCannon will have to have an open port on public IP address to allow management of the services running in that instance.
Data exchanged between SC and SC Agent will be secured using SSL with certificate validation.
See also current SteamCannon | Agent | API.
How does it work?
- SC generates a self-signed CA certificate and a client certificate and for itself on boot if they don't already exist.
- SC passes the public client certificate as User Data when starting the instance.
- On boot the instance starts the SC Agent which listens on a port for HTTPS connections, using a self-signed cert. The SC Agent will only accept incoming SSL connections from clients that match the client certificate given during instance creation.
SC generates an SSL certificate and private key for the instance.
- SC poll pings Agent to know when it comes up.
- After the ping response, SC sends SSL certificate and key down to Agent.
- Agent receives cert bundle, and replaces self-signed cert with the bundled cert.
- When SC connects to the Agent, it verifies that the Agent's SSL certificate matches the one given in the bundle.
- Both SC and the Agent have verified that the other side is who they say they are.
Concerns
This approach has a small window where it is theoretically possible for a man in the middle attack to occur, or for another instance masquerading as our agent instance to take its place. For either of these to occur, an Eve would need to:
- gain access to the public cert passed as User Data before SC has successfully pinged the agent and delivered the cert bundle
- reroute the network so that the IP SC has for the instance routes to another location, also before SC has successfully pinged the agent and delivered the cert bundle
Questions
- What port we will use?
- Should we allow SSL to be toggled on or off, maybe for local dev testing?
- Should we allow HTTP auth instead of SSL client certs if someone wants authentication but not encryption?
Comments