Ok. Tweet thread time! Too long ago I promised to write a screed explaining how much I hated mutual-auth TLS and why. I got distracted, and I wasn't happy with the writing, so here it is in tweet thread form instead! But basically: client certs and mutual-auth TLS are TERRIBAD.
Often! Like if you look at HTTP, for example, request-level signatures usually block the same kinds of attack because the first request ends up malformed and mismatching. Doesn't work if you do it at a proxy layer, though.
By "same kind of attack" you mean, like header injection?
Yep, request smuggling through broken header validation.