1
00:00:00,300 --> 00:00:09,690
However, we can't always encrypt, we found out, guys. Why? Because sometimes I need to perform operations

2
00:00:09,720 --> 00:00:14,520
on the data and it's new that it needs to be plain text.

3
00:00:14,820 --> 00:00:18,540
You cannot, for example, perform database queries on encrypted data.

4
00:00:18,540 --> 00:00:23,700
You cannot do select star from Blair where ID equals seven.

5
00:00:23,700 --> 00:00:26,150
Well, the seven, the data is encrypted.

6
00:00:26,160 --> 00:00:27,500
So how do you do that?

7
00:00:27,510 --> 00:00:35,640
The only way is to actually either have it plaintext, unencrypted, stored on disk, which is pretty much

8
00:00:35,640 --> 00:00:44,160
what we do today, or have the database store it encrypted, but when we want to perform the queries,

9
00:00:44,160 --> 00:00:50,130
we decrypt the data using the key, and then we have to deal with the key management and stuff

10
00:00:50,130 --> 00:00:52,380
like that, which is another hassle.

11
00:00:52,860 --> 00:00:53,280
Right.

12
00:00:53,790 --> 00:00:56,250
And then turn around and encrypt it again.

13
00:00:56,250 --> 00:01:00,720
So that's what we can do today. There is no solution.

14
00:01:01,380 --> 00:01:02,220
That's what we do.

15
00:01:02,790 --> 00:01:04,400
Twitter, same thing.

16
00:01:04,440 --> 00:01:05,960
They cannot encrypt their data.

17
00:01:05,970 --> 00:01:09,090
Nobody encrypts their data in the database today.

18
00:01:09,180 --> 00:01:09,450
Right.

19
00:01:09,790 --> 00:01:10,200
Why?

20
00:01:10,320 --> 00:01:13,650
Because not only that, they want to run trends.

21
00:01:13,650 --> 00:01:14,010
Right.

22
00:01:14,010 --> 00:01:15,480
Twitter wants to run trends.

23
00:01:15,480 --> 00:01:16,950
They want to run their analytics.

24
00:01:16,950 --> 00:01:20,760
They want to compute a recommendation.

25
00:01:20,910 --> 00:01:23,820
They can't keep the encrypting on the backend.

26
00:01:24,120 --> 00:01:26,420
They cannot do that all the time.

27
00:01:26,430 --> 00:01:34,410
Maybe you can, but it's always, there will be an agent that decrypts at the end of the

28
00:01:34,410 --> 00:01:41,850
day, and the agent that decrypts, if you don't trust it, tough luck. Analysis, indexing, database

29
00:01:41,850 --> 00:01:43,260
tuning, can't do any of that.

30
00:01:43,290 --> 00:01:45,090
Has to be unencrypted.

31
00:01:45,090 --> 00:01:45,480
Right.

32
00:01:46,530 --> 00:01:47,100
Tough luck.

33
00:01:47,100 --> 00:01:47,390
Right.

34
00:01:48,000 --> 00:01:51,600
Applications must read the data in order to process it.

35
00:01:51,810 --> 00:01:52,230
Right.

36
00:01:52,560 --> 00:01:58,470
Even if the data is encrypted on disk and you read it encrypted.

37
00:01:58,680 --> 00:01:59,100
Right.

38
00:01:59,100 --> 00:02:02,910
So whoever snoops in the network cannot really read it.

39
00:02:02,910 --> 00:02:08,460
But the moment it reaches you as an agent, as an application, as a backend application, as

40
00:02:08,460 --> 00:02:16,140
a web server, as Express, as Node.js, as Python Django, you got to decrypt it in order to make sense

41
00:02:16,140 --> 00:02:16,470
of it.

42
00:02:16,470 --> 00:02:16,890
Right.

43
00:02:17,100 --> 00:02:19,410
And once you do that, it's available.

44
00:02:19,470 --> 00:02:19,710
Right.

45
00:02:20,100 --> 00:02:23,070
And the question is, do you trust this application or not?

