
Re: Web Keys and HTTP Signatures

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 17 Apr 2013 21:35:44 -0400
Message-ID: <516F4DF0.4030307@digitalbazaar.com>
To: public-webpayments@w3.org
On 04/17/2013 09:15 PM, Dave Longley wrote:
> On 04/17/2013 06:03 PM, Carsten Bormann wrote:
>> On Apr 17, 2013, at 23:32, Manu Sporny <msporny@digitalbazaar.com> 
>> wrote:
>>
>>> https://github.com/joyent/node-http-signature/blob/master/http_signing.md 
>>>
>> I looked at this for about 5 seconds, but are you telling us the 
>> attacker gets to choose what the lines in the signed string are 
>> supposed to mean?
>
> That definitely looks like a security hole in this scheme. The header
> names themselves should be included in the signature string, not just
> the values.

I've filed a bug here:

https://github.com/joyent/node-http-signature/issues/10

-- 
Dave Longley
CTO
Digital Bazaar, Inc.
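To make the point in the quoted exchange concrete, here is an added toy example (written for this archive page, not code from the thread or from node-http-signature): a verifier that rebuilds the signing string from the header list it receives, once from values only and once with the header names bound in. HMAC-SHA256 and the plain-list `headers` parameter are simplifying assumptions.

```python
"""Toy model of an HTTP-signature signing string. Constructed for this
page; it is NOT the node-http-signature implementation. Assumptions:
HMAC-SHA256 stands in for the real key type, and the Authorization
header's `headers` parameter is modelled as a plain list of names."""
import hashlib
import hmac

KEY = b"shared-secret-for-demo"  # constructed sample key


def signing_string(headers, order, include_names):
    """Build the string to sign from the listed headers, in the listed order.
    include_names=False models the flaw raised above: only values go in, so
    the string does not record which header each line came from."""
    lines = []
    for name in order:
        value = headers[name.lower()]
        lines.append(f"{name.lower()}: {value}" if include_names else value)
    return "\n".join(lines)


def sign(headers, order, include_names):
    msg = signing_string(headers, order, include_names).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def verify(headers, order, signature, include_names):
    """The verifier rebuilds the signing string from the header list and
    values it *received*, then compares in constant time."""
    expected = sign(headers, order, include_names)
    return hmac.compare_digest(expected, signature)


def relabeled_request_verifies(include_names):
    """Sender signs x-fee then x-amount. A modified copy swaps which header
    carries which value and relabels the order. With values only, the
    signing string is byte-identical ("5\\n100"), so the old signature still
    verifies; with names bound in, the two strings differ and it fails."""
    original = {"x-fee": "5", "x-amount": "100"}
    sig = sign(original, ["x-fee", "x-amount"], include_names)
    modified = {"x-amount": "5", "x-fee": "100"}
    return verify(modified, ["x-amount", "x-fee"], sig, include_names)
```

The check a verifier wants is that `relabeled_request_verifies(True)` is false: once names are part of the signed string, the signer, not the sender of the `headers` list, decides what each line means.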
Received on Thursday, 18 April 2013 01:34:49 UTC