Profile picture
Colm MacCárthaigh @colmmacc
, 30 tweets, 5 min read Read on Twitter
Ok. tweet thread time! Too long ago I promised to write a screed explaining how much I hated mutual-auth TLS and why. I got distracted, and I wasn't happy with the writing, so here it is in tweet thread form instead! But basically: Client certs and Mutual-Auth TLS is TERRIBAD.
When I say TERRIBAD, I mean that unless you've got the resources of a big security dept and folks who comb threat models for a living, using clients certs and mutual auth probably materially lessens your security. That's NUTS! Let me recount the many ways.
O.k some background. So Mutual Auth TLS, also called Client Auth TLS, or Client Certs, or MTLS, are all names for that crazy setup where you generate or give certificates to your clients and have them connect into your service. Seen in Intranets and MySQL conf since 2000.
Let's start with the big elephant in the room: MTLS is one big GIGANTIC layering violation. Authenticating users at the channel/session/network layer ... for actions that happen at a higher layer, like HTTP requests, or SQL commands. How is that bad?
Well it means that trivial security issues like SQL injection and request smuggling in HTTP headers ARE STILL THINGS IN TWO THOUSAND AND EIGHTEEN. Forget to escape a parameter and boom .. the attacker than put requests right there in your "authenticated" stream. *HEAD DESK*
Come on people - we *give* you strongly signed requests, and SPIFFE and ISTIO still do this garbage? Drives me nuts.
Even BASIC AUTH is better! Even kerberos is better! That's saying something.
O.k. so just authenticating a channel at all is BAD, but TLS is even MUCH worse at this than you think. Starting with ... it's common to FAIL OPEN. Default TLS server configurations "just work" and let anyone in! it's not even a mis-configuration really. I've seen this TOO OFTEN.
But ok., so you check that's locked down. But did you know that TLS connections can be re-negotiated, and re-AUTHENTICATED? It's nuts!! But yes, TLS supports this. The client can at any time decide to change the auth context.
Did you know there might be a DIFFERENT CLIENT CERT for each byte of the request? Hell, there can be an infinite number even between the byte! Again, layering violation! Which cert applies? Who knows!!
Btw @marshray basically told us all this 9 years ago!! And implementations still don't handle it right, because it's incomprehensible. You can turn off renegotiations wholesale, but then you might over-use a key! *sigh* no-win. TLS1.3 does fix this though.
Directly related to all of this is that it takes an enormous amount of code to do mTLS. An ordinary TLS server can more or less ignore X509 and ASN.1 - it doesn't need to parse or handle them. Turn on MTLS and all of a sudden it does!
Take it from me that you don't want a trusted service responsible for your AAA stack also parsing X.509 and ASN.1. Nuts nuts nuts.
We're still only GETTING WARMED UP btw!
Let's ask the most important question in the design of any AAA system: how do we handle the inevitable compromise of the credentials? So what are the common answers ...
I have never ever ever, not once, seen a working revoking system. In THEORY there's this idea that the bad cert can be listed in a CRL, and the servers all refresh it and we're good. I've seen half solutions at best. Common problem ...
What if you need to replace *ALL* your credentials? "This would never happen!" ... except Heartbleed, and the Debian RNG bug, and those Eastern European smart cards, and, and ...
and how do you update the clients quickly? Do you have a way to prompt people or let them know? PASSWORDS are so much better at all of this!
Can you grow your CRL infinitely for it all? NO? So you need a story for root key revocation anyway?? Oh man. Who has this stuff down? No-one is who.
So instead people use "short certs". O.k. first let me point out that the security of this solution depends on how secure your server clocks are. If I can spoof NTP ... it was all .. dumb ... anyway.
Next, let me ask, is there ANY good value for length of time here? Make it too short and you're going to have a lot of outages due to failure to renew certs quickly enough, Too long and it's not secure.
Google's ALTS dodged a lot of this by having epochs that end up being a mix of time and CRL-like strategies. Smart move and dampens the tyre-fire somewhat. Never seen in the wild though!
Now we get to my LEAST favorite part ... there are basically NO standards for logging credentials from certs, or for implementing authz. So admins just make up their own.
Enter an MTLS infrastructure and you have to cross your fingers that they are even logging the user's names. NIGHTMARE to debug.
And for authz the admins get "creative". Because certs basically encode strings, people start using them as arbitrary bearer tokens. Let's put group permissions in the cert itself, encoded in strings ... and then do access control with ... REGEXes!!
ACTUAL SECURITY ISSUE I SAW IN THE WILD: The "administrative-assistants" has root-level access to everything for years, because their group name started with "admin" and the regex letting them in lacked a $ terminator!!
Disclaimer: they were using Apache 2.0, and I wrote that regex supporting madness, and so it is my fault and I will pay for my sins.
Anyway, back to MTLS, it is a hodgepodge of awfulness. Massive code base to implement, terrible standards in the middle, and just obscure untested garbage left and right. RUN AWAY!
Yet it gets a reputation for being a best practice, maybe because it's hard, or because it has a halo from the false talisman of cryptography. *shudder* BAD, BAD, TERRIBAD.
Anyway, that's the rant out of my system! AMA about MTLS if you want, and dear @Unrollme - please unroll this thread.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Colm MacCárthaigh
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @colmmacc see all

