- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Wed, 17 Apr 2013 21:35:44 -0400
- To: public-webpayments@w3.org
On 04/17/2013 09:15 PM, Dave Longley wrote:
> On 04/17/2013 06:03 PM, Carsten Bormann wrote:
>> On Apr 17, 2013, at 23:32, Manu Sporny <msporny@digitalbazaar.com> wrote:
>>
>>> https://github.com/joyent/node-http-signature/blob/master/http_signing.md
>>>
>> I looked at this for about 5 seconds, but are you telling us the
>> attacker gets to choose what the lines in the signed string are
>> supposed to mean?
>
> That definitely looks like a security hole in this scheme. The header
> names themselves should be included in the signature string, not just
> the values.

I've filed a bug here: https://github.com/joyent/node-http-signature/issues/10

--
Dave Longley
CTO
Digital Bazaar, Inc.
Received on Thursday, 18 April 2013 01:34:49 UTC