docs: Add a FAQ on DPI breaking the encryption
cdecker committed Nov 28, 2024
1 parent 17c71aa commit 4bf0bb9
Showing 1 changed file with 41 additions and 0 deletions.
41 changes: 41 additions & 0 deletions docs/src/about/faq.md
Expand Up @@ -26,3 +26,44 @@ request the signer:
All of this ensures that only ever the latest state gets signed, and
that this signed state doesn't get revoked, making a cheat attempt
impossible.

## Connectivity

### Why can't I connect to the service from my school/work network?

For its authentication and authorization Greenlight uses mTLS (mutual
transport layer security), an extension on the usual TLS used for
secure communication in browsers. Unlike normal websites however,
Greenlight requires two things:

- The server must reply with a server certificate signed by the Greenlight CA.
- The client must use a client certificate signed by the Greenlight CA.

When you try to access a service that uses mTLS (Mutual Transport
Layer Security) with self-signed certificates, you might encounter
connectivity issues, especially on networks with Deep Packet
Inspection (DPI).

DPI is a network security technique used to inspect network traffic to
identify potential threats. Some DPI systems can interfere with
encrypted connections, particularly those using self-signed
certificates. These systems often rely on trusted Certificate
Authorities (CAs) to validate certificates. Since self-signed
certificates are not issued by a trusted CA, they may be flagged as
suspicious and blocked.

The root cause of the issue lies in the network configuration and
security policies of your school or workplace network. They may have
strict security measures in place that restrict traffic based on
certificate validation. 

This is not a Greenlight issue. Greenlight is using a standard
security protocol, mTLS, to protect your data. The problem arises from
the network restrictions imposed by your institution.

We are working on exposing the scheduler and node interfaces over
[`grpc-web`][grpc-web] which can use browser-grade certificates, and
not require a client certificate, thus avoiding these connectivity
issues.

[grpc-web]: https://github.com/grpc/grpc-web
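Review bot: the explanation contradicts itself about which certificates are involved, and the stated failure mode is incomplete. The two bullets say "The server must reply with a server certificate signed by the Greenlight CA." and "The client must use a client certificate signed by the Greenlight CA.", but the following paragraphs then describe "mTLS ... with self-signed certificates" and attribute the block to self-signed certificates being "flagged as suspicious". Certificates issued by a private CA are not self-signed (only the CA root is); the accurate statement is that the Greenlight CA is not in the trust store of the inspecting network device. More importantly, the text never names the mechanism that actually breaks the second bullet: an intercepting DPI/TLS proxy terminates the connection and re-establishes it to the server, and it cannot present the client certificate because it does not hold the client's private key, so the server side of the mTLS handshake fails regardless of how the server certificate is judged. Suggest rewording the DPI paragraph around those two points (untrusted private CA at the proxy, client certificate impossible to forward), and also dropping the second expansion "mTLS (Mutual Transport Layer Security)" since the term is already defined a few lines earlier, where "an extension on the usual TLS" would be better phrased as "TLS with client certificate authentication", which is part of the TLS handshake itself rather than an extension. The grpc-web paragraph should say how the client will authenticate once no client certificate is required, otherwise the reader is left to assume the endpoint is unauthenticated.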
