Profile picture
Filippo Valsorda @FiloSottile
, 6 tweets, 2 min read Read on Twitter
No, in 2018 you don’t get to claim the high ground and blame users and implementations if your crypto API returns the plaintext on a decryption error.

At most you can say “sorry we are a legacy system, no one knew better then, it’s time to migrate off”.
thisisfine.jpg lists.gnupg.org/pipermail/gnup…
I really don’t get the community’s negative reaction. This is a perfect case study for proper AEADs, safe APIs, and against secure email in general.
[0] days since retrofitting security on top of a complex existing system blew up.
And wait, apparently you can even strip the authentication tag outright, downgrading the decryption error to just a warning?!
The GnuPG (v2.2.7) command line tool is also happy to create the plaintext output file when the authentication tag is missing (or stripped).

Only a warning and a non-zero exit code.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Filippo Valsorda
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @FiloSottile see all

Profile picture
“We don’t negotiate salaries” is a negotiation tactic.

Always. No, your company is not an exception.
A tactic I don’t appreciate at all because of how unfairly it penalizes low-leverage, junior employees, and those loyal enough not to question it, but that’s negotiation for you after all. Weaponized information asymmetry.
Listen to Aditya 👇
Read 13 tweets
Profile picture
Can't believe that two versions after introducing support for DNS-over-TLS, unbound still makes a new TLS connection (handshake and everything) *for every DNS request*.
I'm convinced that while DNS-over-TLS makes more sense as a protocol than DNS-over-HTTPS (DNS requests are small and have unique IDs), the DNS software ecosystem is just unprepared to handle DoT, while there's solid software to reuse for DoH.
Today my DNS resolver broke, as it does (is it the chroot? the python bindings? the DNSSEC anchor? the DoT proxy? who knows!), so I decided to take another look at connection reuse support, 6 months later. AFAICT, nope. Nothing.
Read 6 tweets
Profile picture
We need to talk about TLS 1.2 Session Tickets and how they are the weakest link in modern TLS deployments. blog.filippo.io/we-need-to-tal…
Session Tickets are a way to speed up TLS handshakes in resumed connections. They work by keeping encrypted session keys with the client. 2/
The problem is that in 1.2 there's no (EC)DH involved, so an attacker that obtains the Ticket key can passively decrypt traffic w/o PFS. 3/
Read 9 tweets

Related threads

Profile picture
0/ Been away from the #crypto and #blockchain space for a while and now find yourself out-of-the-loop?

Fear not! I've pieced together a thread dedicated to ecosystem events that occurred over the past day or two. Read on to get back up to speed.
1/ 🥼 Over on #EthResearch, @JieyiLong proposed a SNARK-based sidechain for #ERC20 tokens.

Can reduce processing time per transaction significantly on the #Ethereum network, relative to a fully on-chain ERC20 smart contract. Click below for more! ethresear.ch/t/snark-based-…
2/ 🤝 @FantomFDN x Fuiou Group

Having partnered with one of China's leading payment solution provider, #Fantom will work to integrate its pioneering DAG-based smart contract platform to give Fuiou users access to a faster, more scalable payment service. medium.com/@FantomFDN/fan…
Read 25 tweets
Profile picture
0/ Regardless of the market conditions, the #crypto and #blockchain space is active as ever.

Let's go through some of the eye-catching, project-specific news that took place over the past 24 hours or so, shall we?
1/ 🇲🇾 @NEMofficial's SEA arm - @NEM_SEA - announced an MoU reached with Taylor’s University.

NEM SEA will assist the Malaysian university's School of Computing and IT in many ways. E.g., help author a syllabus devoted to #blockchain, run some of the students classes, and more.
2/ 📣 @DharmaProtocol unveiled #DharmaLever, a way for users to *trustlessly* borrow/lend #crypto in large volumes on a global scale.

Will feed and draw credit liquidity from Dharma's growing network of relayers (e.g. @Bloqboard, #QuickLine).

Read more: blog.dharma.io/introducing-dh…
Read 21 tweets
Profile picture
1/ Great morning for a tweetstorm updating the latest on the interaction of #WallSt & #bitcoin, drinking coffee from my new BitMug (thanks AC Fenton!) @brucefenton
2/ The most significant news--maybe most important news to date on the #WallSt front--was @tzeroblockchain's token generation event on 10/12 (a fully-compliant #STO on the public #Ethereum mainnet of true preferred stock, issued by an SEC registrant). Investor letter captures...
3/ ...perfectly the true benefit of owning #cryptoassets (which defenders of the legacy system love to ignore): investors have the option to opt out of the legacy system, which is unstable & unfair. Owners can either hold tokens at a broker/dealer OR IN A PERSONAL WALLET at...
Read 13 tweets
Profile picture
1/ EU citizens allowed to stay in case of no deal Brexit because of labour shortages - UK Govt claiming moral high ground.
Moral f'ing high ground my fat German derriere. I really feel valued now. 20 years on this island and I am 'allowed to stay' because of labour shortages?
2/ there have been plenty of opportunities to claim moral high ground over the last 2 years. Proper moral high ground that both @The3Million & @BritishInEurope have asked for. The UK Gov has ignored those pleas.
3/ now with no deal Brexit looming, something I had zero say in and wasn't even allowed to vote in, they realise that the economy needs us. Bloody late. And bloody insulting.
Read 6 tweets
Profile picture
After 12 seasons of coaching my son's little league team I've been banned from league.

My job, reputation, community, and now my love and joy I shared with my son is ruined.

All because @lacymacauley @cjcmichel @JuddLegum @thinkprogress @crooksandliars attacked me.
I found out tonight at 10pm, the day before try outs.

I am devastated. I've cried harder and longer tonight than I have in years.

I had to tell my son that his Dad was banned from coaching him, something we've shared since he could barely hold a bat.
I can handle losing my job. I can handle having my professional reputation smeared. But losing this most precious thing I shared with my boy brings true sorrow.

All because @cjcmichel @lacymacauley and @JuddLegum decided to lie and attack me.
Read 24 tweets
Profile picture
1/
 on January 17th, 2018
@caitoz made a terrible error
@caitoz decided to debate @ThomasWictor on Syria

Two HeavyWeights
Two Equals
Two Opposites

This Tweetstorm is the play-by-play
then you can decide how it went

I have to go slow
I'm doing screen captures
But this was epic
1/
 Appears the debate started around 3pm on Jan 17th

@Caitoz was discussing Tillerson comments about Syria

tweet 👇
2/
 @Caitoz then discussed it further
by quoting an article
and
stating

"#MAGA"

(my browser that copies tweets has a problem with attachments, but the tweets will be linked below for your verification)

tweet #2 👇
Read 109 tweets

Trending hashtags

#cryptocurrency #Monero #startup #Augur #Aragon #NEP5 #bitcoin #blockchain #Android #crypto #financial #web3 #WallSt #piggy #Chainlink #technology #EOS #SanFrancisco #Golem #ether #Ethereum #0x #EtherX #MAGA #micropayment

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!