Deleted the tweet about the crypto bug because there's conflicting info on its scope. Some people are tweeting at me saying it's viable for TLS interception, but MS Security Portal only mentions file signature spoofing. Going to go do some digging.
My feelings exactly. It's like putting a warning label of "this product may contain nuts" then in small print "also, it contains a high dosage of cyanide".
Right?!? I mean, who actually code signs? I bring it up all the time and people laugh at the entire idea of using code signing in prod.
It kind of makes sense? Code signing most tangibly affects the default install, running no code from any third-party, letting you spoof MSFT, and thus most affects them. But it’s the TLS bits that will have the lasting impact on third party code, which is unbounded in impact

But almost nobody cares about code signing. Most won't even notice if an executable isn't even signed at all.
The real question is, did the NSA get a bug bounty?
They buried the lede. Easier to claim the effect is lower bc you still have secure transport of the binaries and ppl shouldn't install random binaries, etc. TLS being broken is a _way_ more problematic thing to say, so it comes second and smaller. NSA Advisory is opposite.