What Is mTLS?
Mutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection in which both parties use X.509 digital certificates to authenticate each other. mTLS can help mitigate the risk of moving services to the cloud and can help prevent malicious third parties from imitating genuine apps.
Great. I think I got it. But just in case, tell me the whole thing again.
A Quick Review: How TLS Works
Okay, but first, let’s back up a step. When web browsers want to connect to a secure web server, for example https://www.f5.com, they use the Transport Layer Security (TLS) protocol. This provides the ability not only to scramble and protect private communications but to verify that the server the browser is connecting to does indeed belong to F5. We may never have visited www.f5.com before, and yet our web browsers trust that site’s identity from the first moment we visit. Our web browser’s ability to do this is made possible thanks to the use of trusted third parties (TTPs). In the case of TLS, the TTP is a certificate authority (CA), which creates and issues X.509 digital certificates to website owners once they prove they own a domain name.
The web browser can trust the web server because they both trust the third party (the CA). In order for this trust to work, the web browser must have existing knowledge of the CA. That’s why our devices and web browsers come preloaded with certificates for hundreds of public CAs. These CAs form the “anchor” of trust between our web browsers and the websites we might want to visit.
The following steps are required for a web browser to trust the certificate that a web server provides. The steps are illustrated in Figure 1:
- The CA’s public certificate must already exist in the web browser or operating system. This provides the anchor upon which all subsequent trust relationships are based.
- The web server must prove ownership of the domain name for which it requests a certificate. Once ownership is verified, the CA issues a new certificate and digitally signs it using its own private key. The new certificate is installed on the web server.
- The web browser visits the website and, as part of the TLS connection, the web server sends its certificate to the web browser.
- The web browser uses the CA’s public certificate to check the signature of the certificate. If the signature is verified, the web browser knows it is connected to a web server that has proven ownership of that domain.
If you’re still a little fuzzy and want to learn how TLS works, visit the F5 DevCentral YouTube channel, which contains a series of videos explaining the process.
Okay, but you’ve just described everyday TLS. What is mTLS?
We’re almost there, don’t worry.
Now, Back to mTLS
In this example, only one party, let’s call her Alice, has performed authentication. The second party, let’s call him Bob, has not authenticated Alice using certificates (see Figure 2 below). For the most part, he doesn’t need to. Bob knows that millions of people visit his website and he has his own way of verifying his customers—he can ask Alice to provide a username and password after establishing the TLS connection. Using credentials is not nearly as secure as performing cryptographic verification using digital certificates, but it’s generally good enough for what most people do over the web, such as shopping or posting cat videos.