Tuesday Tweet Thread is a "Today in Infosec" one. It's 10 years since @marshray published one of my favorite TLS/SSL issues, and the best named. The Pizza Attack! Read about it in EKR's blog post from the time: http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
To protect our customers, we worked with a bunch of vendors, including going to their sites and working with their TLS teams to get renegotiations disabled. We updated a lot of software and hardware in November, our peak month. There was a @JeffBezos call about it!
The issue caused some examination of the SSL/TLS protocol itself, and led to secure renegotiations, and also caused a lot of people to disable renegotiations, which helped mitigate 3SHAKE (https://blog.cryptographyengineering.com/2014/04/24/attack-of-week-triple-handshakes-3shake/)
TLS1.3 has also cleaned a lot of house, and no longer supports renegotiations at all. This is good because being able to arbitrarily change contexts at the transport layer is way too confusing for applications.
The attack also informed the design of other security protocols. At AWS, our signed request protocols like SIGv4 are explicitly designed to prevent issues like this from creating security issues.
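As an added illustration of the design point in the previous tweet (this is a simplified, SigV4-style scheme written for this page, not AWS's own implementation), the signature is bound to the whole request: method, path, query, selected headers and a body hash. A request assembled by gluing someone else's request line onto the key holder's signed headers, which is the shape of request the 2009 renegotiation flaw let a server see, therefore fails verification. Key, hostnames and requests below are constructed.

```python
import hashlib
import hmac

# Headers covered by the signature (assumed for this example; real SigV4
# lists them in the Authorization header).
SIGNED_HEADERS = ("host", "x-date")

def canonical_request(req):
    """Deterministic text that signer and verifier both rebuild from the request."""
    hdrs = {k.lower(): v.strip() for k, v in req["headers"].items()}
    canon_hdrs = "".join(f"{h}:{hdrs.get(h, '')}\n" for h in SIGNED_HEADERS)
    body_hash = hashlib.sha256(req["body"]).hexdigest()
    return "\n".join([req["method"], req["path"], req["query"],
                      canon_hdrs, ";".join(SIGNED_HEADERS), body_hash])

def sign(req, secret):
    """Return a copy of req with an Authorization header bound to its canonical form."""
    mac = hmac.new(secret, canonical_request(req).encode(), hashlib.sha256).hexdigest()
    signed = dict(req, headers=dict(req["headers"]))
    signed["headers"]["Authorization"] = f"SIG-HMAC-SHA256 Signature={mac}"
    return signed

def verify(req, secret):
    """Recompute over what was actually received and compare in constant time."""
    presented = req["headers"].get("Authorization", "").rpartition("Signature=")[2]
    expected = hmac.new(secret, canonical_request(req).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)

def splice(prefix, victim):
    """Model, at the HTTP layer, what a server reassembles when a transport-level
    splice prepends a foreign request line to the victim's headers and body
    (constructed here to show the verifier's behaviour, not the transport bug)."""
    merged = dict(prefix, headers=dict(victim["headers"]), body=victim["body"])
    merged["headers"]["X-Ignore"] = f'{victim["method"]} {victim["path"]}'  # swallowed line
    return merged

SECRET = b"constructed-demo-key"
VICTIM = {"method": "GET", "path": "/account", "query": "",
          "headers": {"Host": "api.example", "X-Date": "20191105T120000Z"}, "body": b""}
PREFIX = {"method": "POST", "path": "/transfer", "query": "",
          "headers": {"Host": "api.example"}, "body": b""}

def demo():
    """(genuine request verifies, spliced request verifies) -> (True, False)."""
    signed = sign(VICTIM, SECRET)
    return verify(signed, SECRET), verify(splice(PREFIX, signed), SECRET)

if __name__ == "__main__":
    print(demo())
```

Because method, path and body hash are all inside the signed text, the spliced request cannot reuse the victim's signature; a transport-only protection such as the TLS channel gives no such check.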
Could you talk more about how AWS runs and does "drop everything and fix" style things?


