Ok. Tweet thread time! Too long ago I promised to write a screed explaining how much I hated mutual-auth TLS and why. I got distracted, and I wasn't happy with the writing, so here it is in tweet thread form instead! But basically: Client certs and Mutual-Auth TLS are TERRIBAD.
-
It's a big "we" - I mean all cloud and SaaS providers for quite a while now.
-
I don't understand (note: not a euphemism for "I disagree with") this part of the argument. Unless you're willing to use the cloud provider's SDK, signed requests/responses are difficult. If you do use the SDK then the SDK's already handled injection, right?
-
Also, most people can't implement the consumer or producer side of request/response signing (canonicalization is hard; misunderstanding what is and isn't covered by sig is error-prone). Further, rightly or wrongly, people often want to mutate requests in middleware.
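The two hazards named in that reply (canonicalization and knowing exactly what the signature covers) are easier to see in code than in prose. The block below is an added example written for this page; it is not the thread author's code and not any cloud provider's SDK or signing scheme. It assumes a constructed shared secret and a made-up `/v1/transfer` request, and uses a deliberately small canonical form: method, path, sorted percent-encoded query, the covered headers plus the list of their names, and a SHA-256 of the body, all bound under HMAC-SHA256. The demo then shows which middleware mutations a verifier tolerates and which it rejects, including the one that is silently uncovered.

```python
"""Minimal signed-request canonicalization and coverage demo (added example)."""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

# Constructed shared secret for the example only.
SECRET = b"example-shared-secret"


def canonical_request(method, path, query, headers, signed_headers, body):
    """Build the canonical string that the signature actually covers.

    - query params are decoded, sorted and re-encoded so that equivalent
      requests canonicalize identically (parameter order must not matter)
    - only headers named in signed_headers are covered; names are lowercased,
      values stripped, and the list of covered names is itself included so a
      verifier cannot be talked into checking a smaller set
    - the body is covered through its SHA-256 digest
    """
    canon_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}"
        for k, v in sorted(parse_qsl(query, keep_blank_values=True))
    )
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(h.lower() for h in signed_headers)
    canon_headers = "".join(f"{n}:{lowered.get(n, '')}\n" for n in names)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join(
        [method.upper(), path, canon_query, canon_headers, ";".join(names), body_hash]
    )


def sign(secret, method, path, query, headers, signed_headers, body):
    """HMAC-SHA256 over the canonical request, hex encoded."""
    cr = canonical_request(method, path, query, headers, signed_headers, body)
    return hmac.new(secret, cr.encode(), hashlib.sha256).hexdigest()


def verify(secret, method, path, query, headers, signed_headers, body, signature):
    """Recompute and compare in constant time."""
    expected = sign(secret, method, path, query, headers, signed_headers, body)
    return hmac.compare_digest(expected, signature)


def demo():
    """Sign one request, then replay it through typical middleware mutations."""
    headers = {
        "Host": "api.example.test",          # covered
        "Content-Type": "application/json",  # covered
        "X-Request-Id": "req-0001",          # NOT covered (constructed gap)
    }
    signed = ["host", "content-type"]
    body = b'{"op":"transfer","amount":10}'
    sig = sign(SECRET, "POST", "/v1/transfer", "b=2&a=1", headers, signed, body)

    def check(query=None, hdrs=None, b=None):
        return verify(SECRET, "POST", "/v1/transfer", query or "b=2&a=1",
                      hdrs or headers, signed, b or body, sig)

    return {
        # canonicalization absorbs a proxy reordering the query string
        "reordered_query_ok": check(query="a=1&b=2"),
        # middleware adding an uncovered tracing header is tolerated
        "uncovered_header_added_ok": check(hdrs=dict(headers, **{"X-Trace": "span-1"})),
        # middleware rewriting a covered header breaks the signature
        "covered_header_changed_ok": check(hdrs=dict(headers, **{"Content-Type": "text/plain"})),
        # body tampering is caught via the body hash
        "body_tampered_ok": check(b=b'{"op":"transfer","amount":1000}'),
        # the coverage trap: X-Request-Id was never signed, so changing it
        # verifies fine even though an operator might assume it is protected
        "uncovered_header_changed_ok": check(hdrs=dict(headers, **{"X-Request-Id": "req-9999"})),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last result is the one the reply is warning about: nothing in the protocol stops the request from being "valid" with a rewritten `X-Request-Id`, because the header was simply not in the covered set. Whether that is acceptable depends on what the receiver later trusts that header for, which is exactly the judgement most hand-rolled implementations get wrong.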