- From: Adrian Hope-Bailie <notifications@github.com>
- Date: Thu, 24 May 2018 12:39:37 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 24 May 2018 19:40:00 UTC
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ The issues with JWS are that you can: 1. Send a header that specifies the "none" algorithm be used 2. Send a header that specifies the "HS256" algorithm when the application normally signs messages with an RSA public key. (i.e. Use the public key as a secret) Further, as I understand it, the issue with the Base64 encoding is that the recipient will validate the signature over the Base64 data but often will not validate that the Base64 data is the same as the unencoded JSON data they have been provided along with the signature. It's a foot gun. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-request/issues/714#issuecomment-391834618
Received on Thursday, 24 May 2018 19:40:00 UTC