Increased encryption is drawing scrutiny as it disables organizations that work to filter and block imagery showing the sexual abuse of children.
I was recently debugging a nasty issue in one of our backend services and needed to view the exact HTTP request & response being sent to an authentication server. Fortunately, Go’s standard library provides http.RoundTripper, httputil.DumpRequestOut & httputil.DumpResponse, which are great for dumping the exact out-bound request & the response. But since an authentication request contains credentials and a response contains a security token, it would have been insecure to record credentials & tokens in our logging systems. How could I securely exfiltrate the information I needed, while maintaining security and not requiring a whole lot of changes to my codebase or deployment environment?
A few years ago at a DEFCON conference, an organization called “Let’s Encrypt” lead a session on their new project. Although this group was not well-known at the time, their ambitious goals made me feel that I should hear what they had to say, even if it was just to save money.