Hi,
I have a question regarding the “Require encryption” setting for service creation:
What exactly does this mean? When turned off, is the traffic on the overlay for this service really plain text? If no, what does this feature do?
Best regards
Dominik
P.S. I also noticed that for the “Quick add” via ZAC, the toggle is turned off by default and turned on by default when creating a service the conventional way. I might add a GitHub issue once I understood, what this actually does.
Connection Security | OpenZiti provides a good overview. The toggle refers to what is called end-to-end in the linked doc.
it should never, ever be off by default. @jeremy.tellier can you fix that? I noticed it the other day and forgot to file a bug for it.
Require encryption is on by default for the main service creation, I will push up for the simple service creation with the next release.
Thanks, the article is very helpful.
But I couldn’t find, which encryption is set when using the toggle. Is it the Edge connection?
If not set, which communication exactly is clear text?
It’s for the “end-to-end” encryption (SDK endpoint to SDK endpoint). The mTLS links will always be used, regardless of that toggle. Nothing is sent “clear text”.
The toggle is for “Service end-to-end encrypted ChaCha20-Poly1305” orangish band in this diagram:
You should not turn it off unless your application is already providing end-to-end encryption. (I would never turn it off, even if my app is providing encryption independent of Ziti)
Gotcha thanks!
So the red edge connection is also always encrypted, regardless of the toggle?
Yes. The red and blue are always mTLS (aka encrypted)
Then the yellow tunnel is the end to end encryption part. (the part Dave hightlights above)
And finally, the green line represents the application traffic, which if it’s say something like ssh, is ALSO encrypted.
Alright, does that mean that every transport path is encrypted but there’s no end-to-to end encryption if the toggle is deactivated?
Yes that’s exactly what it means. In that configuration, with e2ee off, technically OpenZiti routers would be able to look at the payload at the router, if it chose to. That’s why we always recommend leaving e2ee on, so that you don’t need to worry about anyone, anywhere, even the overlay network, being able to inspect any data… In our opinion, it’s just best to always have it enabled. We’ve even discussed not allowing people to disable it in the past…
And, to go deeper… IF you had e2ee off, and you chose to use an encrypted application protocol like ssh or https etc, well then I’d personally consider that “end to end encrypted” without OpenZiti also doing it. BUT. If someone ever changed that protocol in the future to an unencrypted protocol, you’re back to possibly allowing the data to be inspected at the nodes…
Thanks, that makes sense!
Btw: We had our final ISO 27001 audit day today and could fulfill quite a couple Annex A clauses by simply using Ziti. Pretty cool - the auditor was pretty amazed.
Very cool! Way to go!!! Congrats!
Thanks! Are you interested in another Ziti TV together, showing how we made our ESXi Hypervisor dark using Ziti when it’s necessary to access the vCenter Webinterface from anywhere?
We always enjoy seeing how people are using OpenZiti! Sounds like fun!
