Epic Twitter thread from @colmmacc explaining why client certs and mutual-auth TLS are TERRIBAD
Ok. tweet thread time! Too long ago I promised to write a screed explaining how much I hated mutual-auth TLS and why. I got distracted, and I wasn’t happy with the writing, so here it is in tweet thread form instead! But basically: Client certs and Mutual-Auth TLS are TERRIBAD. When I say TERRIBAD, I mean that unless you’ve got the resources of a big security dept and folks who comb threat models for a living, using client certs and mutual auth probably materially lessens your security. That’s NUTS!
(source: https://twitter.com/colmmacc/status/1057017343438540801 ) (tags: terribad rants twitter threads tls ssl authentication mtls security)
-
No authentication at all on some Google Home setup APIs, including ‘delete the current wifi network config’; a pretty major lack of security
(tags: auth security fail google google-home)
-
Similar to the Google Home hackable APIs, it seems Chromecasts are easily hacked/scripted with no auth