Tuesday Tweet Thread is a "Today in Infosec" one. It's 10 years since @marshray published one of my favorite TLS/SSL issues, and the best named. The Pizza Attack! Read about it in EKR's blog post from the time: http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html … ...
The client would then make their own request, but because of the clever way the Pizza attack would leave the pending lingering one, the client would effectively complete that one too.
-
-
If the lingering request was something like "Order a pizza", then the MITMd client would end up ordering a pizza. Pretty crafty.
Show this thread -
This issue in the SSL/TLS protocols was a "Drop everything and fix" for us at Amazon, and it came on the heels of a "Drop everything and fix the internet" because of how silly bind9 was issue earlier in the year.
Show this thread -
To protect our customers, we worked with a bunch of vendors, including going to their sites and working with their TLS teams to get renegotiations disabled. We updated a lot of software and hardware in November, our peak month. There was a
@JeffBezos call about it!Show this thread -
The issue caused some examination of the SSL/TLS protocol itself, and led to secure renegotiations, and also caused a lot of people to disable renegotiations, which helped mitigate 3SHAKE (https://blog.cryptographyengineering.com/2014/04/24/attack-of-week-triple-handshakes-3shake/ …)
Show this thread -
TLS1.3 has also cleaned a lot of house, and no longer supports renegotiations at all. This is good because being able to arbitrarily change contexts at the transport layer is way too confusing for applications.
Show this thread -
The attack also informed the design of other security protocols. At AWS, our signed request protocols like SIGv4 are explicitly designed to prevent issues like this from creating security issues.
Show this thread -
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.


