Right now, anyone who knows the address of a Selenium Grid Hub can register a Node on it. This is convenient, but it also means a bad actor could register on your Hub and intercept your scripts. To counter this, Grid 4.x needs to be able to restrict node registration.
Puppet includes a Certificate Authority in the Server. When new nodes are brought online they contact the server with a Certificate Signing Request, and an administrator must sign the request before communication can begin. When the node is no longer under management, its certificate is removed from the server.
This approach is secure, but likely more complicated than Selenium needs, especially since a Grid is often scaled up and down, which would cause certificates to be created and removed frequently, and only with involvement from a human. (Auto-signing negates the benefit of this approach but addresses the elasticity problem.)
More information at https://puppet.com/docs/pe/2019.2/adding_and_removing_nodes.html
Filebeat talks to Logstash using certificates, but the CA is managed outside of the server. Both sides of the connection have a private key and certificate as well as a certificate authority bundle. When certificate validation is enabled, a connection is only established when every certificate involved is signed by the CA.
This approach is the natural next step after the recently merged HTTPS support, but it requires a CA and makes Secure Node Registration on an HTTP Hub very hard.
More information at https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html
A more low-key approach is to configure a shared secret on both the Hub and the Node(s) and only allow registration when the secrets match.
- Secure Node Registration for 4.x should take the Shared Secret approach because it can operate over both HTTP and HTTPS
- Secure Node Registration should be optional in the 4.x series, and mandatory for 5.x and beyond
- The Filebeat-esque approach should be re-evaluated should HTTP no longer be an option, since it reuses much of the same user-space scaffolding
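To make the Shared Secret proposal and the "optional in 4.x" recommendation concrete, here is an added illustration of the registration check; it is not Selenium Grid's own code, and the `Node`/`Hub` classes, the `registration_mac` helper, the field names in the registration payload and the sample secret are all assumptions made for the example. It goes slightly beyond a plain secret comparison: rather than sending the secret itself, the Node sends an HMAC of its registration payload under the secret, so the Hub can verify both that the Node holds the same secret and that the payload was not altered in transit, while a `None` secret on the Hub models the open-registration mode that 4.x would keep optional.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret; in practice both Hub and Node load it from configuration.
SHARED_SECRET = "example-registration-secret"


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so Hub and Node compute the MAC over identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def registration_mac(secret: str, payload: dict) -> str:
    """HMAC-SHA256 of the registration payload keyed with the shared secret."""
    return hmac.new(secret.encode("utf-8"), canonical(payload), hashlib.sha256).hexdigest()


class Node:
    """Hypothetical Node that wants to register with the Hub."""

    def __init__(self, node_id: str, url: str, secret: str):
        self.node_id = node_id
        self.url = url
        self.secret = secret

    def registration_request(self, now: Optional[float] = None) -> dict:
        payload = {
            "id": self.node_id,
            "url": self.url,
            "capabilities": {"browserName": "chrome"},  # constructed sample
            "ts": int(time.time() if now is None else now),
        }
        # The secret itself never leaves the Node; only the MAC travels with the request.
        return {"payload": payload, "mac": registration_mac(self.secret, payload)}


class Hub:
    """Hypothetical Hub that accepts registrations only from Nodes holding the same secret."""

    def __init__(self, secret: Optional[str], max_skew_seconds: int = 60):
        # secret=None models the 4.x optional mode: registration stays open.
        self.secret = secret
        self.max_skew_seconds = max_skew_seconds
        self.nodes: Dict[str, str] = {}

    def register(self, request: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        payload = request.get("payload")
        if not isinstance(payload, dict) or "id" not in payload or "url" not in payload:
            return False, "malformed request"
        if self.secret is not None:
            expected = registration_mac(self.secret, payload)
            presented = str(request.get("mac", ""))
            # Constant-time comparison so a wrong secret cannot be probed byte by byte.
            if not hmac.compare_digest(expected, presented):
                return False, "secret mismatch"
            # Reject old requests so a captured registration cannot simply be replayed later.
            now = time.time() if now is None else now
            if abs(now - payload.get("ts", 0)) > self.max_skew_seconds:
                return False, "stale request"
        self.nodes[payload["id"]] = payload["url"]
        return True, "registered"


if __name__ == "__main__":
    hub = Hub(SHARED_SECRET)
    print(hub.register(Node("node-1", "http://node-1:5555", SHARED_SECRET).registration_request()))
    print(hub.register(Node("node-2", "http://rogue:5555", "wrong-secret").registration_request()))
```

Because the MAC covers the whole payload, a Node that knows the secret but has its registration message modified on the wire is rejected just like a Node with the wrong secret, which is the property a plain "does the header match" check over HTTP would lack. The timestamp window is a deliberate trade-off: it limits replay of a captured request without requiring the Hub to remember every registration it has seen.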