So instead people use "short certs". O.k. first let me point out that the security of this solution depends on how secure your server clocks are. If I can spoof NTP ... it was all .. dumb ... anyway.
Hola, the unroll you asked for: https://threadreaderapp.com/thread/1057025260095066112.html … Share this if you think it's interesting.
does that imply that API gateway's client cert stuff is basically pointless because the backend systems supplied by customers are misconfigured anyways?
What's the alternative? Are you suggesting request / object signing? Still need PKI (or similar), still have to deal with clocks, and you get new problems around replays. Go the other direction to IPSec/SDN/Network-level stuff and you have an even worse layering violation...