Conversation
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 14-Mar-2017 10:00:16 UTC
> because no list of questionable public-key encryption modes could be complete without shoehorning a shared-key encryption mode
Sick burn.
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
prompted by
https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html

Annah (maiyannah@community.highlandarrow.com)'s status on Tuesday, 14-Mar-2017 10:03:47 UTC
@clacke "JWT is bad because people can make year 1 computer science mistakes with it"
Guess we should avoid every fucking library ever then.

Pietro Gagliardi (andlabs@mastodon.social)'s status on Tuesday, 14-Mar-2017 10:14:11 UTC
@maiyannah @clacke (also I still wonder if there is a correct, mistake-proof, OWASP ASVS-compliant way to do simple logins and logouts via HTTP...)

Annah (maiyannah@community.highlandarrow.com)'s status on Tuesday, 14-Mar-2017 10:15:32 UTC
@andlabs @clacke RFC 1149 covers this.

Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 14-Mar-2017 12:26:03 UTC
@maiyannah That's one view. But I think it's valid to think about which protocols and tools make it easy to Do The Right Thing, and which ones just don't care. The article *does* have suggestions on what to use instead.
Even if we were all brilliant CS PhDs, we'd still be chasing featuritis and impossible deadlines, and tools you can trust help. A job done right in a deep dependency saves work and energy exponentially.

Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 14-Mar-2017 12:27:21 UTC
@maiyannah Makes me think about the whole dependencies witch hunt and the node.js community. Outsourcing solving problems makes sense; the problem is when you outsource it to someone else who *also* didn't care to get it right.

Annah (maiyannah@community.highlandarrow.com)'s status on Tuesday, 14-Mar-2017 12:27:27 UTC
@clacke "Just use cookies" lolololololol

Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 14-Mar-2017 12:28:15 UTC
@maiyannah Ok, that one wasn't very well specified. :-)
I think their point is a server-side entity rather than a trust model.

Douglas A. Whitfield (musicman@nu.federati.net)'s status on Tuesday, 14-Mar-2017 13:02:18 UTC
@maiyannah a4b6dd1fe082db9732d0985675edfcb45c9c7960f0eb42c308fda3d4eb2874e5

Douglas A. Whitfield (musicman@nu.federati.net)'s status on Tuesday, 14-Mar-2017 21:53:53 UTC
well, that didn't go as planned...