Profile picture
, 12 tweets, 4 min read
My Authors
Read all threads
Tuesday Tweet Thread is a "Today in Infosec" one. It's 10 years since @marshray published one of my favorite TLS/SSL issues, and the best named. The Pizza Attack! Read about it in EKR's blog post from the time: educatedguesswork.org/2009/11/unders… ...
@marshray In a case of "History doesn't repeat itself, but it does rhyme", the attack is similar in several ways to the latest HTTP "DESYNC" attacks. The Pizza attack hinged on inconsistencies between layers, and clever use of HTTP headers to hide requests.
@marshray Basically: TLS/SSL *used* to allow clients or servers to renegotiate a connection at any time, and that was like starting over. The Pizza attack had the attacker create a legit connection to a server, and then place a not quite finished lingering HTTP request on the connection.
@marshray Then, the attacker would initiate a renegotiation. Next, the attacker could MITM a client and connect the client to the server. This would actually work; TLS/SSL would authenticate just fine, despite the lower level MITM.
The client would then make their own request, but because of the clever way the Pizza attack would leave the pending lingering one, the client would effectively complete that one too.
If the lingering request was something like "Order a pizza", then the MITMd client would end up ordering a pizza. Pretty crafty.
This issue in the SSL/TLS protocols was a "Drop everything and fix" for us at Amazon, and it came on the heels of a "Drop everything and fix the internet" because of how silly bind9 was issue earlier in the year.
To protect our customers, we worked with a bunch of vendors, including going to their sites and working with their TLS teams to get renegotiations disabled. We updated a lot of software and hardware in November, our peak month. There was a @JeffBezos call about it!
@JeffBezos The issue caused some examination of the SSL/TLS protocol itself, and led to secure renegotiations, and also caused a lot of people to disable renegotiations, which helped mitigate 3SHAKE (blog.cryptographyengineering.com/2014/04/24/att…)
@JeffBezos TLS1.3 has also cleaned a lot of house, and no longer supports renegotiations at all. This is good because being able to arbitrarily change contexts at the transport layer is way too confusing for applications.
@JeffBezos The attack also informed the design of other security protocols. At AWS, our signed request protocols like SIGv4 are explicitly designed to prevent issues like this from creating security issues.
Happy Birthday Pizza Attack! 🎂🍕🏹
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Colm MacCárthaigh

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @colmmacc see all

Profile picture
Colm MacCárthaigh
@colmmacc
Tuesday Tweet Thread time! Today's is special. 5 pieces of programming advice: write tests, think in data structures, learn functional programming, check everything and bail on bad, and use "why" not "what" comments. Plus a small totally open $1,000 programming contest. O.k. ...
First a disclaimer: I've been programming for over 30 years, and for 20 years on mission critical systems, and these are thoughts from that and from observing and helping beginners, but there are many paths to walk, and no single perfect way to program. Find what works for you!
O.k. so my number one top tip for programming is to write tests, and to really really deeply value testing, and not think of it as a nuisance or a burden. We all get a satisfying high from that eureka moment of making something 'work', but that's not 'done'.
Read 28 tweets
Profile picture
Colm MacCárthaigh
@colmmacc
Tuesday Tweet thread! Today's is a small career or leadership advice thread and my advice is to argue at, and never just attend, a meeting. Remember: argue, not attend ...
First, just attending a meeting, sitting there passively or whatever can be just the worst. Good chance it's a waste of your time, and if you're not contributing, no-one is getting the benefit of your insight, expertise, point of view, etc.
Speaking up and contributing can be intimidating, you're pulling focus, stealing attention, and you might say something wrong!
Read 13 tweets
Profile picture
Colm MacCárthaigh
@colmmacc
How many of us spend a lot of our time white boarding diagrams and concepts ... yet there's basically no training in it? Are there any books, classes, tutorials? Seems like an area ripe for thinking and refinement.
it's essentially the intersection of sketch art, good handwriting, conceptualization, informatics, iconography, and storytelling. It can be practiced and developed intentionally ... but we don't.
I would ❤️ to spend time with artists, creative thinkers, and storytellers thinking about how we could improve it. Can we develop better symbols that can convey more? E.g. how can I lo-fi sketch a symbol that says "customer" and not just "person"?
Read 3 tweets