Profile picture
Another year, another bit closer. I'll never stop being amazed at just how bad Google is at AI and what they'll throw out there!
These lyrics composer and category errors have persisting for 8 years now, that I've been tracking. I give feedback every time I see one.
Previously:

, ,
Read 3 tweets
Profile picture
Last tweet thread of the year is a meta-one! I'm going to round up the most popular tweet threads I've done. Coming in at number 1: the most popular, by far, was all about how to generate and use random numbers safely.
Number 2: all about the quirks and delight of the modern Irish presidency. Éire Abú!
Number 3: All about TLS1.3 and why it's better:
Read 12 tweets
Profile picture
Very serious question: Are there AWS services that you think are missing? What new infrastructure, security, or data service would you most like to see us build? Here's why I'm asking ...
Every 5 years or so I look around and try to pick an area to work on, and then commit and persist. 10 years ago it was to build our edge: CloudFront, Route 53, and anti-DDOS. 5 years ago I moved to ELB and ended up building VPC Networking, HyperPlane, TLS, Cryptograpy and more ..
Time for another look around! I have some ideas myself already, mostly crazy, I'm curious about thoughts and suggestions from folks here.
Read 3 tweets

Related threads

Profile picture
Ok. It’s time to go into Joshua’s memory box and tell his story #thread
Joshua was very much a rainbow baby 🌈 and we were so excited and over the moon when I finally made it into the second trimester. (Alex and I are both big rugby fans!)
I was working as a 1st year Registrar in A&E when I suddenly broke my waters at 24 weeks. I was transferred to Southampton @UHSFT who have a specialist level 3 Neonatal Intensive Care Unit. They were wonderful, and did everything they could to stop my labour over Father’s Day.
Read 69 tweets
Profile picture
OK my @medium account got "caught in the spam filter" & has been restored so let me try this #thread again. I've been working for several months on a series of blogs explaining trolling & botting tactics used by 4chan during the election. #ContentWarning: medium.com/@erin_gallaghe…
Several months ago @elimisteve from @PursuanceProj found a series of pastebins and sent them to me. 4chan trolls studied learned graphic design software to make memes, memetic warfare and botting to troll the election. medium.com/@erin_gallaghe…
The 1st part is an 8chan thread by someone who claimed to have worked in the marketing & advertising industry. The explain various components of effective graphic design & instructions for /pol/ to “normalize” their message to blend in with the normies. medium.com/@erin_gallaghe…
Read 36 tweets
Profile picture
Ok so let's talk about when you shouldn't do an interview folks... #thread
Many of you academics want to be public, and that's great. But sometimes, our job is to tell the people who want to interview us that they have to come with the right questions.
If you call me, and haven't done a bit of homework, and you are asking me for resources, and you don't have an idea about the article you want to write, I'm not going to write it for you.. I can do that. Why tell you?
Read 9 tweets
Profile picture
Not so long ago, the Russian pro-opposition outlet The Insider, together with the "expert group" Bellingcat, published an investigation about the MH-17 plane crash. I'm gonna try to explain the arguments of @cyberberkut2 about this investigation. #thread
In this article, 'journalists' tried to show that the Russian government is directly responsible for the Malaysian MH-17 crash, which was shot down over the territory of Ukraine in 2014: bellingcat.com/news/uk-and-eu…
In particular, the article features the name of Oleg Ivannikov, whom journalists call the "Commander of the GRU", working under the pseudonym "Oreon". According to the editors, he is the main suspect involved in this case.
Read 73 tweets
Profile picture
Writing Myths #3 Writing Portfolios are the magic way into the industry!!
Get a portfolio said the writing panel/advice/speaker in what is the latest throwaway simple advice that instantly builds a career…. So, let’s talk about them.
1/24
1)Portfolios are NOT magic. Simply having one doesn't get you a job. Tey are a tool to be used in chasing work and an increasing number of employers ask for them. Having one can be very useful, but just putting some bits of writing in the same place does not = instant career.
2) People tend to read your email first, then your c.v. and then portfolio. Mess up stages 1, or 2 and 3 may well not matter. Always rework your email, c.v. and portfolio for EVERY application. Focus on what matches that job/company.
Read 60 tweets
Profile picture
Time for some game theory! No, not really. Rather, a short analysis of an important point: for 10 months, something has prevented Trump from halting Mueller's investigation, and that something is still there and just as powerful as it ever was. Thread 👇1/11
Watch this process at work. Remember this? Maybe Dowd thought saying “Yes as his counsel” was enough of a caveat (it's not), but either way this line of thinking didn't come out of nowhere. He had reason to believe this was Trump's view. 2/11
And, indeed, later in the day, Trump himself says pretty much the same thing, that Mueller's investigation should never have been started and thus, obviously, shouldn't continue. 3/11
Read 11 tweets

Trending hashtags

#Saddam #SaudiGov #bored #Satsplat #MemeWar #HousingCrisis #SciFi #Erdoğan #ProtectOurVotes #CNN #rigueurscientifique #SunWIP #moodmon #BLM #trap #POVPrompt #justice #TipTuesday #BinLaden #ConnectedFieldService #Doubtful #MSDyn356 #time #agribashing #exhausted

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!