@trailofbits where in your ruby code do you validate that the sha1 is actually of the timestamped data? Can't find it.. 
-
-
-
we strip user data before sending to backend - that means we only validate the signature server-side
-
protocol message contains both data+timestamp and sha1(data+timestamp), where do you check they match?
-
Good catch, that should happen in the middleware but due to low interest we never kept working on it. Easy to add, will do it soon.
-
seems awfully redundant to send the data and the precalculated sha when sig verification has to recalculate sha anyway...
-
it's a fair point, but it's also only 40 bytes for every tidas request..which maens 40 bytes every touchid prompt
-
also accident waiting to happen. implementers use one value and validate sig using the other, like in tidas-server
End of conversation
New conversation -
-
-
"It was difficult to overcome the inertia [...]". It is very often the issue, sadly.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.