
btw: isn't the scheme you posted vulnerable to replay attacks too? Much easier than the timing attack.

edited to add: don't mean this as a nitpick. I've seen that very mistake made by two S&P 500 companies that had 'homebrew' SSO we had to integrate with.




> btw: isn't the scheme you posted vulnerable to replay attacks too? Much easier than the timing attack.

Yep, probably. In fact now that I look at it definitely, I should have gone with that instead!

I forget who said this but basically any feature that exists in TLS that doesn't exist in your hand-rolled authentication scheme is a vulnerability.


Does peer review count as a feature?



