JSJ 406: Security in Node

Today the panel is talking about security features that are being added to Node 13. AJ talks about the background and what he’s working with Let’s Encrypt. He talks about changes that Node has made to the TLS module. TLS is a handshake that happens between a client and a server. They exchange certificates, generate some random numbers to use for encryption, and TLS handles the encryption. The move to HTTP/2 is all about fixing legacy bugs and legacy features from the SSL days and reducing the number of handshakes.AJ talks about the difference between TLS and HTTPS. While TLS reduces the handshakes between client and server, HTTPS is just HTTP and has no knowledge that TLS is going on. HTTP/2 is more baked in as both encryption and compression are part of the specification and you get it automatically. HTTP/2 is also supposed to be faster because there’s fewer handshakes, and you can build heuristic based web servers. Since browsers have varying degrees of compatibility, a smart HTTP/2 server will classify the browser and anticipate what files to send to a client based on behavior and characteristics without the client requesting themA lot of these new features will be built into Node, in addition to some other notable features. First, there will now be set context on the TLS object. Second, if you’re connected to a server, and the server manages multiple domains, the certificate will have multiple names on it. Previously, each different server name had a different network request, but now a .gitcertificate will let you get all the metadata about the certificate, including the primary domain and all the secondary domains and reuse the connections. These new features are a great improvement on the old Node. Previously, the TLS module in Node has been an absolute mess. These are APIs that have been long neglected, and are long overdue core editions to Node. Because of these additions, Node Crypto has finally become usable. HTTP/2 is now stable, usable, and has backwards compatable API, and a dictionary of headers to make it more efficient in compression.The conversation turns back to certificates, and AJ explains what a certificate is and what it represents. A certificate has on it a subject, which is a field which contains things like common name, which in the case of HTTPS is the server name or host name. then it will have subject alternative names (SAN), which will have a list of other names that are valid on that certificate. Also included on the certificate is the name of the authority that issued the certificate. AJ talks about some of the different types of certificates, such as DV, OV, and EV certificates. They differentiate between encryption and hashing. Hashing is for verifying the integrity of data, while encryption can be used either as signing to verify identity or to keep data owned privately to the parties that are part of the connection. Encryption does not necessarily guarantee that the data is the original data. The show concludes with AJ talking about how he wants to make encryption available to the average person so that everyone can share securely. PanelistsSteve EdwardsAJ O’NealCharles Max WoodSponsorsTideliftSentry use the code “devchat” for 2 months free on Sentry’s small plan Ruby RoguesLinksLet’s EncryptGreenlockHTTP/2<a href="https://nodejs.org/" target="_blank" rel="noreferrer...