I love the people who have advice on how to avoid the “accept alg:none” JWT bug. Like: the bug is that there’s a knob that turns the crypto off in the protocol. And it’s LABELED THAT. And major apps still have this bug. We’re beyond advice here.
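A verifier that pins the expected algorithm instead of trusting the token header, added here as an example (not code from anyone in the thread); the secret and the tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real credential


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    # constructed token builder so the example runs stand-alone
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """The verifier decides the algorithm; the header only has to agree.
    A token carrying "alg": "none" (or any other value) is refused before
    any signature logic runs, so there is no knob to turn the crypto off."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(token: str, key: bytes = SECRET) -> bool:
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False


# constructed tokens: one honest, one using the "none" knob with an empty signature
GOOD = sign_hs256({"sub": "alice"}, SECRET)
NONE_HEADER = b64url_encode(b'{"alg":"none","typ":"JWT"}')
ADMIN_PAYLOAD = b64url_encode(b'{"sub":"admin"}')
ALG_NONE = f"{NONE_HEADER}.{ADMIN_PAYLOAD}."
```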
You have sold me on your mTLS position.
What about the knobs in many languages effectively turning off TLS (e.g. no certificate validation or hostname verification)? This is at least as common, but I never see people as up-in-arms about it.
A malicious cert still prevents passive eavesdropping!
Solution: make it not work with the cert if it would work without?
Systems that assume anything signed is allowed, but never say, look at a CN? And also do the mTLSing in the app instead of a sidecar?