This tweet and its thread have had over 100,000 views, WHICH WAS UNEXPECTED. There's also some offshoot threads about MITM and Forward Secrecy. While we're at it: ask me anything about TLS/SSL or the crypto involved and I'll answer here. NO SCARY MATH. https://twitter.com/colmmacc/status/978430840198742016 …
I'll start! "Colm, WHAT'S THE WORST PART OF TLS?". Answer: X.509, hands down, game over. Certificates use a crazy format called X509, which is just a set of rules built on top of an ancient encoding called ASN.1 DER.
You'd think it'd be pretty simple to parse a certificate, especially since it's security critical, RIGHT? WRONG! OpenSSL uses about as many lines of code to parse ASN.1 and X.509 as the Apollo moon landing guidance system.
So of course there have been lots of X509 parsing security issues. Hell, even security issues that were introduced just by fixing other security issues. And we're all still using it! *sigh*
Replying to @colmmacc
Haven’t followed 1.3 development closely (or certainly not as closely as you) - has replacing x509 been discussed - would need to be managed carefully but achievable in the medium term
I don't think there's been any discussion of replacing X509. That would more likely start at the CA/Browser forum imo. Some private systems have taken it out, Google's ALTS uses protobufs for the same job, for example.