Startups keep asking us how to sign JSON objects and @lvh got sick of re-explaining and wrote this. https://latacora.micro.blog/2019/07/24/how-not-to.html …
Awesome write-up! Two comments: 1/ With HMAC signatures it is still critical to do a constant-time comparison of the expected and sent HMAC values. A standard strcmp/memcmp isn't secure and I still see this error in 2019.
2/ The HMAC key in AWS SigV4 is actually a derived synthetic key that is ephemeral and partially based on a time window. Using derived secrets is useful if you want to avoid the problems of credential compromise on the server side.
2:36 PM - 24 Jul 2019
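Both points from the replies above, as an added example that is not part of the thread or of the linked post: a JSON object is signed with an HMAC key derived from a root secret via a date and a scope (loosely modelled on SigV4's chained derivation, not the exact AWS algorithm), and the tag is verified with a constant-time comparison beside the short-circuiting `==` that leaks timing. All function names and the root secret are constructed for this illustration.

```python
import hashlib
import hmac
import json

# Constructed root secret for the example; a real one comes from a secret store.
ROOT_SECRET = b"example-root-secret-do-not-reuse"

def canonical_json(obj) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def derive_signing_key(root_secret: bytes, date: str, scope: str) -> bytes:
    """Chain HMACs over a date and a scope (loosely modelled on SigV4 key
    derivation) so the key a verifier holds is short-lived and scope-bound;
    a compromised derived key does not expose the root secret."""
    k_date = hmac.new(root_secret, date.encode("utf-8"), hashlib.sha256).digest()
    k_scope = hmac.new(k_date, scope.encode("utf-8"), hashlib.sha256).digest()
    return hmac.new(k_scope, b"signing_key", hashlib.sha256).digest()

def sign(obj, key: bytes) -> str:
    """Hex HMAC-SHA256 tag over the canonical JSON encoding of obj."""
    return hmac.new(key, canonical_json(obj), hashlib.sha256).hexdigest()

def verify_insecure(obj, key: bytes, tag: str) -> bool:
    # BAD: '==' stops at the first differing byte, so response time leaks
    # how many leading bytes of a guessed tag are already correct.
    return sign(obj, key) == tag

def verify(obj, key: bytes, tag: str) -> bool:
    # GOOD: compare_digest takes time independent of where the inputs differ.
    return hmac.compare_digest(sign(obj, key), tag)

if __name__ == "__main__":
    key = derive_signing_key(ROOT_SECRET, "20190724", "api/payments")
    msg = {"amount": 100, "to": "acct-42"}
    tag = sign(msg, key)
    print(verify(msg, key, tag))                               # True
    print(verify({"amount": 999, "to": "acct-42"}, key, tag))  # False
```

A verifier that accepts requests from several days or services derives the key per request from the date and scope the client states, so a key captured from one verifier is useless elsewhere and after its window.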