Related threads

Profile picture
MET LGBT Network
@MetLGBTNetwork
#Thread 1of5.
The MetLGBT+ Network is a staff association for colleagues, and we are inclusive of LGBT+. We want inclusivity for all our members, so the Met delivers a more inclusive service to all Londoners.
#Thread 2of5.
We recognise that LGBT+ inclusivity is achieved in a number of ways, and that there is currently considerable discussion about #trans inclusivity. That is why we work closely with other staff associations to ensure the Met’s practices are wholly inclusive.
#Thread 3of5.
A recent tweet, written in personal capacity but from a Network account, misrepresented our position. It caused upset to some; we apologise for that. The person concerned has been dealt with & our processes were quick to identify issue & delete the offending tweet.
Read 5 tweets
Profile picture
David Nakamura
@DavidNakamura
#thread I wanted to add some additional context to this story we published today that aimed to trace the origin story of Nationals Park by focusing on the people who worked and lived in the 21 acres that became the stadium footprint. 1/
I saw some asking why the Post would publish a downbeat story on the day of the World Series. That wasn't the story. It was an effort to show there was, despite what some might say, a kind of neighborhood, with real humanity, before the Nats arrived. 2/
In a way, this was a coda to this fine deep dive by my colleague @mffisher last year before the All-Star Game on the tremendous success of the DC's redevelopment of near Southeast. It traces all the ways the ballpark surpassed expectations. 3/ washingtonpost.com/graphics/2018/…
Read 23 tweets
Profile picture
RickLeeJames
@RickLeeJames
#thread This may surprise many, but one of the richest books of Christian Theological insight (in my opionon) is the Exorcist by Peter Blatty. The movie too has some strong theological insight as well. Here are some of my favorite moments from each.
"What we give to the poor is what we take with us when we die."
“What seemed like morning was the beginning of endless night.”
Read 13 tweets
Profile picture
Allen Ray
@2CynicAl65
#Thread
Good morning.
Today, I'm sure there will be social morons on Twitter playing their "yabutt" games, telling us how we should feel ashamed, or calling us "phobic" because we point out what really happened on September 11, 2001.
1/
Don't let them get to you. Block and move on.
18 years ago, we were attacked by Islamic extremists, bent on the destruction of our way of life, cheering as our brothers and sisters burned in fire, cheering louder as the buildings crumbled, taking even more to their deaths.
2/
We do NOT have to tiptoe around the facts. We do NOT have to "watch our language". Speak up and tell the truth. These extremists were screaming "Death to America", calling us "The Great Satan", and saying we need to "convert or be destroyed" for decades leading up to 9-11.
3/
Read 8 tweets
Profile picture
Aijay
@Hejeoma
#Thread
1. It is unfortunate & very stupid of people like Dele Momodu & Davido to blame the attacks of Nigerians in SA on PMB & Nigerians. No country in the world has it all. Every country have their fair share of criminals constituting nuisance globally. Even Americans are
2. seen moving into Dubai, Qatar everyday! China is one of the most advanced countries in the world yet, the chinese are scouring the earth looking for business opportunities. I wouldn't expect Davido to know anything but Dele Momodu keeps disappointing me. Anyone with half a
3. brain would know that xenophobic attacks in South Africa didnt start today. In fact, one of the worst attacks happened in 2008; March 67 were killed & May another 62. An intelligent person should be asking, what would lead black Africans to attack fellow Africans when they
Read 8 tweets
Profile picture
파룬
@balloon_wanted
#Thread: Press Conference today regarding TheEastLight's recent events regarding the band's abuse and assault by Producer A and CEO KimChanghwan "B" (leader Lee Seokcheol) and his lawyer at Choyeongrae Hall
(181019)
Lee Seokcheol shares that both he and his brother, Lee Seunghyun have endured being beaten by Producer A

Lee Seokcheol shared that Kim Changhwan, their CEO, was aware of the situation and would watch the two of them be beaten up in the 5th floor studio
Seokcheol shares for the past 4 years, beginning in 2015, he and the members would be clubbed by a baseball bat, the abuse would occur everywhere within the company, studios, practice rooms
Read 37 tweets

Trending hashtags

#sheeple #ToqueQueda #Nitwit #Hurts2BHuman #CaptivatingKat #Globalists #خاشقجي #GroovyAsFuck #native #NuevaConstitucion #Planet #gomslly #pedantry #DearNonNatives #BadIdeas #VP #DorothyParkerReference #dogs #Kurukshatra #Reminiscing #50thDayofWidowhood #BadBreaks #Everyone #Bellavista #Banksy
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!