mTLS and Mesh Security — Vocabulary
5 exercises practising mutual TLS, SPIFFE workload identities, PeerAuthentication modes, and AuthorizationPolicy vocabulary in service meshes.
Exercise 1 / 5
A security engineer asks why Istio mTLS is described as mutual TLS rather than regular TLS. Which explanation is correct?
mTLS = both parties authenticate — the server verifies the client's certificate, and the client verifies the server's certificate. This enables zero-trust service-to-service authentication.
In a typical HTTPS connection (regular TLS), only the server presents a certificate. The browser verifies the server is legitimate, but the server doesn't verify who the browser is (authentication is done via cookies/tokens at the application layer). In Istio mTLS, the payment-service doesn't just verify that it's talking to the order-service's IP address — it verifies the order-service's SPIFFE certificate. If a rogue container with the same IP somehow intercepts traffic, it won't have the valid SPIFFE certificate and the mTLS handshake will fail.
Key vocabulary:
• mutual TLS (mTLS) — both parties present and verify X.509 certificates
• workload identity — the SPIFFE certificate Istio issues to each service's Envoy sidecar
• SPIFFE — Secure Production Identity Framework for Everyone; standard for workload identity in cloud-native systems