Gociphers management
Concept
A Spider Gocipher is a service that attach eBPF Uprobes to the OpenSSL libraries used by the applications which
network communications are being captured by Whisperers.
The Uprobe capture the TLS secrets of TLS sessions being setup, and send them to Spider backoffice.
Spider then parses TCP sessions and TLS secrets to link them together.
Once linked, TCP sessions are deciphered in the applicative protocol parsers for live decoding, and on the UI for TLS analysis.
By default, you have a Spider Gocipher installed in the cluster when installing Spider.
It is installed as a Daemonset since it must be able to access the container namespaces on the host.
You may also install Gociphers to any other cluster, and have them connected to the same Spider instance.
The Gocipher:
- polls its configuration for the list of targets to watch
- from the Controller to get the list of Whisperers attached in the cluster
- from its configuration file when deployed on standalone
- discovers the target executables and OpenSSL libraries
- attaches a Uprobe to the OpenSSL functions
- link the captured secrets to the Whisperers
- and sends secrets to the backoffice
Content
This documentation describes: