Mutual authentication is a big component of Zero Trust. Setting up client certificates for all your end users may not be feasible, but mTLS between Pomerium and upstream services definitely is.
Short of TLS for endpoints (users), all you're doing is making a MitM message passing scheme waiting for a subpoena in the United States.
You cannot know the message or Third Party Doctrine kicks in. Do yourself a favor if you really care about the space, and figure out cert provisioning and distribution.
If your organization can support provisioning and managing certs for end users, you can do that too (https://www.pomerium.com/guides/mtls.html). This is talking about the connection between the identity-aware proxy (Pomerium) running in your local network, and the upstream service. It prevents someone with unauthorized access into your local network from talking directly to the service.
Does this explain the context better? This is not a SaaS solution, this is self-hosted so there's no third party here. If you still think there's an attack vector here, maybe you can tell me exactly what that is?
3 comments
[ 3.0 ms ] story [ 14.8 ms ] threadYou cannot know the message or Third Party Doctrine kicks in. Do yourself a favor if you really care about the space, and figure out cert provisioning and distribution.
Does this explain the context better? This is not a SaaS solution, this is self-hosted so there's no third party here. If you still think there's an attack vector here, maybe you can tell me exactly what that is?