On 10/31/25 07:23, Anders Rundgren wrote: > Hi Chris, > I have not evaluated your solution for replay protection, I have rather thought a bit about possible issues with bot security and signatures. > > HTTP Signatures (RFC 9412) are fine but lack one item: a serialization format. Due to this I'm working with signature schemes that are more adapted for Embedding, Counter-signatures, Multi-hop, and Archival: > https://github.com/cyberphone/cbor-everywhere/tree/main?tab=readme-ov-file#signed-http-requests It’s worth noting that trying to sign an abstract message massively increases the room for implementations to err, often in exploitable ways. See the numerous vulnerabilities in XML signature implementations for examples, as well as various vulnerabilities in Hashicorp Vault. Instead, one should sign the data as raw bytes, and encapsulate it in a form that will pass through intermediates unchanged. In the case of HTTP, this would correspond to wrapping an HTTP request inside another. Is this something that could be used instead? -- Sincerely, Demi Marie Obenour (she/her/hers)
Received on Saturday, 1 November 2025 01:54:33 UTC