On Apr 9, 2013, at 7:50 PM, Paul Theriault <[email protected]> wrote:
> On Apr 10, 2013, at 10:16 AM, Andy McKay wrote:
>
>> On 2013-04-09, at 5:13 PM, Andy McKay <[email protected]> wrote:
>>> If the item was for something that can be repeatedly purchased (say a new
>>> life in a game). Can I MITM it, then just keep replaying the request? I
>>> guess the developer will be checking for things like transaction id or id? Can
>>> I just change that and keep replaying it?
>>
>> Ah no, because it's signed, so can't tamper with it.
>
> But what about not changing anything, and just replaying it (e.g. buy one
> month's worth of access to a service, replay to get many months' worth of access)

If an app server doesn't use some kind of nonce (e.g. transaction ID) then it's susceptible to replays. I'd like to refer to this from now on as the 1000 Unicorns Problem :) We should document it to make app developers more aware.

JWTs always have an expiration time though, which mitigates replays. We currently have that set to 1 hour but we could shorten it. The thing to be careful of here is clock skew on the receiving end.

It looks like an official nonce is being discussed for JOSE (the latest effort at standardizing JWT):
http://www.mail-archive.com/[email protected]/msg00763.html

I think it would be good to have official nonce support in JWT because expirations aren't enough. OTOH you'd need some kind of memory storage to do nonce checks, which would make JWT libraries more complex. Ephemeral storage like memcache should be enough because after that the expiration will catch replays.

> Again though, if you are an attacker who has the ability to MITM all traffic
> to a non-ssl website, you pretty much already win (session ids, passwords,
> inject scripts etc etc)

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
