Come on people - we *give* you strongly signed requests, and SPIFFE and ISTIO still do this garbage? Drives me nuts.
Even BASIC AUTH is better! Even kerberos is better! That's saying something.
OK, so just authenticating a channel at all is BAD, but TLS is even MUCH worse at this than you think. Starting with ... it's common to FAIL OPEN. Default TLS server configurations "just work" and let anyone in! It's not even a misconfiguration really. I've seen this TOO OFTEN.
But OK, so you check that's locked down. But did you know that TLS connections can be re-negotiated, and re-AUTHENTICATED? It's nuts!! But yes, TLS supports this. The client can at any time decide to change the auth context.
Did you know there might be a DIFFERENT CLIENT CERT for each byte of the request? Hell, there can be an infinite number even between the bytes! Again, layering violation! Which cert applies? Who knows!!
Btw @marshray basically told us all this 9 years ago!! And implementations still don't handle it right, because it's incomprehensible. You can turn off renegotiations wholesale, but then you might over-use a key! *sigh* no-win. TLS 1.3 does fix this though.
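The two server-side failure modes the thread walks through (a TLS server that asks for a client certificate and then lets anyone in, and a client identity that can change under you after the handshake) as an added Go example. This is not code from the thread, from SPIFFE or from Istio; it uses only Go's crypto/tls and crypto/x509. The CA, the server name "server.example" and the client names "spiffe-client" and "rogue-client" are throw-away certificates minted in-process for the demo; the handshakes run over an in-memory net.Pipe, and session tickets are disabled on both server configs purely so that no post-handshake ticket traffic has to be drained from the synchronous pipe. It contrasts the fail-open config (tls.RequestClientCert, which requests but neither requires nor verifies) with a locked-down one (tls.RequireAndVerifyClientCert with a ClientCAs pool and MinVersion TLS 1.3, which removes renegotiation from the protocol altogether):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a throw-away P-256 cert: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

type Outcome struct {
	Connected bool   // the server-side handshake completed
	PeerCN    string // CN of whatever leaf the client sent, verified or not
	Verified  bool   // the server chained that leaf to a CA it trusts (ConnectionState.VerifiedChains non-empty)
}

// handshake runs one handshake over an in-memory pipe and reports what the server saw; the client reads one byte
// afterwards so that the server's alert (or its single byte of application data) is drained from the synchronous pipe.
func handshake(server, client *tls.Config) Outcome {
	srvConn, cliConn := net.Pipe()
	res := make(chan Outcome, 1)
	go func() {
		defer srvConn.Close()
		s := tls.Server(srvConn, server)
		if s.Handshake() != nil {
			res <- Outcome{}
			return
		}
		st := s.ConnectionState()
		out := Outcome{Connected: true, Verified: len(st.VerifiedChains) > 0}
		if len(st.PeerCertificates) > 0 {
			out.PeerCN = st.PeerCertificates[0].Subject.CommonName
		}
		s.Write([]byte{1})
		res <- out
	}()
	c := tls.Client(cliConn, client)
	defer cliConn.Close()
	if c.Handshake() == nil {
		c.Read(make([]byte, 1))
	}
	return <-res
}

// Demo drives a fail-open and a locked-down server config with anonymous, rogue and legitimate clients.
func Demo() map[string]Outcome {
	ca := issue("Example CA", nil)
	srv := issue("server.example", &ca)
	good := issue("spiffe-client", &ca)
	rogue := issue("rogue-client", nil) // self-signed: chains to nothing the server trusts
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// Fail-open: asks for a client cert but neither requires nor verifies it. Anyone connects.
	failOpen := &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequestClientCert, SessionTicketsDisabled: true}
	// Locked down: a chain to our CA is mandatory, and TLS 1.3 has no renegotiation to change it mid-connection.
	locked := &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool, MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true} // tickets off only for the pipe
	clientCfg := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: "server.example", Certificates: certs}
	}
	return map[string]Outcome{
		"failopen/anonymous": handshake(failOpen, clientCfg()),
		"failopen/rogue":     handshake(failOpen, clientCfg(rogue)),
		"locked/anonymous":   handshake(locked, clientCfg()),
		"locked/legit":       handshake(locked, clientCfg(good)),
	}
}

func main() {
	for name, o := range Demo() {
		fmt.Printf("%-19s %+v\n", name, o)
	}
}
```

The fail-open config completes the handshake for the anonymous client, and also for the rogue one, whose self-signed certificate then shows up in PeerCertificates with an empty VerifiedChains. A server that authorizes on the presence of a peer certificate rather than on a verified chain is exactly the "just works and lets anyone in" configuration the tweet describes, so the check a practitioner wants is either RequireAndVerifyClientCert at the config level or an explicit test of VerifiedChains before trusting the identity. On the renegotiation point, Go's server never accepts a renegotiation request, and setting MinVersion to TLS 1.3 removes the mechanism from the protocol, so the identity recorded at the handshake is the one that applies to every byte of the connection.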
Replying to @marshray
TLS 1.3 got rid of renegotiation entirely and added simple rekeying support to handle key exhaustion.
Replying to @colmmacc
Why not just use larger keys? Can HTTP servers still configure client cert requests on the basis of information contained in the URL?
Replying to @marshray
1/ With the math for AES block size and ChaCha20's stream, it's still possible to hit the usage limits. There was talk of using an extended key schedule to mint more keys from the PRF, but that doesn't help PSK and other modes. Plus rekeying makes forward secrecy easier.
2/ Yes, but the browser has to reconnect. Still dumb.