Tuesday Tweet Thread is a "Today in Infosec" one. It's 10 years since @marshray published one of my favorite TLS/SSL issues, and the best named. The Pizza Attack! Read about it in EKR's blog post from the time: http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
The issue caused some examination of the SSL/TLS protocol itself, and led to secure renegotiations, and also caused a lot of people to disable renegotiations, which helped mitigate 3SHAKE (https://blog.cryptographyengineering.com/2014/04/24/attack-of-week-triple-handshakes-3shake/)
TLS1.3 has also cleaned a lot of house, and no longer supports renegotiations at all. This is good because being able to arbitrarily change contexts at the transport layer is way too confusing for applications.
The attack also informed the design of other security protocols. At AWS, our signed request protocols like SIGv4 are explicitly designed to prevent issues like this from creating security issues.
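The two points the thread makes, that a context change at the transport layer lets an attacker's bytes get spliced in front of the victim's, and that a request signature covering method, path and headers catches the splice, modelled at the HTTP layer. This is an added example and not code from the thread, from @marshray's write-up or from AWS: the TLS records are not simulated (only the fact that a server keeping its read buffer across a renegotiation sees attacker bytes followed by victim bytes as one stream), the signature scheme is a deliberately simplified HMAC over a canonical request in the spirit of a SigV4-style design rather than the real SigV4 algorithm, and the host `shop.example`, the victim's key, the `X-Ignore` header trick and the pizza order path are all constructed for illustration.

```python
"""Pizza attack (TLS renegotiation prefix injection) modelled at the HTTP layer.

Added example, not from the original thread. Assumptions: the TLS layer is
reduced to "segments delivered in different handshake contexts"; the request
signature is a simplified SigV4-style HMAC over a canonical request, not SigV4.
"""
import hashlib
import hmac

# Hypothetical per-principal key the server can look up by key id.
VICTIM_KEY_ID = "victim"
VICTIM_SECRET = b"victim-secret-key"

# Attacker's bytes, sent in the first TLS context. The unterminated X-Ignore
# header swallows the victim's request line so the victim's cookie ends up
# attached to the attacker's order.
ATTACKER_PREFIX = (b"POST /order?pizza=pepperoni&deliver_to=attacker HTTP/1.1\r\n"
                   b"Host: shop.example\r\n"
                   b"X-Ignore: ")


def parse_http_request(stream):
    """Parse one HTTP/1.1 request: returns method, path, lowercased headers, body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "path": path.decode(),
            "headers": headers, "body": body}


def server_stream(segments, reset_on_renegotiation):
    """What the server's HTTP parser sees. Each segment arrived in a different
    TLS handshake context. A server that keeps its buffer across the boundary
    splices them (the bug); one that resets at the boundary, or never allows a
    second context (TLS 1.3), only acts on the last segment."""
    if reset_on_renegotiation:
        return segments[-1]
    return b"".join(segments)


def canonical_request(method, path, headers, signed_headers, body):
    """Simplified SigV4-like canonical form: method, path, the signed headers
    in sorted order, the list of signed header names, and the body hash."""
    canon_headers = "".join(f"{h}:{headers.get(h, '')}\n" for h in sorted(signed_headers))
    return "\n".join([method, path, canon_headers, ";".join(sorted(signed_headers)),
                      hashlib.sha256(body).hexdigest()])


def sign_request(method, path, headers, body, key_id, secret,
                 signed_headers=("host", "cookie")):
    """Return headers with an Authorization header carrying the HMAC signature."""
    canon = canonical_request(method, path, headers, signed_headers, body)
    sig = hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()
    headers = dict(headers)
    headers["authorization"] = (f"SIG KeyId={key_id}, "
                                f"SignedHeaders={';'.join(sorted(signed_headers))}, "
                                f"Signature={sig}")
    return headers


def verify_signature(request, keys):
    """Recompute the canonical request from what the server parsed and check
    the HMAC. Any change to method, path or a signed header breaks it."""
    auth = request["headers"].get("authorization", "")
    if not auth.startswith("SIG "):
        return False
    fields = dict(part.strip().split("=", 1) for part in auth[4:].split(","))
    secret = keys.get(fields.get("KeyId"))
    if secret is None:
        return False
    canon = canonical_request(request["method"], request["path"], request["headers"],
                              fields["SignedHeaders"].split(";"), request["body"])
    expected = hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields.get("Signature", ""))


def serialize(method, path, headers, body):
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def victim_request(sign):
    """The victim's request, sent in the renegotiated TLS context."""
    method, path, body = "GET", "/account", b""
    headers = {"host": "shop.example", "cookie": "session=victim-secret"}
    if sign:
        headers = sign_request(method, path, headers, body, VICTIM_KEY_ID, VICTIM_SECRET)
    return serialize(method, path, headers, body)


def pizza_attack(sign_requests, reset_on_renegotiation):
    """Run the splice and return (path the server acts on, cookie it saw,
    whether the signature verified; always False when requests are unsigned)."""
    stream = server_stream([ATTACKER_PREFIX, victim_request(sign_requests)],
                           reset_on_renegotiation)
    req = parse_http_request(stream)
    return (req["path"], req["headers"].get("cookie"),
            verify_signature(req, {VICTIM_KEY_ID: VICTIM_SECRET}))


if __name__ == "__main__":
    for sign in (False, True):
        for reset in (False, True):
            print(f"signed={sign} reset_on_renegotiation={reset}:", pizza_attack(sign, reset))
```

With neither defence the server acts on the attacker's `/order` path using the victim's cookie, which is the whole attack. Resetting (or refusing) at the handshake boundary makes the server see only the victim's `/account` request. Signing alone does not stop the splice, but the verifier recomputes the canonical request from what it actually parsed, so the changed method and path fail verification and the forged order is rejected, which is the property the thread credits to signed request protocols.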