- Tom Hacohen
Why mTLS is Not Recommended for Webhook Authentication
By default, the TLS protocol only proves the identity of the server to the client. The TLS protocol also supports proving the identity of the client to the server, which is called mutual TLS authentication (mTLS). mTLS is more often used in environments where there are a limited number of services interacting with one another, and there are high compliance or security environments. While it does provide some benefits, it comes with significant drawbacks which prevent it from being a viable solution for webhooks.
The Problems with mTLS
One of the primary challenges when using mTLS for webhook authentication is its complexity. Setting up and maintaining mTLS involves managing certificates, keys, and sometimes even Certificate Authorities (CAs). For developers who are not well-versed in mTLS, this can be quite daunting and time-consuming. Especially when you consider the extra overhead involved with configuring the recipient to accept these certificates.
Compatibility and Support
Not all services and platforms support mTLS out of the box, which means developers might need to put in extra time and effort to configure their systems to work with it. In some cases, they might not even be able to use mTLS with their chosen tech stack. This can hinder mTLS adoption for webhook authentication and prompt developers to seek alternative solutions.
When something goes wrong with webhook communication, having mTLS in place can make the troubleshooting process more complicated. Since both parties need to present valid certificates for the communication to work, identifying and resolving issues related to expired or invalid certificates can be time-consuming and frustrating.
As your webhook infrastructure grows, managing mTLS certificates and keys for multiple clients and webhook endpoints can become a significant burden. This can lead to mistakes, such as misconfiguration or certificate expiration, which may disrupt webhook communication and negatively impact your service.
It may be tempting to think that adding mTLS will just make everything easier and more secure, it’s actually not the case. Additional security measures are required in order for mTLS to be used securely with webhooks.
For example, you probably want a client certificate per customer on your platform (or some different security mechanism), otherwise one customer can potentially trick your server to send webhooks to another customer, and these webhooks will authenticate just fine. This may sound far-fetched, but it’s actually very easy, they just need to sign up to your service, put the victim’s URL as their own, and manipulate the server to send attacker controlled payloads. This becomes even worse if your service supports sending test payloads.
A Better Alternative: Webhook Signatures
That’s why the most common way to authenticate webhooks, and what Svix uses, is signing payloads. Signing the payload offers several advantages over mTLS, making it a more suitable choice for securing webhook communication.
Webhook signatures are much simpler to implement and maintain compared to mTLS. They involve creating a unique signature for each webhook payload using a shared secret key. This signature is then included in the webhook request, allowing the receiver to verify the authenticity of the payload without the need for complex certificate management.
Svix also provides a variety of open source libraries for webhook signature and verification which makes it even easier to sign and verify webhooks. Both for customers of the Svix service, and for people building their own webhook implementations.
Webhook signatures can be easily implemented in virtually any tech stack, making them a more universally compatible solution for webhook authentication. There's no need to worry about whether your chosen platform or service supports mTLS, as webhook signatures can be integrated seamlessly.
Since webhook signatures do not involve the complex certificate management associated with mTLS, troubleshooting issues related to webhook authentication becomes a simpler and more streamlined process. Webhook signatures come with their own challenges (cryptography is always a pain), but these challenges are much easier to overcome.
As your webhook infrastructure expands, managing webhook signatures remains relatively straightforward and does not require the same level of maintenance as managing mTLS certificates. This allows your webhook service to scale more efficiently, without causing unnecessary burdens on your team.
While mTLS has its merits in certain use cases, it is not an ideal solution for webhook authentication. Its complexity, compatibility issues, and scalability concerns make it a less-than-optimal choice for securing webhook communication. Webhook signatures, on the other hand, offer a simpler, more compatible, and scalable alternative that can help ensure the integrity and authenticity of webhook payloads without the headaches associated with mTLS.