TLS vs. mTLS

Apr 3, 2025 - 06:34

TLS (Transport Layer Security)—Only the server is authenticated by the client. The client trusts the server's identity, but the server does not verify the client's identity.

But how does the client trust the server's identity?

The website's server has an SSL/TLS certificate installed that was issued for that domain by a certificate authority (CA) the client already trusts. During the handshake the server proves it holds the private key matching that certificate, so the client can conclude it is talking to the legitimate owner of that domain.

mTLS (Mutual TLS)—Both the server and the client are mutually authenticated. This provides two-way authentication, ensuring that both parties can trust each other.

However, in the case of mTLS, how do services authenticate each other?

Suppose we have 2 services—the order service and the payment service.

  1. First, the order service sends its certificate (its identity) to the payment service.
  2. The payment service checks that the order service's certificate is valid and issued by a CA it trusts.
  3. The payment service then sends its own certificate to the order service.
  4. Finally, the order service verifies the payment service's certificate to make sure it is talking to the correct service.
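The four steps above, worked through as an added Go example that is not part of the original post. It uses only the standard library: a constructed in-memory CA issues certificates to a "payment" service and an "order" service (the names, the CA and the loopback connection are all assumptions for the demo), the payment service is configured to require a client certificate chaining to that CA, and the same harness also covers the rejection case, a self-signed impostor claiming to be the order service.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue returns a certificate for name signed by parent; a nil parent yields a self-signed certificate (a CA, or an impostor).
func issue(name string, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// Constructed for the demo: the internal CA both services trust, and the payment service's certificate issued by it.
var ca, caTLS = issue("internal-ca", nil, nil)
var _, payTLS = issue("payment", ca, caTLS.PrivateKey)
// MTLSDemo makes one loopback connection from a caller presenting clientCert to the payment service, which accepts only certificates chaining to the internal CA; it returns the identity the server accepted ("" if rejected) and the error the client observed.
func MTLSDemo(clientCert tls.Certificate) (accepted string, clientErr error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// ClientAuth is the mTLS switch: RequireAndVerifyClientCert fails the handshake unless the client's certificate chains to a CA in ClientCAs; a plain TLS server leaves the default, tls.NoClientCert.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{payTLS}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "payment", Certificates: []tls.Certificate{clientCert}} // verifies the server as any TLS client does
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	raw, _ := net.Dial("tcp", ln.Addr().String())
	cli := tls.Client(raw, cliCfg)
	errCh := make(chan error, 1)
	// Read drives the client handshake; under TLS 1.3 a rejection by the server surfaces here, not in Handshake.
	go func() { _, err := cli.Read(make([]byte, 2)); errCh <- err }()
	conn, _ := ln.Accept()
	defer func() { ln.Close(); raw.Close(); conn.Close() }()
	if srv := tls.Server(conn, srvCfg); srv.Handshake() == nil { // chain verified: the leaf's CN names the caller
		srv.Write([]byte("ok")) // application data flows only after both sides have verified each other
		accepted = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
	}
	return accepted, <-errCh
}
```

MTLSDemo returns ("order", nil) for a certificate issued by the internal CA and ("", error) for a self-signed one claiming the same name. In the handshake itself the server presents its certificate before asking for the client's, and under TLS 1.3 a rejected client only sees the failure on its first read, not from the handshake call.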

When should I use which?

You can use TLS for a public-facing web application where the client only needs to ensure it's connecting to the right server, but there's no need for the server to authenticate the client.

And you can use mTLS for internal service-to-service communication in Kubernetes, where mutual trust is necessary to secure the interaction between microservices (e.g., one microservice calling another for data).