46
00:02:23,730 --> 00:02:24,060
Not.

47
00:02:25,080 --> 00:02:27,000
So same thing.

48
00:02:27,210 --> 00:02:31,710
We have this concept of TLS termination on layer seven reverse proxies and load balancers.

49
00:02:31,710 --> 00:02:31,980
Right.

50
00:02:32,280 --> 00:02:41,250
All load balancers that act at layer seven, if the traffic is encrypted with HTTPS, it

51
00:02:41,250 --> 00:02:43,140
has to say stop.

52
00:02:43,350 --> 00:02:44,670
I need to look at the data.

53
00:02:44,970 --> 00:02:46,080
What does it do?

54
00:02:46,080 --> 00:02:47,310
It terminates TLS.

55
00:02:47,310 --> 00:02:48,160
What does that mean?

56
00:02:48,180 --> 00:02:55,710
It means it serves the load balancer certificate to the client and decrypts all the traffic.

57
00:02:55,740 --> 00:02:58,380
Looks at the data, look at the records, look at the post.

58
00:02:58,380 --> 00:03:00,120
Of course, look at the path.

59
00:03:00,210 --> 00:03:06,150
And then based on that, execute rules that you have put on the application.

60
00:03:06,150 --> 00:03:13,110
So I can know your host, I can know where you're going, I can know the path, and I can execute

61
00:03:13,120 --> 00:03:16,080
microservices logic.

62
00:03:16,080 --> 00:03:16,370
Right.

63
00:03:16,380 --> 00:03:20,610
So if you're going slash pictures, then I'm going to take you to this set of backend servers.

64
00:03:20,790 --> 00:03:23,850
If you're going to slash comments, I'm going to take you to these backend servers.

65
00:03:24,270 --> 00:03:26,190
You cannot do this if you can.

66
00:03:26,190 --> 00:03:30,930
If you don't decrypt today, we decrypt TLS termination and reverse proxies.

67
00:03:31,180 --> 00:03:33,850
Apparently they brag about the features.

68
00:03:33,850 --> 00:03:36,120
That way we do TLS termination.

69
00:03:36,120 --> 00:03:36,780
We're good.

70
00:03:37,560 --> 00:03:38,710
Well, it is official.

71
00:03:38,710 --> 00:03:39,000
All right.

72
00:03:39,000 --> 00:03:40,290
But you're up the traffic.

73
00:03:40,290 --> 00:03:44,970
And although a lot of people are against this concept, Steve Gibson is one of them.

74
00:03:44,970 --> 00:03:47,040
And we're going to reference the video below us.

75
00:03:47,460 --> 00:03:56,940
I'm not gonna give you a reverse proxy or not seven bucks the audience protector to look at my traffic

76
00:03:56,940 --> 00:03:58,890
just to do your operations.

77
00:03:58,920 --> 00:03:59,490
No, sir.

78
00:03:59,490 --> 00:04:03,030
I'm not going to give you my private and certificate to serve it.

79
00:04:03,960 --> 00:04:05,340
He's just not comfortable with it.

80
00:04:05,430 --> 00:04:09,540
And so many other people are not comfortable with layer seven reverse proxies.

81
00:04:09,790 --> 00:04:10,020
Right.

82
00:04:10,240 --> 00:04:12,840
That's the nature of the beast, I guess.

83
00:04:12,840 --> 00:04:13,110
Right.

84
00:04:13,530 --> 00:04:19,710
But that's why people prefer layer four load balancers where it will stream all the way to the

85
00:04:19,710 --> 00:04:19,830
backend.

86
00:04:19,830 --> 00:04:21,960
Well, it has, it's efficient.

87
00:04:21,960 --> 00:04:24,330
It's not as efficient as layer seven.

88
00:04:24,330 --> 00:04:26,590
OK, you cannot do Poulenc cannot do all the stuff.

89
00:04:26,590 --> 00:04:32,640
But that's a big, big, big problem in the backend engineering community today, TLS termination.