Let's ask the most important question in the design of any AAA system: how do we handle the inevitable compromise of the credentials? So what are the common answers ...
ACTUAL SECURITY ISSUE I SAW IN THE WILD: The "administrative-assistants" group has had root-level access to everything for years, because their group name started with "admin" and the regex letting them in lacked a $ terminator!!
Disclaimer: they were using Apache 2.0, and I wrote that regex supporting madness, and so it is my fault and I will pay for my sins.
Anyway, back to MTLS, it is a hodgepodge of awfulness. Massive code base to implement, terrible standards in the middle, and just obscure untested garbage left and right. RUN AWAY!
Yet it gets a reputation for being a best practice, maybe because it's hard, or because it has a halo from the false talisman of cryptography. *shudder* BAD, BAD, TERRIBAD.
Anyway, that's the rant out of my system! AMA about MTLS if you want, and dear @Unrollme - please unroll this thread.
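The group-name regex bug described in the thread, reproduced as an added example (this is not the author's code or configuration, and the user/group table is constructed for illustration). It shows the prefix-only pattern matching "administrative-assistants", the same pattern with a `$` terminator rejecting it, and a plain set-membership check that has no anchoring to get wrong, plus an audit helper that lists every group a pattern would admit so an over-broad rule is visible before it ships:

```python
import re

# Constructed sample of group memberships (hypothetical users; not from the original thread).
USER_GROUPS = {
    "alice": ["admin"],
    "bob": ["administrative-assistants"],
    "carol": ["developers"],
}

# The kind of rule the thread describes: anchored at the start, but with no '$' terminator,
# so any group name that merely begins with "admin" satisfies it.
UNANCHORED_ADMIN = re.compile(r"^admin")

# Fully anchored alternative: the whole group name must be exactly "admin".
ANCHORED_ADMIN = re.compile(r"^admin$")


def is_root_by_regex(user, pattern):
    """Grant root if any of the user's groups matches the pattern.

    re.search is used deliberately, since that is the matching behaviour of a typical
    authz rule that only checks whether the pattern occurs somewhere in the group name.
    """
    return any(pattern.search(group) for group in USER_GROUPS.get(user, []))


def is_root_exact(user, allowed=frozenset({"admin"})):
    """Set membership instead of a regex: an exact-string comparison cannot over-match."""
    return any(group in allowed for group in USER_GROUPS.get(user, []))


def audit_regex(pattern, groups):
    """Return the sorted list of group names the pattern admits.

    Running this over the full group directory before deploying a rule makes an
    over-broad match (like the one in the thread) show up as an extra entry.
    """
    return sorted(group for group in groups if pattern.search(group))


def all_groups():
    """Every distinct group name in the constructed directory."""
    return {group for groups in USER_GROUPS.values() for group in groups}


if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user,
              "unanchored:", is_root_by_regex(user, UNANCHORED_ADMIN),
              "anchored:", is_root_by_regex(user, ANCHORED_ADMIN),
              "exact:", is_root_exact(user))
    print("groups admitted by ^admin :", audit_regex(UNANCHORED_ADMIN, all_groups()))
    print("groups admitted by ^admin$:", audit_regex(ANCHORED_ADMIN, all_groups()))
```

Running the script prints that "bob" gets root under the unanchored rule and is denied under both alternatives. If a regex is unavoidable, `re.fullmatch` (which requires the whole string to match) removes the need to remember the `$` at all.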