Overview
This article discusses the implementation of employee-facing mutual TLS (mTLS) at Pinterest, focusing on enhancing user experience during authentication processes. It highlights the challenges faced and solutions implemented to streamline certificate selection and improve security compliance across various platforms.
What You'll Learn
1. How to implement automatic certificate selection in browsers using policies
2. Why disabling HTTP/2 can be necessary for certificate prompts
3. How to configure distinguished names of CAs to improve user experience
Prerequisites & Requirements
- Understanding of mutual TLS and certificate management
- Familiarity with Chrome policies and the Envoy proxy (optional)
Key Questions Answered
How does Pinterest enhance the user experience with mutual TLS?
Pinterest has implemented automatic certificate selection policies for browsers, reducing user prompts and improving the authentication experience. This is particularly effective on macOS and Windows, where users are not prompted to select certificates manually, thus streamlining the login process.
What challenges does mTLS face on mobile platforms?
On mobile platforms like iOS and Android, automatic certificate selection policies cannot be implemented, leading to user experience issues. Users may struggle with certificate prompts, especially if they select the wrong certificate, as they cannot easily re-prompt for a certificate without restarting the application.
Why is disabling HTTP/2 important for mTLS certificate prompts?
Disabling HTTP/2 matters because HTTP/2 connection reuse can prevent a certificate prompt from being triggered: the browser keeps using an already-established connection instead of opening a new TLS handshake in which the server requests a client certificate. The HTTP/2 RFC provides a way for servers to signal that they do not want a connection reused, but some implementations, such as Envoy, do not honor it, which complicates the mTLS flow.
What is the SSLClientAuthCache and how does it affect mTLS?
The SSLClientAuthCache stores SSL client certificate decisions based on server host and port. If a certificate prompt is canceled, the cache treats it as an intentional action, preventing re-prompting for certificates unless the browser is restarted, which can hinder user experience.
Key Statistics & Figures
Weekly authentications after mTLS implementation: 13k
This statistic reflects the volume of successful authentications achieved weekly since the implementation of the mutual TLS solution.
Average number of related helpdesk tickets: less than five
This indicates the effectiveness of the mTLS implementation, resulting in minimal user issues requiring support.
Technologies & Tools
Backend: Envoy. Used for routing logic to manage mTLS authentication and certificate prompting.
Frontend: Chrome. Browser used for implementing automatic certificate selection policies.
Key Actionable Insights
1. Implement automatic certificate selection policies for browsers to enhance user experience in mTLS authentication. This approach minimizes user interaction during authentication, making the process smoother and reducing the likelihood of errors in certificate selection.
2. Consider disabling HTTP/2 for services requiring mTLS to ensure proper certificate prompting. This can help avoid complications arising from connection reuse, which may prevent users from being prompted for the correct certificate.
3. Properly configure the list of distinguished names of acceptable CAs to streamline the certificate selection process. This reduces the chances of users being prompted to select from invalid certificates, enhancing the overall authentication experience.
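An Envoy listener that applies insights 2 and 3 above, as an added example and not Pinterest's own configuration: the HTTP connection manager is pinned to HTTP/1.1 (and ALPN offers only http/1.1) so a browser cannot coalesce requests onto an existing HTTP/2 connection, and the `trusted_ca` bundle holds only the employee CA, because that bundle is what Envoy turns into the list of acceptable CA distinguished names in its CertificateRequest. File paths, the listener name and the `backend` cluster are placeholders.

```yaml
# Added example (not from the original post). Envoy v3 API; paths are placeholders.
static_resources:
  listeners:
  - name: employee_mtls_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: employee_mtls
          # HTTP/1.1 only: every new origin gets its own TLS handshake,
          # so the server's certificate request reliably reaches the browser.
          codec_type: HTTP1
          route_config:
            name: local_route
            virtual_hosts:
            - name: employee_apps
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }   # placeholder cluster
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Fail the handshake when no client certificate is presented.
          require_client_certificate: true
          common_tls_context:
            # Do not advertise h2 via ALPN; pairs with codec_type: HTTP1 above.
            alpn_protocols: ["http/1.1"]
            tls_certificates:
            - certificate_chain: { filename: "/etc/envoy/server.crt" }   # placeholder
              private_key: { filename: "/etc/envoy/server.key" }         # placeholder
            validation_context:
              # Keep this bundle to the employee-issuing CA only. Every CA here is
              # advertised as an acceptable issuer DN, so extra CAs make the browser
              # offer unrelated certificates in its selection prompt.
              trusted_ca: { filename: "/etc/envoy/employee-ca.crt" }     # placeholder
```

Verify the advertised issuer list from a client with `openssl s_client -connect host:443 -servername host`, which prints "Acceptable client certificate CA names" after the handshake.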
Common Pitfalls
1. Relying on WebViews for authentication can lead to compatibility issues with mTLS. WebViews do not provide access to the keychain or certificate store, which can hinder authentication processes. Developers should use alternatives like Chrome Custom Tabs or ASWebAuthenticationSession to ensure proper certificate access.
2. Not properly configuring distinguished names of CAs can lead to poor user experience. If the list of acceptable CAs is not set correctly, users may be prompted to select from invalid certificates, causing frustration and potential authentication failures.
Related Concepts
Mutual TLS
Single Sign-On (SSO)
Certificate Management
WebView Security Issues