Ok. Tweet thread time! Too long ago I promised to write a screed explaining how much I hated mutual-auth TLS and why. I got distracted, and I wasn't happy with the writing, so here it is in tweet thread form instead! But basically: client certs and mutual-auth TLS are TERRIBAD.
To summarize, just to make sure I understand: you're saying that the typical canonicalization style stuff I do to a request before signing the request is likely to prevent SQLi?
Often! Like, if you look at HTTP, for example, request-level signatures usually block the same kinds of attack because the first request ends up malformed and mismatching. Doesn't work if you do it at a proxy layer, though.
It doesn't address the underlying design issues wherein SQL libraries are being used poorly (i.e. without using prepared statements correctly).