encrypted-tunnel
Security pattern for channel-level encryption (TLS/SSH). Use when implementing HTTPS, securing all communication between endpoints, setting up TLS connections, or when infrastructure should handle encryption transparently. Addresses "Leak action request or data in transit" problem.
Security pattern for channel-level encryption (TLS/SSH). Use when implementing HTTPS, securing all communication between endpoints, setting up TLS connections, or when infrastructure should handle encryption transparently. Addresses "Leak action request or data in transit" problem.
Encrypted Tunnel Security Pattern
Entities set up a communication channel where ALL exchanges are encrypted. The channel infrastructure handles encryption transparently. Common implementations: TLS and SSH.
Problem Addressed
Leak action request or data in transit: Any data transmitted over the channel could be observed. Encrypt everything at the channel level.
Core Components
| Role | Type | Responsibility |
|---|---|---|
| Sender | Entity | Initiates communication |
| Receiver | Entity | Receives communication |
| EndpointS | Entity | Manages sending end of tunnel |
| EndpointR | Entity | Manages receiving end of tunnel |
| CryptographerS | Cryptographic Primitive | Encrypts for Sender |
| CryptographerR | Cryptographic Primitive | Decrypts for Receiver |
| EndpointManagerS | Entity | Configures sender endpoint |
| EndpointManagerR | Entity | Configures receiver endpoint |
Data Elements
- action/data: Plaintext communication
- {x}_k: Encrypted communication
- config: Cipher configuration, certificates, keys
Pattern Flow
Setup Phase
EndpointManagerS → [initialise(config)] → EndpointS
EndpointManagerR → [initialise(config)] → EndpointR
Communication Phase
Sender → [action/data] → EndpointS
EndpointS ↔ EndpointR: [negotiate cipher/key] (if needed)
EndpointS → [encrypt] → CryptographerS → [{x}_k] → EndpointS
EndpointS → [{x}_k] → EndpointR (over channel)
EndpointR → [decrypt] → CryptographerR → [data] → EndpointR
EndpointR → [action/data] → Receiver
Key Characteristics
Transparent Encryption
- Sender/Receiver don't manage encryption directly
- Endpoints handle cryptographic operations
- Application sees plaintext
All-or-Nothing
- Everything through the tunnel is encrypted
- No selective encryption at this level
- Simpler mental model
Infrastructure Managed
- TLS libraries handle complexity
- Standardized protocols
- Well-tested implementations
TLS Implementation (Most Common)
Configuration Options
- Protocol version: TLS 1.2 minimum, TLS 1.3 preferred
- Cipher suites: Modern, authenticated encryption
- Certificate validation: Enable and configure properly
Mozilla SSL Configuration Generator
Use for safe defaults: https://ssl-config.mozilla.org/
TLS 1.3 Benefits
- Simplified handshake
- Stronger cipher suites only
- Forward secrecy required
- Removed vulnerable options
Security Considerations
Never Implement Custom Protocols
- Use TLS/SSH, not custom encryption
- Use established libraries (OpenSSL, BoringSSL, etc.)
- Never implement your own handshake
Certificate Validation
Critical: Always validate certificates
- Verify certificate chain
- Check certificate not expired
- Verify hostname matches
- Check revocation status (OCSP, CRL)
Disabling certificate validation defeats TLS security.
Cipher Suite Selection
- Disable weak ciphers (RC4, DES, export ciphers)
- Prefer authenticated encryption (GCM modes)
- Prefer forward secrecy (ECDHE, DHE)
- Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
Private Key Protection
- Protect server private key
- Restrict file permissions
- Consider HSM for high-security applications
- Rotate keys periodically
Certificate Management
- Use certificates from trusted CAs
- Automate renewal (Let's Encrypt)
- Monitor expiration
- Implement certificate pinning for mobile apps (carefully)
HSTS (HTTP Strict Transport Security)
For web applications:
- Force HTTPS connections
- Prevent downgrade attacks
- Include subdomains
- Consider preloading
Comparison with Selective Encryption
| Aspect | Encrypted Tunnel | Selective Encryption |
|---|---|---|
| Scope | All communication | Specific data |
| Control | Infrastructure | Application |
| Complexity | Lower for application | Higher for application |
| Flexibility | Less | More |
Recommendation: Use encrypted tunnel (TLS) as baseline. Add selective encryption for data that needs additional protection (e.g., encrypted at rest AND in transit).
Implementation Checklist
- [ ] TLS 1.2+ (prefer 1.3)
- [ ] Strong cipher suites only
- [ ] Certificate validation enabled
- [ ] Hostname verification enabled
- [ ] Certificate from trusted CA
- [ ] Private key protected
- [ ] HSTS enabled (web apps)
- [ ] Automatic certificate renewal
- [ ] No custom protocol implementation
- [ ] Forward secrecy enabled
Common Misconfigurations
| Misconfiguration | Risk |
|---|---|
| Certificate validation disabled | MITM attacks |
| Old TLS versions enabled | Protocol downgrade |
| Weak cipher suites | Cryptographic attacks |
| Expired certificates | Connection failures, user warnings |
| Self-signed certs in production | Trust issues |
Related Patterns
- Selective encrypted transmission (alternative: selective encryption)
- Encryption (underlying operations)
- Cryptographic key management (certificate/key handling)
References
- Source: https://securitypatterns.distrinet-research.be/patterns/06_01_002__encrypted_tunnel/
- Mozilla SSL Configuration Generator
- OWASP TLS Cheat Sheet
You Might Also Like
Related Skills
create-pr
Creates GitHub pull requests with properly formatted titles that pass the check-pr-title CI validation. Use when creating PRs, submitting changes for review, or when the user says /pr or asks to create a pull request.
n8n-io
electron-chromium-upgrade
Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.
electron
pr-creator
Use this skill when asked to create a pull request (PR). It ensures all PRs follow the repository's established templates and standards.
google-gemini
clawdhub
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.
moltbottmux
Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.
moltbot
create-pull-request
Create a GitHub pull request following project conventions. Use when the user asks to create a PR, submit changes for review, or open a pull request. Handles commit analysis, branch management, and PR creation using the gh CLI tool.
cline