HackerTrans
TopNewTrendsCommentsPastAskShowJobs

SnowflakeOnIce

no profile record

Submissions

TruffleHog now detects public-key JWTs and verifies them for liveness

trufflesecurity.com
2 points·by SnowflakeOnIce·il y a 7 mois·0 comments

comments

SnowflakeOnIce
·il y a 26 jours·discuss
Logout functionality is not the only use case for token invalidation. Another significant one is to revoke a token that has been exposed, like inadvertently pushed to GitHub. In that case you want to invalidate the token to a avoid unauthorized access to your service.

With vanilla JWTs, you have no way to do this! But then if you add revocation checking on top (which people do), your JWTs are no longer stateless.
SnowflakeOnIce
·il y a 2 mois·discuss
Your general point here is reasonable. But to provide some domain knowledge context: secrets are leaked _very_ often!

In public data (source code on GitHub, etc.) you can expect a prevalence somewhere in the range of 0.5-2.5 live secrets per gigabyte of content. Now yes, there are more than 8 billion people on earth now and the murder prevalence is a lot higher than 0.5-2.5 per billion. But there are _far_ more bytes of public content than there are people on earth, so in absolute terms, there are far more leaked secrets than murders.

If you look at other types of data (like internal Git forges), the prevalence is much higher.

I think you could indeed retire with $1 per leaked secret!
SnowflakeOnIce
·l’année dernière·discuss
https://en.m.wikipedia.org/wiki/Simultaneous_localization_an...
SnowflakeOnIce
·il y a 6 ans·discuss
The latency on the touch bat is terrible. Perhaps 1/2 second to update when you switch apps, for example!