Share this page!

Matthew Green Profile picture
Twitter logo
9 Jun, 4 tweets, 1 min read
Oh wow, how did I miss this one. Tricking browsers into uploading their secret cookies to FTP sites, because the two servers share a TLS certificate.
Really in-the-weeds technical discussion of mitigations by @FiloSottile.
I’m going to forget about TLS here for a moment, and point out that the best way to mitigate a lot of these attacks is just to replace cookies entirely.
Maybe we shouldn’t have browsers upload a bunch of passwords to the server every time you request resources from a random website.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matthew Green

Matthew Green Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @matthew_d_green

Matthew Green Profile picture
11 Jun
“But iMessage is end-to-end encrypted!”
Also I think it’s amazing that in five years we’ve gone from “if you haven’t committed a crime you don’t need encryption” to “US opposition lawmakers have their texts searched.”
Quick reminder: Apple could fix this in a heartbeat by adding an “end to end encryption for iCloud backup” setting (the tech is already in place), but they don’t. Even for those who want it.
Read 7 tweets
Matthew Green Profile picture
7 Jun
Oh good the FBI recovered the Colonial Pipeline ransom by tracing the wallet. Ransomware is solved!
Narrator voice: ransomware was not solved.
Looks like ransomware operators are going to have to do more than, well, the barest minimum in order to protect the privacy of their payments.
Read 12 tweets
Matthew Green Profile picture
7 Jun
The FSB’s encryption software seems to be pretty much in character. krebsonsecurity.com/2021/06/advent…
I know this is a bit of a stereotype, but why is Russian crypto always so weird?
“We don’t use a normal random number generator, we use a gerbil connected to a hot cup of tea. Also use our ciphers where the S-Boxes are ‘random’ meaning they actually aren’t.”
Read 4 tweets
Matthew Green Profile picture
3 Jun
Dear researchers: the hard part of problems like “traceability” is not the part where you build a mass surveillance system. Building mass surveillance systems is *easy*.
The hard part is building systems that don’t utterly shatter the security guarantees that the private system offered, and don’t have caveats like “obviously this can be abused, stopping that is future work.”
When I go out to see what our research community has been doing in this area, I expect them to understand what makes this research problem hard. Not to find slides like this one.
Read 7 tweets
Matthew Green Profile picture
2 Jun
Good article by WhatsApp on why content “traceability” is so hard. faq.whatsapp.com/general/securi…
The post makes this point informally, but it really seems like there’s an impossibility result in this problem: it’s impossible to have privacy and traceability at the same time without some very specific requirements.
There’s this idea that you can have content sent among small groups where there’s privacy of who is forwarding what, but when a piece of content goes “viral” suddenly we can trace the content back to its originator.
Read 8 tweets
Matthew Green Profile picture
17 May
Interesting story about how Apple is moving encryption keys to China. nytimes.com/2021/05/17/tec…
Ok, I have lots of things to say about encryption keys and hardware security modules. But forget all that for a second. WTF Apple.
“A legal shield from American law.”
Read 16 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @matthew_d_green has new unrolls!

Check out other threads from @matthew_d_green!

Read all threads by @matthew_d_green

:(